I have been using Django's built in password reset views and forms to great success, but I'm not sure how:
I could customize the error messages in each of the forms' field validation. For instance, rather than the default message: 'That e-mail address doesn't have an associated user account. Are you sure you've registered?', when an invalid email is entered, I want it to say something else.
I am using built-in facebook authentication (Django-facebook), so if a user's email is linked with a facebook account, I don't want to send him an email to reset the django User account's password. How can I explicitly check whether or not the user has an associated Facebook model (ie. if user.get_profile().facebook_data = True or something)?
The crux of this question really extends down to one thing, which is how I can extend the forms in the built in password reset fields. Based on the documentation (ie. https://docs.djangoproject.com/en/dev/ref/forms/fields/) I know I can do so for at least 1, not sure about 2 in forms I create from scratch, but not sure where to get started for built-in cases.
Related
I am using Flask-Security, which in turn uses Flask-Login. I have a site which requires that a user both confirm their email address AND subsequently be approved by an admin. Without both of these things, I don't want the user to be able to use the site.
I've turned on SECURITY_CONFIRMABLE and the email with the confirmation token is being sent correctly. I've set SECURITY_POST_CONFIRM_VIEW, and the user is directed to the right view once they click the confirmation link in the email. However, the user is logged in as part of the confirmation process. I don't want the user to have access until they are approved by an admin. (Interestingly, this line is not present in the develop branch.)
I can think of four ways to get around this, and none are particularly appealing:
Allow the user to log in after confirmation, but decorate every login_required view with a function which checks the user's permissions and sends them to an error page if they aren't allowed. I already have 2 of these, and I'd prefer to avoid adding a third to every view. Plus, it feels wrong to allow login when the user can't use the site until they're approved.
Turn off SECURITY_CONFIRMABLE and email/confirm the token myself. This will require copying a lot of code and the chances of an error are higher than I would like. And are there perhaps other ways a user can login which would get around this check? Say through the password reset flow? Or if a future admin turned on passwordless login with tokens?
Monkey patch Flask-Security's login_user or Flask-Login's login_user to do my check. Seems quite hacky, and I don't know how to ensure that my patch is installed before any other code connects to the original function.
Fork one of these libraries and insert a callback which I can implement in my code. Sledgehammer, meet nut. Plus maintainability issues. Unless perhaps I managed to get a PR accepted.
I hope there is another answer I'm overlooking. This can't be that uncommon a setup!
Fortunately, the solution was MUCH easier than I feared. UserMixin has an is_active property which gets consulted at the very beginning of Flask-Login's login_user. So my code simply looks like this:
class User(UserMixin, Base):
#property
def is_active(self):
return (super(UserMixin, self).is_active and not self.has_role('pending'))
Now no user can sign in who has a 'pending' role.
Currently I implemented a login routine for the website I am working on, according to This Tutorial.
Also I am not authenticating the user with djangos own system, because I am using authentication against the LDAP of my company (django-auth-ldap).
Currently I am using a general user to login to the database, which has universal access to all data, which also gives full access to any user logging in to the website.
To avoid that I would like to know how I can connect to the database as the individual user, who just logged in to the website.
Thanks in advance and sorry for bad english
Restricting user access to functionality and authenticating with the DB are handled separately in Django. You might be able to read the privileges of your users from the DB and map them to Django permissions but this is non-trivial (about Permissions see https://docs.djangoproject.com/en/2.1/topics/auth/default/#permissions-and-authorization).
In a UI/UX that has functionalities restricted depending on authorization, the frontend and backend need to be aware that permissions need to be checked and missing authorization needs to be communicated in some way or other to the user.
Example:
Users in group A are allowed to delete X. They see the "delete" button and there might also be an AJAX call that can delete X.
Users in group B are not allowed to delete X. They do not see the delete button and the AJAX call that can delete X needs to check for that permission and/or user group membership.
If you are only using a DB level authorization layer than - how would you know if the "delete" button should be displayed and for what to check in the AJAX call?
hi!
If I'm getting your problem correctly, the user you are creating is a Super User every time right?
Well if you are using Django auth.User model, you can just make User_object.is_super to False and then restrict the access of users though if-else in view! (User_object is the object of the auth.User model)
Does that made any sense?
//BTW, a side-note, a mistake I made while making my first custom user model: make sure to store your passwords hashed using Django hashes and salts!
As the title says, I'm developing a Django app which uses another API to authenticate the user. The external API is quite simple and returns a certificate if the user is properly authenticated. My app should not keep any user's information, except it's certificate and id (which I'm keeping as session variables).
As a drawback of this implementation, I'm not using Django’s authentication system and all the practical methods it offers, like to check if the user is_authenticated, is_anonymous or to get user's permissions.
As the user must be logged to access some pages of my app, I must aswell ask him/her to log in so that he/she could continue. Therefore, using #login_required would be handful.
I must also create a Access Control module to check permissions and to allow access to some restricted areas of the app according to groups of users (common users, admins, etc.).
Do you guys know how could I customize Django's authentication system to handle all theses issues?
You have to keep logged in user inside your request so just log him without authentication
from django.contrib.auth import login
def authenticate_by_api_view(request):
certificate = do_the_magic()
if certificate_valid(certificate):
user = User()
#you can set ID here and save the user to the DB then
login(request, user)
If you don't want to save user at all you can take a look at the django-lazysignup project or use rather Django sessions framework
I have simple form for create new user in Django.
Also I want that request (from user) forward to the administrator's email, and just admin can enable that account. User has to wait respond from admin. If admin enable that account, user is going to be able to use account!
Create the user with is_active = False, Then you can easily filter those user on django admin panel.
Or you can use django signal such as post_save signal to send an email to administrator's email, email can be included with an activation link which is unique for activating the user.
You can create a separate model to keep inactivated user and for each record generate an random-hashed key. You can use that random-hashed key (token) in activation link that you sending to administrator's email.
There is already some application that let you to handle registration, for example django-registration. But your case it little bit tricky. Because you want to admin be able to activate those users. So I suggest you to look at django-registration source code. It's so clear and easy to understand. Just read the code and you will get the point.
I found the django-registration app, but it seems to complex for what I am trying to do. I want users to simply enter their e-mail (username) + a password and automatically be registered. No activations or confirmations. Hacker News style. Does anyone know what the simplest way to implement this would be? Is there something pre-existing out there that you know of (I couldn't find anything), should I somehow modify django-registration, or build this on my own?
Login/Authentication
To make Django authenticate using email/password instead of username/password, you will need to add to your settings.py:
AUTHENTICATION_BACKENDS = ('myproject.myauthenticationbackend')
This authentication backend needs to be able to authenticate a user based on email/password. A good email authentication backend can be found here: http://djangosnippets.org/snippets/74/
User Registration
Normally, your registration form will ask user for the email and password. However, Django's auth User model requires every user have a username. One way to handle adding a username is - upon saving of the registration modelForm, generate a random username (since we're not using it anyways).
You will need to check manually that the email the user has entered is already registered in your system.
I've also written a blog post about it a while back and has more complete notes on email authentication. It also includes a sample email/password registration form:
http://www.xairon.net/2011/05/django-email-only-authentication/
I don't know any app which is doing that but it seems quite simple. I don't think it is necessary to modify and use django-registration in this case.
Create a form that will ask for email and password and then create the corresponding user. The username may be generated from a slug of the email address.
Look at the following snippet for allowing to authenticate with an email address. http://djangosnippets.org/snippets/74/