Django 1.3 authentication - django

We have digest authentication in our application. For some reason we are seeing, for a few users, a different id and username from the ones in the "auth_user" table: in django_digest_partialdigest the user_id is different, but the "login" column has the same username.
I am not able to find out what scenario would lead to this kind of entry in the DB.
We allow signup, activation of accounts and resetting of passwords.

I will try to answer why this was happening for us; I worked on it a long time ago, so I will try to recollect as much as I can.
We were allowing admins to modify the login id of the user. This would go and change the email id in the partial digest table. A lot of times they would use this to disable an account by changing the login id of that user. Now what would happen is that this user, who was not able to log in as his id had been changed, did a trial registration with us using the same email id/password as before, and hence the partial digest table would now have two entries.

Related

Should I Leave Django Allauth As-Is Or Make The Changes I've Suggested

I'm using Django Allauth and have a number of questions.
(a) When a user registers they are instantly logged in and a confirmation email is sent to their inbox. I am wondering whether this is best practice. Should the user instead be signed out after registration and only allowed to sign in using the link in their email?
I am also wondering about password change. The password change functionality that comes with Allauth simply asks the user to enter their old password and then enter a new one twice. My two questions for this are (b) is this good practice, or should I make my users request a new password via email, and (c) should I force-logout my users after a password change and make them log in using their new credentials?
(d) And lastly, if a user has forgotten their password they can request a new one sent to them via email. I could imagine this could easily be abused, as you do not need to be signed in to do this (a person or bot could continually enter a user's email address, sending them thousands of password reset links). Is there a way to add a limit on a person's email address so that one user can only be sent maybe 2 password reset links per day?
I would appreciate answers to any of these questions and would greatly appreciate any elaboration on how to do any of this, as I am new to Django and really don't know where to begin if I am to make these changes.
Thank you very much.
It all depends on what you want to do; if your site is going to manage a lot of private data, then the story would be completely different. Assuming that it is true:
A) Best practice would be to be able to log in right away, but with restrictions until they confirm the email.
B) Always request password change via email using a generated URL.
C) You should not keep the user logged in with the old password; either log them out or automatically re-login.
D) This is probably the most important here. There are a lot of ways to prevent such abuse; though they are not 100% effective, they are very effective. Here is the thing: 1) if your way to recover the password is by email, you can KEEP THE EMAIL PRIVATE, so no one can see it, and what do you think the odds are of typing a random email that matches one in your database? 2) Use popular anti-bot services like Google's reCAPTCHA. 3) Set a limit on attempts within a limited range of time.
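The per-address limit asked about in (d) and suggested in point 3) of the answer, as an added example that is not part of the original thread and not allauth's own code. It assumes a sliding window of two reset emails per address per day (the figure the question mentions), that addresses are normalised before counting so case and whitespace variants share one bucket, and that the view always returns the same neutral message so neither the existence of an account nor the throttle state is revealed to the caller. `send_mail` and `known_accounts` are stand-ins for allauth's mail sending and user lookup:

```python
"""Per-address throttle for password-reset requests (added example, not allauth code).

Assumed policy: MAX_REQUESTS reset emails per WINDOW_SECONDS per normalised
address. The caller always returns the same neutral message, so the throttle
does not become an account-enumeration oracle.
"""
import time
from collections import defaultdict, deque

MAX_REQUESTS = 2            # resets allowed per address per window (assumed policy)
WINDOW_SECONDS = 24 * 3600  # one day


def normalise_email(email: str) -> str:
    """Lower-case and strip so 'Bob@Example.com ' and 'bob@example.com' share a bucket."""
    return email.strip().lower()


class PasswordResetThrottle:
    """Sliding-window counter keyed by email address.

    `clock` is injectable so behaviour can be tested without sleeping.
    In a real deployment the timestamps would live in a shared cache
    (e.g. Redis) rather than process memory, otherwise every worker
    process keeps its own independent counter.
    """

    def __init__(self, max_requests=MAX_REQUESTS, window=WINDOW_SECONDS, clock=time.time):
        self.max_requests = max_requests
        self.window = window
        self.clock = clock
        self._hits = defaultdict(deque)  # address -> timestamps of recent requests

    def _prune(self, key, now):
        """Drop timestamps that have fallen out of the window; return the live deque."""
        q = self._hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allow(self, email: str) -> bool:
        """Record a request and report whether a reset email may be sent."""
        key = normalise_email(email)
        now = self.clock()
        q = self._prune(key, now)
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True

    def retry_after(self, email: str) -> float:
        """Seconds until the oldest request in the window expires (0 if allowed now)."""
        key = normalise_email(email)
        now = self.clock()
        q = self._prune(key, now)
        if len(q) < self.max_requests:
            return 0.0
        return self.window - (now - q[0])


def request_password_reset(throttle, known_accounts, email, send_mail):
    """View-like helper (assumed shape, not allauth's view).

    Returns the same message whether the address is unknown, throttled, or
    handled normally, so the response leaks nothing about account existence.
    """
    if throttle.allow(email) and normalise_email(email) in known_accounts:
        send_mail(normalise_email(email))
    return "If an account exists for that address, a reset link has been sent."
```

Note that `allow` is called before the account lookup, so an attacker who hammers an unknown address gets the same silent outcome as one who hammers a known one; the reCAPTCHA suggested in point 2) would sit in front of this check rather than replace it.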

Integration of django authentication system with Facebook API

I am integrating the Django authentication and login system with the Facebook Login API. The problem is that once a Facebook username is the same as one existing in my project's database, is the only solution to the problem to catch the Facebook username and add numbers or something to the string to make it unique? Is that correct? How is it normally handled?
You have several options, I'm sure I won't think of them all.
If you have a unique constraint on the 'username' field, you can add numbers to remain unique.
Remove the unique constraint on the 'username' field. Add a boolean to the user table to identify users logging in with Facebook. You are probably able to determine when a user logs in with a Facebook account. After logging in you can cross-match the information with the user you have in the database. Facebook probably has some kind of 'unique' data about a specific user which you can place in your database to differentiate between users with the same name.
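Both options in the answer, combined, as an added example that is neither Django's code nor the poster's: keep the unique constraint on username and derive a suffixed username on collision, but identify the Facebook user by a separate (provider, provider_uid) record, which is the 'unique' data the answer refers to. The in-memory `UserStore`, the lower-casing/character-stripping normalisation and the Django-style 150-character username limit are assumptions for the illustration; the essential point is that a display name or an unverified email is never used to attach a social login to an existing account:

```python
"""Linking a Facebook login to a local account (added example, not Django code).

Assumptions: usernames stay unique; social identities are stored separately,
keyed by (provider, uid); a new local user is created on first social login
rather than matched by name or email.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Tuple

USERNAME_MAX = 150  # Django's AbstractUser.username max_length; truncation policy here is assumed


@dataclass
class User:
    id: int
    username: str
    email: str = ""


@dataclass
class UserStore:
    by_id: Dict[int, User] = field(default_factory=dict)
    by_username: Dict[str, User] = field(default_factory=dict)
    social: Dict[Tuple[str, str], int] = field(default_factory=dict)  # (provider, uid) -> user id
    next_id: int = 1

    def unique_username(self, wanted: str) -> str:
        """Return a normalised `wanted` if free, else wanted2, wanted3, ..."""
        base = re.sub(r"[^a-z0-9_.@+-]", "", wanted.lower()) or "user"
        base = base[:USERNAME_MAX]
        candidate, n = base, 1
        while candidate in self.by_username:
            n += 1
            suffix = str(n)
            candidate = base[:USERNAME_MAX - len(suffix)] + suffix
        return candidate

    def create(self, username: str, email: str = "") -> User:
        user = User(self.next_id, self.unique_username(username), email)
        self.next_id += 1
        self.by_id[user.id] = user
        self.by_username[user.username] = user
        return user

    def login_social(self, provider: str, uid: str, display_name: str, email: str = "") -> User:
        """Resolve a social identity to a local User.

        Match on (provider, uid) only. A display name, or an email the
        provider has not verified, is attacker-controlled: matching on it
        would let anyone with a Facebook account take over a local account.
        """
        key = (provider, uid)
        if key in self.social:
            return self.by_id[self.social[key]]
        user = self.create(display_name, email)
        self.social[key] = user.id
        return user
```

In a real Django project the `social` mapping is the extra table the answer describes (one row per provider identity, with a unique constraint on the provider/uid pair), and the boolean "logged in via Facebook" falls out of whether such a row exists for the user.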

Worried about the use of built in django auth system set to emails, knock on effects

I set django default user authentication to use an email address instead of a user name.
My worry is about the possible future effects. If the user changes his email, will the primary keys need to be changed, as I assume the primary key for a user is now an email? What are the basic consequences of this?
The users will also have their own space on the website, hence the URLs will need to have some kind of username/unique identification. I do not foresee an issue here, but if you do please advise.
My main concern is updates of email causing bugs in the database and application.
I know the topic is broad, but what would the consequences be here, or are there none?
Thank you.
The username is unique, but it is not the primary key. Django creates a primary key id by default. See the docs on automatic primary key fields for more information.
So you should be able to change your username or email without causing problems with primary keys.
However, if you include the username or email address in the url, then these would of course change if the user changes their details.

Can django handle multiple users with the same username?

I mean using the default django authentication backend and functions.
If two users have the same username but different passwords, is Django able to log in that user and return the correct User object? Or is the authenticate function not able to handle that scenario? I looked on GitHub and I don't think the username field in the User model has to be unique.
Short answer: no.
Long answer:
Django doesn't support having more than one user with the same username because, even with what you are proposing (password differentiation), there is still a chance two users will have the same password.
Even if it weren't like this, I find it very hard to find a reason to let users share their usernames. You can create an "alias" or something additional, and let it be "not unique".

Basic django app - app design issue

To learn Django, I was making a very basic app which does the following:
Takes a user's login (checks id and password in a database).
If the user exists and the password is right, give the user the option to either insert, delete or update.
If insert, user can insert an entry into a common table.
Similarly for delete or update.
I was cruising through this but I just got stuck.
My Login page is /index/.
Option for insert/delete/update is at /application/.
Next, a page is displayed according to insert/delete/update at /application/action/.
Now the problem is that after completing one insertion, I want to return to /application to carry on my next operation.
But if I do that, I get this error
"Key 'userid' not found in <QueryDict: {}>"
So the view for /application/ is expecting the userid and password in request.POST.
How do I get around this without using external user login modules? I just want a very basic login system, just to learn.
Django comes with user authentication built in. I don't think it counts as external, as it is included in django.contrib.
If you use the built-in user authentication and User model, you will not have to pass the userid to each view. Django will automatically retrieve the logged-in user from the session and make it available as a property of the request object.
So, using the built-in user and authentication, after logging in a user you can access that user at
request.user
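To make the answer concrete, here is the session pattern it describes, written out as an added stand-alone illustration. This is not Django's implementation (use django.contrib.auth in a real app); it only shows why the /application/ view no longer needs userid and password in request.POST: the browser sends a session cookie, the server maps it to a user, and a decorator redirects to the login page when no user is bound. The `Request`, `Auth` and `login_required` names, the PBKDF2 work factor and the string return values standing in for HTTP responses are all assumptions of this example:

```python
"""Minimal session-based login (added example; illustrative, not Django's code).

Mirrors the shape of django.contrib.auth: authenticate() checks credentials
against a salted hash, login() binds a fresh session key to the user,
and a login_required decorator resolves the cookie back to request.user.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

PBKDF2_ROUNDS = 100_000  # assumed work factor, kept low so the example runs quickly


def make_password(raw: str, salt: Optional[bytes] = None) -> str:
    """Encode as algorithm$rounds$salt$hash; the raw password is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def check_password(raw: str, encoded: str) -> bool:
    _, rounds, salt_hex, digest_hex = encoded.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", raw.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time compare


# Hashed once so a login attempt for an unknown user costs the same as a wrong password.
DUMMY_PASSWORD = make_password(secrets.token_hex(16))


@dataclass
class User:
    username: str
    password: str  # encoded form from make_password()


@dataclass
class Request:
    cookies: Dict[str, str] = field(default_factory=dict)
    POST: Dict[str, str] = field(default_factory=dict)
    user: Optional[User] = None


class Auth:
    def __init__(self, users):
        self.users = {u.username: u for u in users}
        self.sessions: Dict[str, str] = {}  # session key -> username, server side only

    def authenticate(self, username: str, password: str) -> Optional[User]:
        user = self.users.get(username)
        ok = check_password(password, user.password if user else DUMMY_PASSWORD)
        return user if (user and ok) else None

    def login(self, request: Request, user: User) -> None:
        """Issue a fresh random key (never reuse a pre-login key: session fixation)."""
        key = secrets.token_urlsafe(32)
        self.sessions[key] = user.username
        request.cookies["sessionid"] = key
        request.user = user

    def logout(self, request: Request) -> None:
        self.sessions.pop(request.cookies.pop("sessionid", None), None)
        request.user = None

    def get_user(self, request: Request) -> Optional[User]:
        """What the auth middleware does per request: cookie -> session -> User."""
        username = self.sessions.get(request.cookies.get("sessionid"))
        request.user = self.users.get(username) if username else None
        return request.user


def login_required(view):
    """Stand-in for django.contrib.auth.decorators.login_required."""
    def wrapper(auth: Auth, request: Request, *args):
        if auth.get_user(request) is None:
            return "302 redirect to /index/"
        return view(auth, request, *args)
    return wrapper


def login_view(auth: Auth, request: Request) -> str:
    """The /index/ view: the only place credentials are read from POST."""
    user = auth.authenticate(request.POST.get("userid", ""), request.POST.get("password", ""))
    if user is None:
        return "403 bad credentials"
    auth.login(request, user)
    return "302 redirect to /application/"


@login_required
def application_view(auth: Auth, request: Request) -> str:
    """The /application/ view: no userid in POST, the user comes from the session."""
    return f"200 hello {request.user.username}"
```

Returning to /application/ after an insert works because the session cookie travels with every request; the original design broke because it tied identity to one form submission instead of to the session.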