I am completely new to Django. I have done all the tutorials and would now like to create a simple user authentication to be able to access a page in my site.
My question is as to whether I should use the admin authentication? Or should I create my own customer view with a user name and password and use the DJango authentication api?
To clarify, I have a page that I want secured and to only be view when a user has permission to view it. Is this a reasonable thing to do in the built in Django admin? It seems the Django admin is for giving permission to create new records related to an apps model.
Thanks!
I would prefer using Django's built in authentication system. Lets assume that you'd want to create you own customer model with say mobile number and twitter handle, you can extend Django's User model by following
from django.contrib.auth.models import User
class Customer(User):
mobile = models.CharField(max_length=12)
twitter = models.CharField(max_length=100)
In this case not only would you inherit attributes like email, username etc from Django's User model but you'll also add you custom attributes that you can store in database.
The easiest approach to securing your pages would be to use login_required decorator. Also take care of including right URLs while securing your pages to make sure you have included Django's login and logout URLs
Related
On the client side I use the iOS SDK for Facebook to login and I get the Facebook ID and the access token.
Now on the Django side of things I would like to create a user with Facebook ID as the primary identifier and other fields like access token, first name, last name etc (the last two of which I will retrieve from the Graph API on the server side).
I know that I have to create a custom user model.
If you wish to store information related to User, you can use a one-to-one relationship to a model containing the fields for additional information. This one-to-one model is often called a profile model, as it might store non-auth related information about a site user.
This will not be enough as I will be using the Facebook ID and the access token for authentication.
This leaves me with two options: I can substitute a custom user model like so:
AUTH_USER_MODEL = 'myapp.MyUser'
Or I can subclass AbstractUser:
If you’re entirely happy with Django’s User model and you just want to
add some additional profile information, you can simply subclass
django.contrib.auth.models.AbstractUser and add your custom profile
fields.
But that doesn't sound quite right either. Also this design tip has confused me a little more.
Model design considerations
Think carefully before handling information not directly related to authentication in your custom User Model.It may be better to store app-specific user information in a model that has a relation with the User model.
What is the best way to implement what I am trying to do?
Just a side note: The problem of a custom user is that it is often the case that other apps (and yes, you will use them) don't interact correctly with it due to the assumptions they make on the base model for auth.
This will not be enough as I will be using the Facebook ID and the access token for authentication.
I'm not sure you really need a custom user. For instance, I'm using open id for authentication and there is no problem in using the default user: there is just another model with a OneToOne relationship to the default user.
The main concern you should have for a Facebook ID for authentication (and authentication in general) is to have a custom authentication Backend with its own specific facebook authentication.
Internally, authenticate() runs through all installed backends (settings.AUTHENTICATION_BACKENDS) and tries to authenticate the user with one of those.
You can search some of the existing implementations e.g. in Django packages for facebook authentication.
If your users should be enabled to login/register with username, mail and password -> use a OneToOne relationship to django's usermodel to store facebook credentials.
If your usermodel entirely depends on facebook data and you don't want your users to login with username/pass -> substitute the usermodel with AUTH_USER_MODEL = 'myapp.MyUser'.
You might also want to take a look at django-allauth which solves much of your problems in a sweet little package.
I am using Django for a small one-person tool. I would like to add/adapt my models via the admin interface, but I don't want to login everytime.
How can I switch off the required authentication at /admin/?
I highly recommend against you doing down that road:
Is it possible? No; the admin relies on the django auth app being with your settings' INSTALLED_APPS; of course this is because the admin relies on permissions and permissions rely on the admin user being authenticated.
The admin is built to edit not simply "your" models but also the models enabling the admin itself, mainly the models exposed by the auth app itself.
What to do ... 2 options:
Quickly develop a simple solution requiring no authentication using Django's ModelForms - docs and another good link here.
If it's a "one-person tool" then simply keep your authentication details saved in the browser you use; i.e. let the browser remember your username and password, so you just have to hit the "login" button rather than re-enter your data.
In my Django app a user can register to the site and receive staff_user privileges from the admin.
After that the staff user can create and manage some other users (normal users) using default django admin site.
Now, I would like to let the staff user see and manage only the users he created from the admin site, I don't want him to see other users created by another staff user.
how can I do that? I imagine I need to modify admin.py right?
Don't modify the admin site.
In general, you have the following tools available:
Create groups
Add users to groups
Create custom permissions on your models, to indicate certain actions
https://docs.djangoproject.com/en/1.4/topics/auth/#custom-permissions
However, what you are asking: Now, I would like to let the staff user see and manage only the users he created from the admin site is not possible in django-admin.
The Django-admin site is only intended as a glorified development tool for fully trusted users, not as a customizable app for end users.
If your project requires an admin site with any of the following ...
Customized administraion functionality.
Exposure to any user that is not completely trusted.
... then I'm afraid you have to create your own custom app.
You can replace the stock UserAdmin with your own which overrides queryset() and does the filtering. The bigger issue is what to filter by. The default User model does not store a "created_by" in the model instance. So you would need to add this information whenever a User is added.
How best to do this depends on your Django version.
Django 1.5 introduced a "Configurable User model" which makes this very easy.
https://docs.djangoproject.com/en/dev/releases/1.5/#configurable-user-model
In earlier versions you would either have to monkeypatch the User model, or store that information in a separate "user profile" attached 1:1 to the User.
https://docs.djangoproject.com/en/dev/topics/auth/customizing/#extending-the-existing-user-model
Regarding the trusting of users (which wasn't a topic but I feel the need to comment on thnee's answer) in the Django admin, check out the links in my answer here: Should I use Django's Admin feature?
I am familiar with using django's built-in auth to create a new user that has an email and password, but I would like to create a new user that will only use Twitter to login. From what I can tell, django-social-auth associates the twitter account with an existing Django User object. In my case, there will not be an existing Django User object, as Twitter will be the required method for logging into the site. Should I abandon django's built in auth? Or is there a good way to extend it to do what I want? Thank you for any suggestions.
django-social-auth extends django built-in auth. django-social-auth will create it self a new user whem your Twitter user will be successfully authenticate. You can read about django-social-auth features:
Basic user data population and signaling, to allows custom fields values from providers response.
Multiple social accounts association to single users
Custom User model override if needed (auth.User by default)
Extensible pipeline to handle authentication/association mechanism
I searched for a similar question but found none so far.
I have a subclass of User (django.contrib.auth.models.User). I want my site to support both Individual users and Business users, so in this case it's:
class BusinessUser(User):
website = models.CharField(max_length=20)
objects = UserManager()
I have a register form that saves a user as a User and another one that saves my user as a BusinessUser. The problematic case is the BusinessUser:
I have checked through the Django console that both an User and a BusinessUser object exists after registration of a BusinessUser, and all fields are fine (username, email, password).
However, on my login page, I cannot login with my BusinessUser's. I can login fine with the normal User's registered, but not BusinessUser's.
Does anyone know what might be wrong?
Thank you.
Custom authentification backend should be used when django's User subclassed
You can see example here
I haven't tested this, but I believe this will work.
You subclassed User. Don't do that ever. Use profiles to add additional data, and if you really need two separate models (say for having two separate views for individual and business users in the admin) create proxy models and custom managers that filter only individual or business users from User.