I am using django-registration 2.0.4 (https://django-registration.readthedocs.org/en/2.0.4/, https://github.com/ubernostrum/django-registration) with Django 1.8 and am trying to customise the registration form and application itself. While I am able to customise the form, I am stuck at using an email as username.
I don't need to change anything in Django's backend since simple removing the username field in the form and using the input email as username in the backend would be enough.
I have found this (Django-Registration: Email as username) for example but it is a couple of years old and I didn't manage to get it running yet.
How would I approach this the right way to implement said functionality? Has anyone solved this problem with a recent version already?
Edit:
Since I was asked for code: There isn't much that is relevant to this problem since it isn't a code problem but a question regarding how to extend or change the django plugin.
However, my current, boring, forms.py, as it is in the link I linked:
class MyCustomForm(forms.Form):
email = Email(required=True)
password1 = forms.CharField(widget=forms.PasswordInput(), label="Password")
password2 = forms.CharField(widget=forms.PasswordInput(), label="Repeat your password")
def clean_password(self):
if self.data['password1'] != self.data['password2']:
raise forms.ValidationError('Passwords are not the same')
return self.data['password1']
urls.py
...
url(r'^accounts/register/$', RegistrationView.as_view(form_class=InsuranceForm), name='registration_register'),
url(r'^accounts/', include('registration.backends.hmac.urls')),
...
I have done this using custom user models.
https://docs.djangoproject.com/en/1.10/topics/auth/customizing/#auth-custom-user
There is a full example in the docs above that you will have to slightly modify to achieve your aims.
Related
I've to try make a change password page with Django.contrib.auth.views.PasswordChangeView like:
[views.py]
class ChangePasswordView(LoginRequiredMixin, PasswordChangeView):
template_name = 'accounts/password_change.html'
success_url = reverse_lazy('account:password_change_done')
class ChangePasswordDoneView(LoginRequiredMixin, PasswordChangeDoneView):
template_name = 'accounts/password_change_done.html'
With URL like:
[urls.py]
path('profile/update/password/', views.ChangePasswordView.as_view(),
name='password_change'),
path('profile/update/password/success/', views.ChangePasswordDoneView.as_view(),
name='password_change_done'),
I use custom user, but I look the source code, Django get the user by request.user so its not be a problem if I use the custom user.
But why my change password not work, if I change the password with right old password and new password the form return the success page but not changing my password and I try to use wrong password in old password but always return the success page. What's the problem?
iam so sory, my problem is in my form action not to password_change url but in my success url. my fail not check this. thanks
O.K. I have a headache with this problem. I have to different sites(non django) with login option and I would like to join in it into one new website based on django.
Each of these two user databases consist of table with columns:(username, password, e-mail).
The problem is, I just can not copy it to User table in Django as we all know django is very rigid about it, so I am trying to think a way, existing users would be able to login to site as nothing has changed.
Is there any django/pythonic way to do so?
I was thinking to create an app, which would take a foreign key to User model. Within User model I would create two users (database_1, database_2), so whenever a user from database 1 would login, e.g. JohnSmith, he would be connected as database_1 user, but so would JessicaSimpson if she would be in database 1. I am just thing to create Authentication and Authorization app as system app in some way... Is this a right way thinking? Would love to hear from professionals. Thanks
in models:
from django.db import models
from django.contrib.auth.models import User, Group
# Create your models here.
class New_users(models.Model):
new_user_id = models.ForeignKey(User, unique=False)
username = models.CharField(max_length=25)
password = models.CharField(max_length=25)
email = models.CharField(max_length=25)
in views:
from django.shortcuts import render
from django.http import HttpResponse
# Create your views here.
def home(request):
if request.method == 'POST':
#if username and password from New_users are ok...
login()#User where id is the same blah blah....
I'm a professional, and I would add the old users to the new DB and put in random passwords. I would also make a table of old_users with their old hashed passwords.
I would flag these old users such that, when they visit the new app, they would be forced to enter their old pw (you'd need to know the hash method) and, if successful, then set the old pw to the new user, and log them in.
If that's too much trouble, you could write a script that sends all the old users an email (naturally, you have their email address) and a link to a change_password form. It's pretty easy to extend the django reset password functionality. And it's a good thing to have.
Could you just migrate the existing users into the new database by looping through the existing users and calling the create_user function? This would take care of the password hashing and everything, assuming that you can decrypt your current passwords back to plaintext.
I'm currently building a login for a webapp using Flask-Security (which includes Flask-WTForms, Flask-SQLalchemy and Flask-Login). I've been able to fairly painlessly set up the majority of my login flow, including forgotten password; however I want to make it so that the only way users can be registered is through a page only accessible to the admins. I've managed to configure Roles (Admin, User) and set up the following view:
#app.route('/adminregister')
#roles_accepted('admin')
def adminregister():
return render_template('*')
This creates the portal that is successfully limited to accounts with an Admin role. I'm unsure how to proceed for here however, as Flask-security has no built in means to enable what I'm trying to do.
