How to restrict users without permissions when using remote auth backend? - django

I am relatively new to Django. I am using a remote auth backend, but I am wondering if there is a way that I can restrict users that do not have permissions, gotten from REMOTE_USER. Is it similar to the way you do it with the Django auth system?
Right now everyone who is logged in on my auth backend can access my site.
I want to grant certain users permissions before they login, and deny all other users. Is there a way in which I can do this?

Django's standard user model has is_staff and is_superuser attributes that can easily be toggled.
If you use your remote auth backend for authentication and are still using the Django User model, you can easily re-use some of this built-in functionality, such as the staff_member_required decorator:
    from django.contrib.admin.views.decorators import staff_member_required

    @staff_member_required
    def staff_view(request):
        ...

Related

Django simplejwt JWTAuthentication Permission

I'm using rest_framework_simplejwt.authentication.JWTAuthentication in Django to create tokens for our users.
But some users have limited user permissions [in the admin panel]. For example, they are only allowed to get articles and nothing else. But the token that simplejwt creates allows the user to get all other data as well.
Is there a way to adjust it? I think simplejwt overwrites the Django permissions.
The token is used just for Authentication purposes, not for Authorisation purposes. You need to use permissions for assigning permissions to different users. Read about django permissions here. If you need to customize permissions, you can extend DjangoModelPermissions class.

Django-allauth How to Ban Certain Users?

I'm using django-allauth for my Django web app. How can I ban certain users from logging in or restrict certain actions after they log in for a period of time?
Should I just deactivate their accounts outright? What are some good solutions?
Normally for Django authentication you would set the user object's is_active attribute to False and the user wouldn't be able to log in (into Django admin, for example). But you're using allauth, so simply setting the is_staff attribute would be enough to block them from entering Django admin, for example.
Now, if you're implementing another type of frontend dashboard or need to set rules for how a user logs in, I'd say use AccessMixins if you're using CBVs or decorators if you're using FBVs. Especially the UserPassesTest mixin and the user_passes_test decorator. With them you can check whether a user complies with a certain rule and then allow them to log in or not. Check the docs here.

Using LDAP Authentication but ModelBackend Authorisation

I've been working on a Django app that authenticates against an LDAP. I've created permissions and groups in the admin interface. In development mode I have both back-ends active:
    AUTHENTICATION_BACKENDS = (
        'django_auth_ldap.backend.LDAPBackend',
        'django.contrib.auth.backends.ModelBackend',
    )
Django tries authenticating across all of its authentication back-ends. Regardless of where it succeeds it uses the ModelBackend Authorization (permissions and groups) granted to the users.
But when disabling 'django.contrib.auth.backends.ModelBackend' Django does not use the standard Authorization methods. In production environment I want users to authenticate against LDAP only.
My question:
Is there an option to disable ModelBackend authentication but still use ModelBackend authorization?
EDIT
First note in the docs of django-auth-ldap :
Note LDAPBackend does not inherit from ModelBackend. It is possible to use LDAPBackend exclusively by configuring it to draw group membership from the LDAP server. However, if you would like to assign permissions to individual users or add users to groups within Django, you’ll need to have both backends installed:
But I'm still puzzled. There is no technical reason for this. When both backends are activated, and authenticating against LDAP, Django is still able to use the Django permissions.
This was asked quite a while ago, so I hope you found an answer... but to help anyone else who may stumble across this:
"The permissions given to the user will be the superset of all permissions returned by all backends. That is, Django grants a permission to a user that any one backend grants."
https://docs.djangoproject.com/en/1.11/topics/auth/customizing/#handling-authorization-in-custom-backends
This means that it is falling through and checking the permissions methods in all of the backends: even though you were authenticated using the LDAPBackend, Django is pulling permissions from LDAPBackend + ModelBackend and grouping them all together.
If you REALLY REALLY want to be SURE that ModelBackend.authenticate() is never called, you could always just make your own class MyAuth(ModelBackend) inheriting from ModelBackend and override authenticate in that to just always return None. Then you would include this in your settings.py file.
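The first question (denying REMOTE_USER names that were never provisioned, and users without permissions) and this LDAP thread (keeping ModelBackend authorisation while making sure ModelBackend.authenticate() is never called) both come down to how Django walks AUTHENTICATION_BACKENDS. The following is an added example, not code from the page or from Django itself: a small plain-Python model of that dispatch, so it runs without Django installed. User, USER_DB, PASSWORDS, the backend classes and the permission_required helper are all constructed stand-ins; they mirror the two documented rules (the first backend that returns a user wins, and a permission is granted if any one backend grants it) and the create_unknown_user switch of Django's real RemoteUserBackend.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    """Stand-in for django.contrib.auth's User (constructed for this example)."""
    username: str
    is_active: bool = True
    perms: set = field(default_factory=set)


# Users provisioned before they ever log in; anyone else is denied.
# Constructed sample data, not a real user table.
USER_DB = {
    "alice": User("alice", perms={"news.view_article"}),
    "bob": User("bob"),          # provisioned, but holds no permissions
}
PASSWORDS = {"alice": "s3cret"}  # only relevant to password logins


class RemoteUserBackend:
    """Trusts the REMOTE_USER name the web server already verified.

    With create_unknown_user = False a name that is not in USER_DB is
    rejected, which is the pre-authorisation the first question asks for.
    """
    create_unknown_user = False

    def authenticate(self, remote_user=None):
        if not remote_user:
            return None
        user = USER_DB.get(remote_user)
        if user is None and self.create_unknown_user:
            user = USER_DB[remote_user] = User(remote_user)
        return user if user is not None and user.is_active else None

    def has_perm(self, user, perm):
        return False             # this backend holds no permissions at all


class ModelBackend:
    """Password login plus permissions stored on the user record."""

    def authenticate(self, username=None, password=None):
        user = USER_DB.get(username)
        if user is not None and user.is_active and PASSWORDS.get(username) == password:
            return user
        return None

    def has_perm(self, user, perm):
        return user.is_active and perm in user.perms


class NoLoginModelBackend(ModelBackend):
    """The MyAuth(ModelBackend) idea from the LDAP answer: authenticate()
    never succeeds, but the inherited has_perm() still supplies authorisation."""

    def authenticate(self, **credentials):
        return None


def authenticate(backends, **credentials):
    """First backend that accepts the credentials and returns a user wins.
    A backend whose signature does not fit the credentials is skipped,
    which is the rule Django applies too."""
    for backend in backends:
        try:
            user = backend.authenticate(**credentials)
        except TypeError:
            continue
        if user is not None:
            return user
    return None


def has_perm(backends, user, perm):
    """Superset rule: granted if any one backend grants it."""
    return user is not None and any(b.has_perm(user, perm) for b in backends)


def permission_required(backends, perm):
    """Minimal analogue of Django's permission_required view decorator."""
    def decorator(view):
        def wrapper(user, *args, **kwargs):
            if not has_perm(backends, user, perm):
                return 403
            return view(user, *args, **kwargs)
        return wrapper
    return decorator


BACKENDS = [RemoteUserBackend(), NoLoginModelBackend()]


@permission_required(BACKENDS, "news.view_article")
def article_view(user):
    return 200


def status_for_remote_user(remote_user):
    """HTTP status the article view answers for a given REMOTE_USER value."""
    user = authenticate(BACKENDS, remote_user=remote_user)
    return article_view(user)


if __name__ == "__main__":
    for name in ("alice", "bob", "mallory"):
        print(name, status_for_remote_user(name))
    # Password login is dead because NoLoginModelBackend overrides authenticate().
    print(authenticate(BACKENDS, username="alice", password="s3cret"))
```

Running it shows alice getting 200, bob (provisioned, no permission) and mallory (never provisioned) both getting 403, and the password login returning None even though alice's permissions are still honoured through the ModelBackend subclass. Swapping NoLoginModelBackend for the plain ModelBackend re-enables password login without changing any authorisation result, which is exactly the separation the LDAP answer describes.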

How to require user login with Social-auth?

I'm using Facebook login with Social-Auth, but how can I require a user to be logged in to access some view/template?
Can I use user_required the same as with User app from django?
Django-social-auth extends the built-in authentication system. Simply use @login_required as a decorator, or whatever normal Django mechanism you prefer.

django user authentication, should admin be used or created from view?

I am completely new to Django. I have done all the tutorials and would now like to create a simple user authentication to be able to access a page in my site.
My question is whether I should use the admin authentication? Or should I create my own custom view with a user name and password and use the Django authentication API?
To clarify, I have a page that I want secured and to only be viewed when a user has permission to view it. Is this a reasonable thing to do in the built-in Django admin? It seems the Django admin is for giving permission to create new records related to an app's model.
Thanks!
I would prefer using Django's built-in authentication system. Let's assume that you'd want to create your own customer model with, say, a mobile number and a Twitter handle; you can extend Django's User model as follows:
    from django.db import models
    from django.contrib.auth.models import User

    class Customer(User):
        mobile = models.CharField(max_length=12)
        twitter = models.CharField(max_length=100)
In this case not only would you inherit attributes like email, username etc. from Django's User model, but you'd also add your custom attributes that you can store in the database.
The easiest approach to securing your pages would be to use the login_required decorator. Also take care to include the right URLs while securing your pages, to make sure you have included Django's login and logout URLs.