Currently I implemented a login routine for the website I am working on, according to This Tutorial.
Also I am not authenticating the user with djangos own system, because I am using authentication against the LDAP of my company (django-auth-ldap).
Currently I am using a general user to login to the database, which has universal access to all data, which also gives full access to any user logging in to the website.
To avoid that I would like to know how I can connect to the database as the individual user, who just logged in to the website.
Thanks in advance and sorry for bad english
Restricting user access to functionality and authenticating with the DB are handled separately in Django. You might be able to read the privileges of your users from the DB and map them to Django permissions but this is non-trivial (about Permissions see https://docs.djangoproject.com/en/2.1/topics/auth/default/#permissions-and-authorization).
In a UI/UX that has functionalities restricted depending on authorization, the frontend and backend need to be aware that permissions need to be checked and missing authorization needs to be communicated in some way or other to the user.
Example:
Users in group A are allowed to delete X. They see the "delete" button and there might also be an AJAX call that can delete X.
Users in group B are not allowed to delete X. They do not see the delete button and the AJAX call that can delete X needs to check for that permission and/or user group membership.
If you are only using a DB level authorization layer than - how would you know if the "delete" button should be displayed and for what to check in the AJAX call?
hi!
If I'm getting your problem correctly, the user you are creating is a Super User every time right?
Well if you are using Django auth.User model, you can just make User_object.is_super to False and then restrict the access of users though if-else in view! (User_object is the object of the auth.User model)
Does that made any sense?
//BTW, a side-note, a mistake I made while making my first custom user model: make sure to store your passwords hashed using Django hashes and salts!
Related
I'm working on a question and answer system with django. my problem : I want the app to get a question from an ontology and according the user's answer get the next question. how can I have all the questions and user's answers displayed. i'm new to django, I don't know if I can use session with unauthenticated user and if I need to use websocket with the django channels library.
Given that you want to work with anonymous users the simplest way to go is to add a hidden field on the page and use it to track the user progress. The field can contain virtual session id that will point at a model record in the backend, or the entire Q/A session(ugly but fast and easy). Using REST or sockets would require similar approach.
I can't tell from the top of my mind if you can step on top of the built in session system. It will work for registered users, but I do believe that for anonymous users it gets reset on refresh(may be wrong here).
I've created a custom user model (AbstractBaseUser) so that user could login into my website.
The problem is that I want to keep using Django's default user and authentication system for the admin so that staff could easily log in and manage stuff.
I saw a lot of tutorials but all of the instruct to change the setting AUTH_USER_MODEL, but if I change that I won't be able to keep using Django's default user.
Is there any solution for this?
Thanks in advance.
I have never implemented this myself, but to point you in the right direction, it may be worth having a read through this:
https://docs.djangoproject.com/en/1.10/topics/auth/customizing/#authentication-backends
By the sounds of things you may be able to write an authentication backend for your front end user model, that you can run in tandem with Django's authentication system.
If you could get this to work, I would imagine that you would then have to make sure that the front end user model, once authenticated, can not access the admin part of the site.
For me the million dollar question here is, why do you want to keep the front end and backend users on separate models? They both have the same job, to authenticate the user?
I've created several projects in the past where there are front end users and admin users. Out of the box, without any modification you set the user attribute is_staff=False for front end users and is_staff=True for the admin users; that determines whether or not a user can access the admin part of the site, and I've never had any issues with this approach.
If the front end user (or backend user) desires additional functionality, the simplest solution would be to extend the user model:
https://docs.djangoproject.com/en/1.10/topics/auth/customizing/#extending-the-existing-user-model
Alternatively you could user your could create a custom user model and use this for both.
If you're willing to provide more details, perhaps I could help further, but unless there's a strong reason for having separate user models, I'd just stick with the one and configure and extend as you need.
I hope this helps.
Documentation: https://docs.djangoproject.com/en/1.7/topics/auth/default/#django.contrib.auth.login
When you’re manually logging a user in, you must call authenticate() before you call login(). authenticate() sets an attribute on the User noting which authentication backend successfully authenticated that user (see the backends documentation for details), and this information is needed later during the login process. An error will be raised if you try to login a user object retrieved from the database directly.
So why exactly is authenticate and login 2 separate functions? From what I understand, authenticate just verifies the login information. login will take the user object and set the cookies. The only reason I can think they are separate is because maybe you can put different user objects in, say the user had 2 accounts merged. Maybe you want to verify the email address first. Is that why they are separate functions and login doesn't wrap authenticate?
This is a matter of the single responsibility principle: a method should do one logical thing. As you noted yourself, these two steps ate logically distinct:
authenticate just verifies the login information.
login will take the user object and set the cookies
To further clarify, authentication is a one-time check,
and doesn't imply a login session.
A login session implies some period of time during which the user is free to perform various restricted activities without repeated authentication checks.
Sometimes you may need to authenticate users (verify they are who they say they are) without logging them in.
If these two functionalities were combined into one,
you wouldn't be able to do that,
even if you just wanted to do a one-time check,
you would have to log them in, creating a session,
which wouldn't make sense.
Since these are clearly distinct purposes,
it makes perfect sense to have two methods.
The separation also makes testing easier. If you write an new authentication backend, you would want to be able to test if the authentication step alone is working or not, without having to worry about how the whole login system works, which is not the responsibility of your backend.
Decomposing methods into their smallest logically independent elements is the sensible thing to do, with many benefits.
In simple terms,
Authenticate refers to verifying the user credentials
Whereas login refers to creation of a user session once the user credentials has been verified(authenticated)
Authentication is the process of identifying users and verifying that they are who they claim to be. A password is one of the most prevalent and visible measures in establishing identity.
The identity is valid if the user name matches the password credential, and the system enables access to the user.
Logging in is the standard process by which an individual receives access to certain resources, computer systems, or networks after being identified and authenticated in the field of computer and information security.
A username is often made up of user credentials, and login is made up of a password.
I have a requirement to migrate from php to django. I was authentication the user over a rest call's response in php. Where I would pass the user name and password and it would tell me if the user is authenticated or not in a form of JSON response.
I would like to make use of the same concept here with django admin, I have seen the custom-authentication that django provides, in which it creates a new user into django's user tables after checking the authenticity of the user from my existing table. But that is not what i am looking for.
And this rest call is not any of the social websites but a different stand alone system itself. So cant make use of the different plugins available on google search.
I am building a system which serves content on external properties. I would like to track users which have not registered with my site with anonymous unique IDs. Then, if later they register with my site, I can covert them to regular Django users, but still have information related to their preferences and activities when they were anonymous.
Is there a facility to automatically set a user cookie via Django so that if they user is accepting cookies, I have a user session ID to work with?
I'd prefer not to come up with a custom solution if Django has some path to move from Anonymous to Authenticated users.
I suggest you look for sessions. They use cookies, store a unique id into a cookie which is linked to a file on your server containing their data.
https://docs.djangoproject.com/en/dev/topics/http/sessions/
I've looked for a solution to problems like this in the past. Django Lazy Signup (https://github.com/danfairs/django-lazysignup) looks like it should solve your problem and not force you to reinvent the wheel, though, fair warning I haven't personally used the project.