Possible to change password in DRF without the previous password? - django

Say I had a setup that was similar to an office with a system admin. But instead of using email to reset passwords, the system admin did it himself, and then got the password to the user through some other fashion. Is this possible to do in Django? Can I use the hash of the previous password somehow? Is there possibly a way to overwrite the rest-auth in the serializer and view? Please let me know if you guys have any methods for this. I haven't really come across anything that isn't email or Django frontend stuff.

Yes, it is possible indeed. The admin could use the admin interface.
Just implement a custom Django admin action for that.
https://docs.djangoproject.com/en/2.1/ref/contrib/admin/actions/
And use user.set_password so you won't have to deal with the hash for the previous password.
If you don't want to use the admin interface you still can use user.set_password from any view.
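An added example (not from the answer or from Django's own code) of what the answer describes: a custom admin action that gives each selected user a new random temporary password through user.set_password, so the previous hash is never needed. The names generate_temp_password, reset_user_password and reset_password_action, and the UserAdmin wiring in the trailing comment, are assumptions.

```python
import secrets
import string

# Letters and digits, minus the characters that are easy to misread when a
# password is handed over on paper or read out loud (O/0, I/l/1).
TEMP_PASSWORD_ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits if c not in "O0Il1"
)


def generate_temp_password(length: int = 16) -> str:
    """Random temporary password from the OS CSPRNG (secrets, never random)."""
    if length < 12:
        raise ValueError("temporary password must be at least 12 characters")
    return "".join(secrets.choice(TEMP_PASSWORD_ALPHABET) for _ in range(length))


def reset_user_password(user, temp_password=None):
    """Replace `user`'s password without knowing the old one.

    set_password() salts and hashes with the configured PASSWORD_HASHERS and
    stores only the new hash, so the previous hash is simply overwritten and
    is never needed.  Changing the hash also invalidates the user's existing
    sessions: Django's session auth hash no longer matches on the next request.
    """
    if temp_password is None:
        temp_password = generate_temp_password()
    user.set_password(temp_password)
    user.save(update_fields=["password"])
    return temp_password


def reset_password_action(modeladmin, request, queryset):
    """Admin action: give every selected user a fresh temporary password.

    The password is shown once to the admin via the messages framework so it
    can be passed on out of band; nothing here writes it to a log or an email.
    """
    from django.contrib import messages  # imported here so the helpers above need no Django

    for user in queryset:
        temp = reset_user_password(user)
        messages.info(request, f"Temporary password for {user.get_username()}: {temp}")


reset_password_action.short_description = "Reset password to a new temporary one"

# Assumed wiring in admin.py (hypothetical):
#   class UserAdmin(django.contrib.auth.admin.UserAdmin):
#       actions = [reset_password_action]
```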

Related

Using an alternative model for password reset in Django

Due to the complexities of the application I'm creating, I ended up with three user models. One which is pretty much the normal User which is not used for anything other than admin and two others. I wrote my own set of auth backends to deal with it and it's working well.
Now my problem is having a reset password system. Is there a way to use Django's reset password views while using a custom model?
I've answered your related question about password resets which touches on a lot of similar ground.
I haven't tried password resets with multiple user models myself, but if you look at Django's auth views in django.contrib.auth.views, in PasswordResetConfirmView - the view that handles the reset form - it has a get_user() method which fetches the user model. And the form_valid() method performs user authentication. So if you subclass this view as per my other answer and write your own versions of these methods to handle your non-default user model, that should be the way to go.
I don't know about your specific case, but if you were starting again, the best way would probably be to set the default user (as specified in AUTH_USER_MODEL) to an extension of Django's AbstractUser, and from there you can customise your user model with different user types and roles. Apologies if you already did that, and of course changing user models on an existing app is difficult and risky. But I think with that design, one password reset link would cover all users. Here's a good blog post laying out that approach.

How can I allow users to register with an email using django-rest-framework-social-oauth2?

I'd like users to be able to register without using a 3rd party if they so choose. Few sites require a username to login anymore, so I'd like to use emails instead of usernames.
django-rest-framework-social-oauth2 combines python-social-auth and django-oauth-toolkit.
python-social-auth includes an EmailAuth backend that should let users register with an email and password. However, I don't understand the implications around using this instead of a Django-specific auth backend, and the docs label it as 'legacy', which sounds a little scary.
In fact, I have no idea how creating accounts, including from 3rd parties, works regarding the Django User Model as it requires a username.
What will I lose using EmailAuth? Is that the ideal way to go here, or is there an alternative?
For reasons I don't understand, Django still doesn't support emails instead of usernames without a custom user model, so regardless I need to use something bespoke or open-source for email-based accounts.
EDIT: python-social-auth just fills the username field with username = email.split('#', 1)[0] as shown here. I think I may need to make a custom Django User model and point python-social-auth to it, but I'm not sure how, and I'm not sure if this should still be used via EmailAuth or independently of python-social-auth.

Can django handle multiple users with the same username?

I mean using the default django authentication backend and functions.
If two users have the same usernames but different passwords, is django able to log in that user and return the correct User object? Or is the authenticate function not able to handle that scenario? I looked in the github and I don't think the username field in the User model has to be unique.
Short answer: no.
Long answer:
Django doesn't support having more than one user with the same username because, even with what you are proposing (password differentiation), there is still a chance two users will have the same password.
Even if it weren't like this, I find it very hard to find a reason to let users share their usernames. You can create an "alias" or something additional, and let it be "not unique".

Adding Pushover integration in Django

I've recently started using Pushover.net. I've done some searching and can't find any examples of it being integrated with a django project.
Since I can't find any examples I've decided it would be fun to try myself. What I'm interested in is how you would suggest I do it. I want the actual pushover part as decoupled as possible, hence doing it as an app.
What I'm not entirely sure on how to approach is the user authorization. The idea being a user enters their pushover user key and it's saved in a user profile model using django's AUTH_PROFILE_MODULE with some functions such as has_pushover, but obviously I'd like some security so the user keys aren't stored in plaintext. What do people suggest for this?
Is there some inbuilt django security I can use?
In the past when I've needed to encrypt Django fields I used the encrypted fields available in django-fields. You could use one of these on your UserProfile model and define a has_pushover() method on the model which basically returns whether the pushover token field is None or not.
I'm guessing because you're talking about storing each user's Pushover token you are wanting to build an app for pushing arbitrary notifications to your website's users? This is in contrast to having the website just push notifications to yourself for site events.

Using Django-Registration, what's the easiest way to remove and use email address

For my app, I'd just like people to register with an email address and password and use that to log in. Essentially I don't want the username to ever be seen by the end user.
I'm using django-registration. Is there a super simple way to set it this way? Seems like a fairly common need.
Thanks!
http://djangosnippets.org/snippets/1001/
In your registration form, you'll need to remove the username and have it be autogenerated. The username field isn't very long in Django, so just using an email isn't a viable option without (monkey)patching Django.
Once you are registering users with an autogenerated username, you'll need to enable authentication. To do this you need to use a custom Authentication backend that enables signing in by email. Pinax has one that you can use as a reference:
Link