I've overridden RegisterForm already to enforce password rules through a regexp:
# fixed register form
class ExtendedRegisterForm(RegisterForm):
password = TextField('Password', [validators.Required(), validators.Regexp(r'(?=.*?[0-9])(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[$-/:-?{-~!"^_`\[\]])')])
Basically I want a form, located at /adminregister, that when visited by an admin allows for the entry of an email address, at which point first the user is created in the database with a random and secure password, and then a similar process to a forgotten password happens and a 1 time password code is created to reset the password.
Useful things I've looked at:
Within flask-security/views.py there is the forgotten passsword code:
def forgot_password():
"""View function that handles a forgotten password request."""
form_class = _security.forgot_password_form
if request.json:
form = form_class(MultiDict(request.json))
else:
form = form_class()
if form.validate_on_submit():
send_reset_password_instructions(form.user)
if request.json is None:
do_flash(*get_message('PASSWORD_RESET_REQUEST', email=form.user.email))
if request.json:
return _render_json(form, include_user=False)
return _security.render_template(config_value('FORGOT_PASSWORD_TEMPLATE'),
forgot_password_form=form,
**_ctx('forgot_password'))
Within flask_security/registerable.py there is the code for register_user
def register_user(**kwargs):
confirmation_link, token = None, None
kwargs['password'] = encrypt_password(kwargs['password'])
user = _datastore.create_user(**kwargs)
_datastore.commit()
if _security.confirmable:
confirmation_link, token = generate_confirmation_link(user)
do_flash(*get_message('CONFIRM_REGISTRATION', email=user.email))
user_registered.send(app._get_current_object(),
user=user, confirm_token=token)
if config_value('SEND_REGISTER_EMAIL'):
send_mail(config_value('EMAIL_SUBJECT_REGISTER'), user.email, 'welcome',
user=user, confirmation_link=confirmation_link)
return user
I want to somehow combine these two, so that upon submission of a form with the sole field "Email" at '/adminregister' the email is added with a secure, random password in the database and the email address is sent an email with a link to change there password (and ideally a message explaining). I'm not even sure where I would add such code, as there is nothing to specifically override, especially as I can't find a way to override RegisterForm to have FEWER fields and the same functionality.
The structure of my code is in line with the flask-security documentation's quickstart.
Thank you in advance for any guidance you can offer.
I ended up using a work around as follows:
I enabled registration but limited registration view to users with an admin role.
I used del form.password in views -> register to no longer send the form with a password field.
I did the following in .registerable, generating a random password to fill the table.
kwargs['password'] = encrypt_password(os.urandom(24))
Upon admin entry of an email in the registration form, I had confimable enabled. This means the user would immediatly get an email to confirm their account and explaining they'd been registered. Upon confirmation they are redirected to the forgotten password page and asked to change their password (which is limited based on security).
If anyone comes up with a more direct way I'd appreciate it. I'm leaving this here in case anyone has the same problem.
The register process creates a signal with blinker that you can access like this:
from flask.ext.security.signals import user_registered
#user_registered.connect_via(app)
def user_registered_sighandler(app, user, confirm_token):
user_datastore.deactivate_user(user)
db.session.commit()
Which will deactivate any newly registered users.
I know this is an ancient question, but I think I have an elegant answer.
first import register_user
from flask_security.registerable import register_user
Then since you do not want just anyone to register ensure registerable is disabled (though disabled is the default so you can omit this) and since you want to send confirmation email, enable confirmable, and changeable for users to change their paswords
app.config['SECURITY_CONFIRMABLE'] = True
app.config['SECURITY_REGISTERABLE'] = False
app.config['SECURITY_RECOVERABLE'] = True
Then, you can do your create your user registration view and decorate it with role required. I have used my own custom registration form so I have had to go an extra mile to check if user already exists and return an error accourdingly
#app.route('/admin/create/user', methods=['GET', 'POST'])
#roles_required('admin')
def admin_create_user():
form = RegistrationForm(request.form)
if request.method == 'POST' and form.validate_on_submit():
email = form.email.data
password = form.password.data
user_exists = session.query(User).filter_by(email=email).first()
if user_exists:
form.email.errors.append(email + ' is already associated with another user')
form.email.data = email
email = ''
return render_template('create-user.html', form = form)
else:
register_user(
email=email,
password = password)
flash('User added successfully')
return render_template('create-user.html', form = form)
Also see flask-security - admin create user, force user to choose password
Here's another solution I found after poking through flask-security-too. I made an admin create user form, and simply add the following code after creating the user in the database:
from flask_security.recoverable import send_reset_password_instructions
# my code is maintains self.created_id after creating the user record
# this is due to some complex class involved which handles my crudapi stuff
# your code may vary
user = User.query.filter_by(id=self.created_id).one()
send_reset_password_instructions(user)
I understand that when we need to make the django inbuilt views, parameter specification should be made before the inbuilt view function could use it.
