Original poster: jieforest

Implementing user authentication in the Django framework

21# Original poster | Posted on 2012-12-13 12:36
Creating superusers

manage.py syncdb prompts you to create a superuser the first time you run it after adding 'django.contrib.auth' to your INSTALLED_APPS. If you need to create a superuser at a later date, you can use a command line utility:
    manage.py createsuperuser --username=joe --email=joe@example.com
You will be prompted for a password. After you enter one, the user will be created immediately. If you leave off the --username or the --email options, it will prompt you for those values.

If you're using an older release of Django, the old way of creating a superuser on the command line still works:
    python /path/to/django/contrib/auth/create_superuser.py

22# Original poster | Posted on 2012-12-13 12:37
...where /path/to is the path to the Django codebase on your filesystem. The manage.py command is preferred because it figures out the correct path and environment for you.

Storing additional information about users

Deprecated in Django 1.5: With the introduction of custom User models, the use of AUTH_PROFILE_MODULE to define a single profile model is no longer supported. See the Django 1.5 release notes for more information.

If you'd like to store additional information related to your users, Django provides a method to specify a site-specific related model -- termed a "user profile" -- for this purpose.

To make use of this feature, define a model with fields for the additional information you'd like to store, or additional methods you'd like to have available, and also add a OneToOneField named user from your model to the User model. This will ensure only one instance of your model can be created for each User. For example:
    from django.contrib.auth.models import User
    from django.db import models

    class UserProfile(models.Model):
        # This field is required.
        user = models.OneToOneField(User)

        # Other fields here
        accepted_eula = models.BooleanField()
        favorite_animal = models.CharField(max_length=20, default="Dragons.")

23# Original poster | Posted on 2012-12-13 12:38
To indicate that this model is the user profile model for a given site, fill in the setting AUTH_PROFILE_MODULE with a string consisting of the following items, separated by a dot:

The name of the application (case sensitive) in which the user profile model is defined (in other words, the name which was passed to manage.py startapp to create the application).

The name of the model (not case sensitive) class.

For example, if the profile model was a class named UserProfile and was defined inside an application named accounts, the appropriate setting would be:
    AUTH_PROFILE_MODULE = 'accounts.UserProfile'

24# Original poster | Posted on 2012-12-13 12:38
When a user profile model has been defined and specified in this manner, each User object will have a method -- get_profile() -- which returns the instance of the user profile model associated with that User.

The method get_profile() does not create a profile if one does not exist. You need to register a handler for the User model's django.db.models.signals.post_save signal and, in the handler, if created is True, create the associated user profile:
    # in models.py

    from django.contrib.auth.models import User
    from django.db.models.signals import post_save

    # definition of UserProfile from above
    # ...

    def create_user_profile(sender, instance, created, **kwargs):
        if created:
            UserProfile.objects.create(user=instance)

    post_save.connect(create_user_profile, sender=User)

25# Original poster | Posted on 2012-12-13 12:38
See also

Signals for more information on Django's signal dispatcher.

Adding UserProfile fields to the admin

To add the UserProfile fields to the user page in the admin, define an InlineModelAdmin (for this example, we'll use a StackedInline) in your app's admin.py and add it to a UserAdmin class which is registered with the User class:
    from django.contrib import admin
    from django.contrib.auth.admin import UserAdmin
    from django.contrib.auth.models import User

    from my_user_profile_app.models import UserProfile

    # Define an inline admin descriptor for UserProfile model
    # which acts a bit like a singleton
    class UserProfileInline(admin.StackedInline):
        model = UserProfile
        can_delete = False
        verbose_name_plural = 'profile'

    # Define a new User admin
    class UserAdmin(UserAdmin):
        inlines = (UserProfileInline, )

    # Re-register UserAdmin
    admin.site.unregister(User)
    admin.site.register(User, UserAdmin)

26# Original poster | Posted on 2012-12-14 09:45
Authentication in Web requests

Until now, this document has dealt with the low-level APIs for manipulating authentication-related objects. On a higher level, Django can hook this authentication framework into its system of request objects.

First, install the SessionMiddleware and AuthenticationMiddleware middlewares by adding them to your MIDDLEWARE_CLASSES setting. See the session documentation for more information.

Once you have those middlewares installed, you'll be able to access request.user in views. request.user will give you a User object representing the currently logged-in user. If a user isn't currently logged in, request.user will be set to an instance of AnonymousUser (see the previous section). You can tell them apart with is_authenticated(), like so:
    if request.user.is_authenticated():
        # Do something for authenticated users.
        pass
    else:
        # Do something for anonymous users.
        pass

27# Original poster | Posted on 2012-12-14 09:46
How to log a user in

Django provides two functions in django.contrib.auth: authenticate() and login().

authenticate()

To authenticate a given username and password, use authenticate(). It takes two keyword arguments, username and password, and it returns a User object if the password is valid for the given username. If the password is invalid, authenticate() returns None. Example:
    from django.contrib.auth import authenticate
    user = authenticate(username='john', password='secret')
    if user is not None:
        if user.is_active:
            print("You provided a correct username and password!")
        else:
            print("Your account has been disabled!")
    else:
        print("Your username and password were incorrect.")

28# Original poster | Posted on 2012-12-14 09:46
login()

To log a user in, in a view, use login(). It takes an HttpRequest object and a User object. login() saves the user's ID in the session, using Django's session framework, so, as mentioned above, you'll need to make sure to have the session middleware installed.

Note that data set during the anonymous session is retained when the user logs in.

This example shows how you might use both authenticate() and login():
    from django.contrib.auth import authenticate, login

    def my_view(request):
        username = request.POST['username']
        password = request.POST['password']
        user = authenticate(username=username, password=password)
        if user is not None:
            if user.is_active:
                login(request, user)
                # Redirect to a success page.
            else:
                # Return a 'disabled account' error message
                pass
        else:
            # Return an 'invalid login' error message.
            pass

29# Original poster | Posted on 2012-12-14 09:47
Calling authenticate() first

When you're manually logging a user in, you must call authenticate() before you call login(). authenticate() sets an attribute on the User noting which authentication backend successfully authenticated that user (see the backends documentation for details), and this information is needed later during the login process.

Manually managing a user's password

New in Django 1.4: The django.contrib.auth.hashers module provides a set of functions to create and validate hashed passwords. You can use them independently from the User model.

30# Original poster | Posted on 2012-12-14 09:47
check_password(password, encoded)

New in Django 1.4: Please see the release notes

If you'd like to manually authenticate a user by comparing a plain-text password to the hashed password in the database, use the convenience function django.contrib.auth.hashers.check_password(). It takes two arguments: the plain-text password to check, and the full value of a user's password field in the database to check against, and returns True if they match, False otherwise.
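
Added illustration, not part of the original post and not Django's own code: a standard-library sketch of why check_password() needs the full value of the password field. It assumes the field uses the PBKDF2-SHA256 layout algorithm$iterations$salt$hash; the names encode_password and verify_password, the iteration counts and the sample password are constructed for this example.

```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"  # the only hasher this sketch understands


def encode_password(password, salt=None, iterations=10000):
    """Build a value laid out as algorithm$iterations$salt$hash."""
    if salt is None:
        salt = os.urandom(8).hex()  # random per-password salt, no '$' in it
    if "$" in salt:
        raise ValueError("salt must not contain '$'")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("utf-8"), iterations)
    b64 = base64.b64encode(digest).decode("ascii")
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt, b64)


def verify_password(password, encoded):
    """Return True only if password matches the full encoded field value."""
    try:
        algorithm, iterations, salt, expected = encoded.split("$", 3)
        iterations = int(iterations)
    except (AttributeError, ValueError):
        return False  # not in the four-part form (for instance a bare hash)
    if algorithm != ALGORITHM or iterations < 1:
        return False
    # Salt and iteration count come from the stored value, not from the caller.
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("utf-8"), iterations)
    candidate = base64.b64encode(digest).decode("ascii")
    # Constant-time comparison so timing does not reveal how much matched.
    return hmac.compare_digest(candidate.encode("ascii"), expected.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample values.
    stored = encode_password("secret", salt="a1b2c3d4", iterations=1000)
    print(stored)
    print(verify_password("secret", stored), verify_password("guess", stored))
```

Because the salt and iteration count travel inside the stored string, passing only the trailing hash portion cannot be verified and is rejected.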
