Closed. This question is opinion-based. It is not currently accepting answers.
Closed 8 years ago.
I want to build a Django app that allows users to sign up using their Facebook account (but isn't necessary). However, I don't feel like dealing with the social auth stuff from the get go because I'd rather focus on the meat of my app. So, can I make an app without social authentication and just "plug it in" at the end or is it something I should set up from the beginning?
It is fine to plug it in later. However, one decision you must make at the start and stick to is the user model you're going to use.
Whether users register/login to your site with a social account or not, a local account will need to be created. Social accounts are linked to that local account.
If you are happy for the local account to use the default user model and have users log in to your site with a username and password, then go right ahead.
If you'd like the local account to use an email instead of a username then you've a bit of work to do.
The Django docs explain your options and provide a working example at the bottom.
Assuming you're going to use django-allauth, this tutorial will get you started and this demo will give you most of the templates you need.
The demo gives an example of customizing the user model to use email instead of a username but it is not quite complete.
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 5 years ago.
I'd like to password-protect my staging environment so it's not accessible to the public. Also, the password protection should not be tied to Django's authentication backend, so that I can test features (e.g. creating an account for user, logging in / out, etc.).
How best to achieve that?
So here are some ideas:
Do not make a registration possible. No form, no form validation etc
Give users you created special profile attributes like is_real_user = models.BooleanField(default=False) or maybe a group. Check or uncheck the boolean in the admin only!
Check in the views, templates, forms etc if the user has the attribute is_real_user and if not send 404/Validation_error
The first view on your "homepage" (start page) can have a form where the user needs to type in password(s). Do a form validation and if it's True render the next template, else 404/Validation_error and redirect him again to the main page.
Save in session/userprofile that the password was correct and check on templates/views if the correct password is given (again Booleanfield) else 404/Validation_error
Do not tell anybody about your site, url.
Hope that helps a bit :)
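One way to get password protection that is independent of Django's authentication backend, as the question asks, is HTTP Basic auth applied in front of the application. The sketch below is an added example, not code from the original posts: `StagingBasicAuth`, `demo_request` and `inner_app` are hypothetical names, and `inner_app` stands in for the object returned by Django's `get_wsgi_application()`.

```python
# Added example: HTTP Basic auth as WSGI middleware, standard library only.
import base64
import binascii
import hmac


class StagingBasicAuth:
    """Wrap any WSGI app (e.g. Django's) so every request needs one shared login."""

    def __init__(self, app, username, password, realm="staging"):
        self.app = app
        self.expected = f"{username}:{password}".encode("utf-8")
        self.realm = realm

    def _authorized(self, header):
        scheme, _, token = header.partition(" ")
        if scheme.lower() != "basic":
            return False
        try:
            supplied = base64.b64decode(token.strip(), validate=True)
        except (binascii.Error, ValueError):
            return False  # malformed header is treated as a failed login
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(supplied, self.expected)

    def __call__(self, environ, start_response):
        if self._authorized(environ.get("HTTP_AUTHORIZATION", "")):
            return self.app(environ, start_response)
        start_response("401 Unauthorized", [
            ("WWW-Authenticate", f'Basic realm="{self.realm}"'),
            ("Content-Type", "text/plain; charset=utf-8"),
        ])
        return [b"Staging environment: authentication required.\n"]


def inner_app(environ, start_response):
    """Stand-in for the Django WSGI application (assumption for the demo)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"django app"]


def demo_request(app, authorization=None):
    """Call a WSGI app with a constructed environ; return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if authorization is not None:
        environ["HTTP_AUTHORIZATION"] = authorization
    captured = {}
    body = b"".join(app(environ, lambda status, headers: captured.update(status=status)))
    return captured["status"], body
```

Because Django's session login is cookie-based, account creation and login/logout can still be tested behind this gate; it does occupy the `Authorization` header, so it conflicts with API clients that send their own, and Basic credentials are only protected in transit when the site is served over TLS.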
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 6 years ago.
I am wondering what is the most Django-like way to handle Django's user model together with OAuth users? Specifically I would have mostly OAuth users (logged in using **social-app-django** (https://github.com/python-social-auth/social-app-django)), some of which also have a password for the admin interface. All users should have the ability to save some settings in the webapp. Each user belongs to one or more groups.
Snippet of the problem:
Django users require a password to be set, but for OAuth users the field would need another value. This is for example shown here: https://github.com/joestump/python-oauth2/wiki/Logging-into-Django-w--Twitter After the successful authentication a user is created and logged into the session like this:
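```python
from django.contrib.auth import authenticate, login

# access_token is the dict returned by the OAuth provider
user = authenticate(username=access_token['screen_name'],
                    password=access_token['oauth_token_secret'])
login(request, user)
```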
Two possible approaches:
A:
The approach from the snippet uses the Django user model and I can just relate the user settings to the user model. The downside is that the password and email are set to an arbitrary value (I also don't get the email from the OAuth provider).
B:
Approach B is to save the settings and roles in a table that is not associated with the user table (thereby not requiring email and password), but also losing a lot of built-in functionality of the user model.
You can use a different model for storing all additional data associated with an OAuth user and linked to settings.AUTH_USER_MODEL.
It might require a custom OAuth authentication backend. You don't have to fake the password and email (just leave them blank), but you have to generate a unique username.
Check the sources of one of the third-party libraries, for example django-all-access
https://github.com/mlavin/django-all-access/blob/master/allaccess/models.py
https://github.com/mlavin/django-all-access/blob/master/allaccess/backends.py
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 7 years ago.
I am not an expert in Django and am learning it by doing. I am making an application and it has two kinds of users:
User who offers services
User who uses services
So my query is how to manage these two types of users? One possible approach I am thinking of is to make two separate profile models for both these users and have different login pages for these users. And still I want to have an upper layer of Django admin which can manage both these users. So my problem is: is there any particular way to implement this kind of scenario, or can I go with my approach? These users will have different privileges, like the offerer of a service can add his service while a simple user can only use that service by logging in himself. So I want to have a secure separation between these users.
I would suggest using Django's built-in Groups and custom Permissions. Also another interesting tidbit I would consider is implementing two versions of the Django admin.
How to have 2 different admin sites in a Django project?
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 9 years ago.
I am writing a web service in Java which will expose a product's API.
What I cannot figure out for my low-level design is how to authenticate and authorize within my web service.
For example: who can or cannot invoke methods on my web service.
I want to build something like this: one user can add an account but shouldn't be allowed to add a user, while some other user can do vice versa.
Can anyone give me a direction for best practices? I can figure out the details.
Here is a lightweight howto:
You could implement a user table and provide a login mechanism. Every time a user logs in you could store the user ID in a session. If an arbitrary request is received you check whether a session exists. If not, you force the user to log in; otherwise you read the user ID from the session. Then you can determine which functions the user is allowed to access.
Also this link about similar question on stackoverflow might help:
Servlet user authentication
Closed. This question is off-topic. It is not currently accepting answers.
Closed 11 years ago.
I am the webmaster for a large online school. On our visitors page I would like to use the photos of Facebook users who have liked our page. The photos would be used in a header graphic, and would not be altered in any way. Is this okay?
Thank you
No. Without permission it is ethically wrong.
Go for it.
Your users may detest you, but they had the opportunity to read the Facebook Data Use Policy before starting use of the service:
Information you choose to make public
Choosing to make your information public is exactly what it sounds like: anyone, including people off of Facebook, will be able to see it. Choosing to make your information public also means that this information:
can be associated with you (i.e., your name, profile picture, Facebook profile, User ID, etc.) even off Facebook
can show up when someone does a search on Facebook or on a public search engine
will be accessible to the games, applications, and websites you and your friends use
will be accessible to anyone who uses our APIs such as our Graph API.
Facebook doesn't provide an API of who likes your page so it will be difficult for you to get a complete list. However, Facebook provides social plugins that will show the pictures of who likes a page so I don't see why you wouldn't be able to do this.