As the title says, I'm developing a Django app which uses another API to authenticate the user. The external API is quite simple and returns a certificate if the user is properly authenticated. My app should not keep any user's information, except it's certificate and id (which I'm keeping as session variables).
As a drawback of this implementation, I'm not using Django’s authentication system and all the practical methods it offers, like to check if the user is_authenticated, is_anonymous or to get user's permissions.
As the user must be logged to access some pages of my app, I must aswell ask him/her to log in so that he/she could continue. Therefore, using #login_required would be handful.
I must also create a Access Control module to check permissions and to allow access to some restricted areas of the app according to groups of users (common users, admins, etc.).
Do you guys know how could I customize Django's authentication system to handle all theses issues?
You have to keep logged in user inside your request so just log him without authentication
from django.contrib.auth import login
def authenticate_by_api_view(request):
certificate = do_the_magic()
if certificate_valid(certificate):
user = User()
#you can set ID here and save the user to the DB then
login(request, user)
If you don't want to save user at all you can take a look at the django-lazysignup project or use rather Django sessions framework
Related
Im working with Python and Django.
I have a manual registration/login, and also I've installed with Allauth a Gmail registration/login.
When the user logins (with the manual login I created), it automatically executes a view which shows the differents things the user can do and information related to the user. The url is: http://127.0.0.1:8000/dashboard/9
screen capture here
In relation with Gmail, the user can register and login. But, when it logins, sees the url http://127.0.0.1:8000/accounts/google/login/callback/?(...), which confirms it is logged in.
screen capture here
I understand I should create a view in the social_app app, in order to connect the Gmail user with the information in the database. Any ideas? Thanks!
I think you want to go to your settings.py and set LOGIN_REDIRECT_URL = "/dashboard/9"
Check out the docs here, they are pretty complete: https://django-allauth.readthedocs.io/en/latest/configuration.html
Currently I implemented a login routine for the website I am working on, according to This Tutorial.
Also I am not authenticating the user with djangos own system, because I am using authentication against the LDAP of my company (django-auth-ldap).
Currently I am using a general user to login to the database, which has universal access to all data, which also gives full access to any user logging in to the website.
To avoid that I would like to know how I can connect to the database as the individual user, who just logged in to the website.
Thanks in advance and sorry for bad english
Restricting user access to functionality and authenticating with the DB are handled separately in Django. You might be able to read the privileges of your users from the DB and map them to Django permissions but this is non-trivial (about Permissions see https://docs.djangoproject.com/en/2.1/topics/auth/default/#permissions-and-authorization).
In a UI/UX that has functionalities restricted depending on authorization, the frontend and backend need to be aware that permissions need to be checked and missing authorization needs to be communicated in some way or other to the user.
Example:
Users in group A are allowed to delete X. They see the "delete" button and there might also be an AJAX call that can delete X.
Users in group B are not allowed to delete X. They do not see the delete button and the AJAX call that can delete X needs to check for that permission and/or user group membership.
If you are only using a DB level authorization layer than - how would you know if the "delete" button should be displayed and for what to check in the AJAX call?
hi!
If I'm getting your problem correctly, the user you are creating is a Super User every time right?
Well if you are using Django auth.User model, you can just make User_object.is_super to False and then restrict the access of users though if-else in view! (User_object is the object of the auth.User model)
Does that made any sense?
//BTW, a side-note, a mistake I made while making my first custom user model: make sure to store your passwords hashed using Django hashes and salts!
Python-social-auth is up an running with my Django app. Sign-up works on an average case.
However, when the current session ALREADY HAS A USER logged in from other backend (let's say, Django's own authentication backend), signup with Python-social-auth, using Facebook, only creates a UserSocialAuth instance associated with the current session user's instance.
Ex.: I'm logged in in my app as John (john#gmail.com), via Django's backend. Then, I click on "Signup with Facebook" to signup as Gabriel. When I check the database, I suddenly have a user called Gabriel with email (john#gmail.com).
I suspect that the reason for that is that there is no logout in the beginning of the Python-social-auth pipeline, which keeps passing the current session user as kwargs for the following functions.
Anyone could give a hand on that?
I have a requirement to migrate from php to django. I was authentication the user over a rest call's response in php. Where I would pass the user name and password and it would tell me if the user is authenticated or not in a form of JSON response.
I would like to make use of the same concept here with django admin, I have seen the custom-authentication that django provides, in which it creates a new user into django's user tables after checking the authenticity of the user from my existing table. But that is not what i am looking for.
And this rest call is not any of the social websites but a different stand alone system itself. So cant make use of the different plugins available on google search.
I am developing an app in GAE. Application provides different view depending upon whether logged-in user is admin or normal user. I want to use 'Google Apps domain' as Authentication Type. So that all user of my domain can login into the application and use it.
Here, application can't differentiate a logged-in as admin or normal user. Somehow I should make an user as admin and as soon as that user logs in, application should use admin view for that user. Is there any way to tell application that a particular user is admin?
If we have our own USER table, we can mark any user as admin. Whenever a user logs into the app, app can consult USER table to check if user is admin or not? But in my scenario, it is not possible.
Why is what you describe not possible? The object representing the logged-in user is an instance of google.appengine.api.users.User. That object has a user_id property. You can use that ID as a field in your own user model, to which you can add a field determining whether or not they are an admin.