Due to the complexities of the application I'm creating, I ended up with three user models. One which is pretty much the normal User which is not used for anything other than admin and two others. I wrote my own set of auth backends to deal with it and it's working well.
Now my problem is having a reset password system. Is there a way to use Django's reset password views while using a custom model?
I've answered your related question about password resets which touches on a lot of similar ground.
I haven't tried password resets with multiple user models myself, but if you look at Django's auth views in django.contrib.auth.views, in PasswordResetConfirmView - the view that handles the reset form - it has a get_user() method which fetches the user model. And the form_valid() method performs user authentication. So if you subclass this view as per my other answer and write your own versions of these methods to handle your non-default user model, that should be the way to go.
I don't know about your specific case, but if you were starting again, the best way would probably be to set the default user (as specified in AUTHOR_USER_MODEL) to an extension of Django's AbstractUser, and from there you can customise your user model with different user types and roles. Apologies if you already did that, and of course changing user models on an existing app is difficult and risky. But I think with that design, one password reset link would cover all users. Here's a good blog post laying out that approach.
Related
Say I had a setup that was similar to an office with a system admin. But instead of using email to reset passwords, the system admin did it himself, and then got the password to the user through some other fashion. Is this possible to do in Django? Can I use the hash of the previous password somehow? Is there possibly a way to overwrite the rest-auth in the serializer and view? Please let me know if you guys have any methods for this. I haven't really come across anything that isn't email or Django frontend stuff.
Yes it is possible indeed. The admin could use the admin interface.
Just implement a custom Django admin action for that.
https://docs.djangoproject.com/en/2.1/ref/contrib/admin/actions/
And use user.set_password so you won't have to deal the hash for the previuos password.
If you don't want to use the admin interface you still can use user.set_password from any view.
I know that one can set up authentication with the built in django login(request, user), request.is_authenticated when the user acquires the sessionid cookie, and authenticate(request, username="foo", password="bar").
However, underneath this interface, django creates a User object in the database. I am authenticating using other means, namely LDAP. I can opt for just passing the username and password for LDAP every single time, but having a sessionid token would be ideal.
Is there any way to use the same login(), request.is_authenticated, authenticate() API but without using the User model underneath? Another alternative is fine as well. The one restriction that I have is that I do not want to use another library.
Thanks!
As far as I know, its not possible to use djangos authentication/autorization framework without the User model.
In the part where the docs talk about customizing authentication, it is always centered around the User model (even if it is your custom user model).
That being said, you could look into something really hackish: creating your custom user model that is not stored in the database.
For that you'll probably need custom fields and managers that prevent database calls while still making certain fields available in the model (like email and username). I never tried it, but it should be possible by overriding djangos default behavior in the right places.
But all that effort is probably not worth the trouble. Just write your own authentication backend that automatically creates an User instance on successful authentication against your LDAP source, so you can "harness the full potential of the django User model".
I currently have a website that has three kinds of permissions:
Active
Staff
SuperUser
What I want to do is limit what a user can view depending on his subaccess level on Driver i.e. Driver has three sub access levels - 100, 200, 300. I was thinking of doing this by
def email_check(user):
return user.accesslevel
#user_passes_test(accesslevel=100)
def my_view(request):
...
How do I add the additional property of the subaccess level to the user model? Is there any other way to implement this? ALso, since this is a an already live project, there are a lot of user on-board already. I'll also need to provide them a default access value.
Your idea to go with user_passes_test looks good to me.
So your main issue is basically how to extend the user model. This topic is covered thoroughly under Django documentation: Customizing authentication.
To sum up, there are mainly two ways to go with. One is to extend your user model with a custom model with an one-to-one relationship with User and any custom fields such as access level.
Alternatively, you can provide with a custom user model and substitute the Django User model, but this seems not appropriate for your case.
My web features two user types, Client and Professional. There are also two 'main modules', one for clients to buy stuff and so on (the main site), and the other for professionals to manage operations. For auth, I would like to have:
A single 'sign in' form, which detects whether the user is a client or a professional and forwards her to the right module (main site or management site).
Two 'sign up' forms, one for clients and other for professionals. Probably, the site will ask the user whether she wants to register as a professional or as a client, to trigger the right registration flow for each case.
Clients will use the 'main site' and should not be authorized to use the 'management site'.
Professionals will use the 'management site' but should not be authorized to sign in to the main site.
Both professionals and clients are registered as Users, and share common fields, such as username, phone, email, etc...
Since Django won't let me use two models for authentication. I've created custom model subclassing AbstractBaseUser and which serves me as a base auth class for Client and Professional.
class BaseUser(AbstractBaseUser):
...
class Client(BaseUser):
...
class Professional(BaseUser):
...
I've also changed the AUTH_USER_MODEL setting to:
AUTH_USER_MODEL = 'myapp.BaseUser'
I've also included django-allauth to manage user registration and authentication. But now I'm stuck. I just began playing with Django/Python and I'm not sure how to solve this.
It seems there is no official recommended way for doing this (Implementing multiple user types with Django 1.5). Should I stick to the subclassing approach, or should I do the OnetoOne relationship pointed out in the docs ?
Once I have the models properly setup, how should I proceed with the two registration forms? Is it possible to accomplish this with django-allauth, or do I need to do it manually?
As far as I know, when a new user is registered, a new base user is created in the User table. But since I will be creating user specializations (Client or Professional), how should I specify that I also want to create the client-related data or professional-related data in the corresponding table?
I'm pretty new to Django, so any advise will help
I think the easiest way for you to do what you are talking about is going to be to have 3 apps in your project: your top level app, a "professional" app and a "client" app. At the top level app, all you really need to do is give the users a login form, and 2 links, one for registering as a Professional and one for registering as a Client.
In this case, I believe it will be easiest for you to use Django's built in Permissions system, and assign each type of user to a corresponding group (eg. professionals and clients). You can use a decorator on your views to ensure that only members of a particular group can access that view (since you have 2 separate apps for each group, you can add a decorator to all views in each of them, or you can import Django's authorization functions into your urls.py and check it there, although that is beyond the scope of this answer).
Registration is easy enough, use your urls.py file to forward the user that wants to register to the correct app. Once you do that, you should be able to use django-allauth registration on each app, allowing you to create 2 different kinds of users. Make sure when the register, you assign them to the correct group membership.
As for the login redirection, once you receive the POST data, I would check for which type of user logged in, and use that to forward the user to the correct URL that goes with the Professional or Client app. You can see the below link for an idea of redirecting a user after login.
Django - after login, redirect user to his custom page --> mysite.com/username
I searched for a similar question but found none so far.
I have a subclass of User (django.contrib.auth.models.User). I want my site to support both Individual users and Business users, so in this case it's:
class BusinessUser(User):
website = models.CharField(max_length=20)
objects = UserManager()
I have a register form that saves a user as a User and another one that saves my user as a BusinessUser. The problematic case is the BusinessUser:
I have checked through the Django console that both an User and a BusinessUser object exists after registration of a BusinessUser, and all fields are fine (username, email, password).
However, on my login page, I cannot login with my BusinessUser's. I can login fine with the normal User's registered, but not BusinessUser's.
Does anyone know what might be wrong?
Thank you.
Custom authentification backend should be used when django's User subclassed
You can see example here
I haven't tested this, but I believe this will work.
You subclassed User. Don't do that ever. Use profiles to add additional data, and if you really need two separate models (say for having two separate views for individual and business users in the admin) create proxy models and custom managers that filter only individual or business users from User.