Django框架中的用户认证的实现

jieforest · 发表于 2012-12-15 22:13

make_password(password[, salt, hashers])

New in Django 1.4: Please see the release notes

Creates a hashed password in the format used by this application.

It takes one mandatory argument: the password in plain-text. Optionally, you can provide a salt and a hashing algorithm to use, if you don't want to use the defaults (first entry of PASSWORD_HASHERS setting).

Currently supported algorithms are: 'pbkdf2_sha256', 'pbkdf2_sha1', 'bcrypt' (see Using bcrypt with Django), 'sha1', 'md5', 'unsalted_md5' (only for backward compatibility) and 'crypt' if you have the crypt library installed.

If the password argument is None, an unusable password is returned (a one that will be never accepted by django.contrib.auth.hashers.check_password()).

jieforest · 发表于 2012-12-15 22:13

is_password_usable(encoded_password)

New in Django 1.4: Please see the release notes

Checks if the given string is a hashed password that has a chance of being verified

againstdjango.contrib.auth.hashers.check_password().

How to log a user out

logout()

To log out a user who has been logged in via django.contrib.auth.login(), use django.contrib.auth.logout() within your view. It takes an HttpRequest object and has no return value. Example:

from django.contrib.auth import logout
def logout_view(request):
logout(request)
# Redirect to a success page.

复制代码

jieforest · 发表于 2012-12-15 22:14

Note that logout() doesn't throw any errors if the user wasn't logged in.

When you call logout(), the session data for the current request is completely cleaned out. All existing data is removed. This is to prevent another person from using the same Web browser to log in and have access to the previous user's session data.

If you want to put anything into the session that will be available to the user immediately after logging out, do thatafter calling django.contrib.auth.logout().

Login and logout signals

The auth framework uses two signals that can be used for notification when a user logs in or out.

jieforest · 发表于 2012-12-15 22:14

django.contrib.auth.signals.user_logged_in

Sent when a user logs in successfully.

Arguments sent with this signal:

sender

The class of the user that just logged in.

request

The current HttpRequest instance.

user

The user instance that just logged in.

jieforest · 发表于 2012-12-15 22:15

django.contrib.auth.signals.user_logged_out

Sent when the logout method is called.

sender

As above: the class of the user that just logged out or None if the user was not authenticated.

request

The current HttpRequest instance.

user

The user instance that just logged out or None if the user was not authenticated.

jieforest · 发表于 2012-12-16 13:20

django.contrib.auth.signals.user_login_failed

New in Django 1.5: Please see the release notes

Sent when the user failed to login successfully

sender

The name of the module used for authentication.

credentials

A dictonary of keyword arguments containing the user credentials that were passed to authenticate() or your own custom authentication backend. Credentials matching a set of 'sensitive' patterns, (including password) will not be sent in the clear as part of the signal.

jieforest · 发表于 2012-12-16 13:21

Limiting access to logged-in users

The raw way

The simple, raw way to limit access to pages is to check request.user.is_authenticated() and either redirect to a login page:

from django.http import HttpResponseRedirect
def my_view(request):
if not request.user.is_authenticated():
return HttpResponseRedirect('/login/?next=%s' % request.path)
# ...

复制代码

jieforest · 发表于 2012-12-16 13:21

...or display an error message:

def my_view(request):
if not request.user.is_authenticated():
return render_to_response('myapp/login_error.html')
# ...

复制代码

The login_required decorator

decorators.login_required([redirect_field_name=REDIRECT_FIELD_NAME, login_url=None])

jieforest · 发表于 2012-12-16 13:22

As a shortcut, you can use the convenient login_required() decorator:

from django.contrib.auth.decorators import login_required
@login_required
def my_view(request):
...

复制代码

login_required() does the following:

1. If the user isn't logged in, redirect to settings.LOGIN_URL, passing the current absolute path in the query string.

Example:/accounts/login/?next=/polls/3/.

2. If the user is logged in, execute the view normally. The view code is free to assume the user is logged in.

jieforest · 发表于 2012-12-16 13:22

By default, the path that the user should be redirected to upon successful authentication is stored in a query string parameter called "next". If you would prefer to use a different name for this parameter, login_required() takes an optionalredirect_field_name parameter:

from django.contrib.auth.decorators import login_required
@login_required(redirect_field_name='my_redirect_field')
def my_view(request):
...

复制代码

Note that if you provide a value to redirect_field_name, you will most likely need to customize your login template as well, since the template context variable which stores the redirect path will use the value of redirect_field_name as its key rather than "next" (the default).