now I want to customize the form for django auth viewpassword_reset_confirm
and in the url, I import my customized form
from Myapp.forms import PasswordSetForm
from django.contrib.auth import urls,views
and for the url
url(r'^accounts/ ^reset/(?P<uidb36>[0-9A-Za-z]{1,13})-(?P<token>[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20})/$ ',
'django.contrib.auth.views.password_reset_confirm',{'set_password_form':PasswordSetForm},
name='password_reset_confirm'),
url(r'^accounts/', include('django.contrib.auth.urls')),
in my form.py i import the original SetPasswordForm that is used as default form by django password_reset_confirm funciton
from django.contrib.auth.forms import SetPasswordForm
and then customize the form
class PasswordSetForm(SetPasswordForm):
error_messages = {
'invalid_password': _("Please enter a valid password as instructed"),
'password_mismatch': _("The two password fields didn't match."),
}
#new_password1 = forms.CharField(label=_("New password"),
# widget=forms.PasswordInput)
#new_password2 = forms.CharField(label=_("New password confirmation"),
# widget=forms.PasswordInput)
new_password1 = forms.CharField(widget=forms.PasswordInput, min_length=6, label='New Password' )
new_password2 = forms.CharField(widget=forms.PasswordInput, min_length=6, label='Confirm new password')
def clean_new_password1(self):
new_password1 = self.cleaned_data.get("new_password1")
# password must contain both Digits and Alphabets
# password cannot contain other symbols
if new_password1.isdigit() or new_password1.isalpha() or not new_password1.isalnum():
raise forms.ValidationError(
self.error_messages['invalid_password'],
code='invalid_password',
)
return new_password1
as you could see more checking are done for the new_password1
But after trying many times the page is still using the default SetpasswordForm as the default labels for the two password is displayed in my html instead of my customized label(in the html {{form.new_password2.label}} is used to display label) and no additional checking on the new_password1 is done
I have tried to create another MyPasswordSetForm that does not inherit the SetPassordForm and pass this to the password_reset_confirm but it does not make any difference, the default form is still used.
I have googled lot and ask questions on this, seems this is the right way to go, but What could be the problem here?
Thank you very much for helping.
Oops, that URL regexp looks wrong wrong wrong:
r'^accounts/ ^reset/(?P<uidb36>[0-9A-Za-z]{1,13})-(?P<token>[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20})/$ '
It should be:
r'^accounts/reset/(?P<uidb36>[0-9A-Za-z]{1,13})-(?P<token>[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20})/$'
How to disable email activation in django-registration app?
In the current tip versions of django-registration there is a simple backend with no email and you can write your own backend to specify the workflow you want. See here https://bitbucket.org/ubernostrum/django-registration/src/fad7080fe769/docs/backend-api.rst for documentation.
To use the simple one without email, just change your urls.py to point to this backend, eg.
(r'^accounts/', include('registration.backends.simple.urls')),
Why not use this method and just use the simple backend that comes with django-registration instead of the default backend?
The new work flow would be...
1. A user signs up by filling out a registration form.
2. The user’s account is created and is active immediately, with no intermediate confirmation or activation step.
3. The new user is logged in immediately.
so on your main urls.py you would change:
url(r'^accounts/', include('registration.backends.default.urls')),
to
url(r'^accounts/', include('registration.backends.simple.urls')),
Better to fix the problem at the root than bandage it by calling commands to automatically activate the user.
Add this method to registration models.py:
def create_active_user(self, username, email, password,
site):
"""
Create a new, active ``User``, generate a
``RegistrationProfile`` and email its activation key to the
``User``, returning the new ``User``.
"""
new_user = User.objects.create_user(username, email, password)
new_user.is_active = True
new_user.save()
registration_profile = self.create_profile(new_user)
return new_user
create_active_user = transaction.commit_on_success(create_active_user)
Then, edit registration/backend/defaults/init.py and find the register() method.
Change the following to call your new method:
#new_user = RegistrationProfile.objects.create_inactive_user(username, email,
#password, site)
new_user = RegistrationProfile.objects.create_active_user(username, email,
password, site)
You could always modify this line to:
new_user = RegistrationProfile.objects.create_inactive_user(username=self.cleaned_data['username'],
password=self.cleaned_data['password1'],
email=self.cleaned_data['email'],
profile_callback=profile_callback,
send_email = False)
Or you could change this line to:
def create_inactive_user(self, username, password, email,
send_email=False, profile_callback=None):
Rather than modifying the registration app, why not just activate the user the same way django-registration does:
user.is_active = True
user.save()
profile.activation_key = "ALREADY_ACTIVATED"
profile.save()
After looking at it even more... I think what you want is to use both solutions. Probably add the above code, just after the change suggested by Dominic (though I would suggest using signals, or subclassing the form if possible)
OK final Answer:
new_user = RegistrationProfile.objects.create_inactive_user(username=self.cleaned_data['username'],
password=self.cleaned_data['password1'],
email=self.cleaned_data['email'],
profile_callback=profile_callback,
send_email = False)
RegistrationProfile.objects.activate_user(new_user.activation_key)