Original poster: jieforest

Implementing user authentication in the Django framework

51#
Original poster | Posted on 2012-12-22 21:11
Built-in forms

If you don't want to use the built-in views, but want the convenience of not having to write forms for this functionality, the authentication system provides several built-in forms located in django.contrib.auth.forms:

class AdminPasswordChangeForm
A form used in the admin interface to change a user's password.

class AuthenticationForm
A form for logging a user in.

class PasswordChangeForm
A form for allowing a user to change their password.

class PasswordResetForm
A form for generating and emailing a one-time use link to reset a user's password.

class SetPasswordForm
A form that lets a user change his/her password without entering the old password.

class UserChangeForm
A form used in the admin interface to change a user's information and permissions.

class UserCreationForm
A form for creating a new user.

52#
Original poster | Posted on 2012-12-22 21:12
Limiting access to logged-in users that pass a test

To limit access based on certain permissions or some other test, you'd do essentially the same thing as described in the previous section.

The simple way is to run your test on request.user in the view directly. For example, this view checks to make sure the user is logged in and has the permission polls.can_vote:

    from django.http import HttpResponse

    def my_view(request):
        # has_perm() is False for anonymous users, so this also rejects them
        if not request.user.has_perm('polls.can_vote'):
            return HttpResponse("You can't vote in this poll.")
        # ...

user_passes_test(func[, login_url=None])

As a shortcut, you can use the convenient user_passes_test decorator:

    from django.contrib.auth.decorators import user_passes_test

    @user_passes_test(lambda u: u.has_perm('polls.can_vote'))
    def my_view(request):
        ...

53#
Original poster | Posted on 2012-12-22 21:12
We're using this particular test as a relatively simple example. However, if you just want to test whether a permission is available to a user, you can use the permission_required() decorator, described later in this document.

user_passes_test() takes a required argument: a callable that takes a User object and returns True if the user is allowed to view the page. Note that user_passes_test() does not automatically check that the User is not anonymous.

user_passes_test() takes an optional login_url argument, which lets you specify the URL for your login page (settings.LOGIN_URL by default).

For example:

    from django.contrib.auth.decorators import user_passes_test

    @user_passes_test(lambda u: u.has_perm('polls.can_vote'), login_url='/login/')
    def my_view(request):
        ...

54#
Original poster | Posted on 2012-12-22 21:13
The permission_required decorator

permission_required([login_url=None, raise_exception=False])

It's a relatively common task to check whether a user has a particular permission. For that reason, Django provides a shortcut for that case: the permission_required() decorator. Using this decorator, the earlier example can be written as:

    from django.contrib.auth.decorators import permission_required

    @permission_required('polls.can_vote')
    def my_view(request):
        ...

As for the User.has_perm() method, permission names take the form "<app label>.<permission codename>" (i.e. polls.can_vote for a permission on a model in the polls application).

55#
Original poster | Posted on 2012-12-22 21:14
Note that permission_required() also takes an optional login_url parameter. Example:

    from django.contrib.auth.decorators import permission_required

    @permission_required('polls.can_vote', login_url='/loginpage/')
    def my_view(request):
        ...

As in the login_required() decorator, login_url defaults to settings.LOGIN_URL.

Changed in Django 1.4: Please see the release notes

Added raise_exception parameter. If given, the decorator will raise PermissionDenied, prompting the 403 (HTTP Forbidden) view instead of redirecting to the login page.

Applying permissions to generic views

To apply a permission to a class-based generic view, decorate the View.dispatch method on the class. See Decorating the class for details.

56#
Original poster | Posted on 2012-12-23 23:52
Template context:
title: The string "Logged out", localized.
site: The current Site, according to the SITE_ID setting. If you don't have the site framework installed, this will be set to an instance of RequestSite, which derives the site name and domain from the current HttpRequest.
site_name: An alias for site.name. If you don't have the site framework installed, this will be set to the value of request.META['SERVER_NAME']. For more on sites, see The "sites" framework.
logout_then_login(request[, login_url])
Logs a user out, then redirects to the login page.
URL name: No default URL provided
Optional arguments:
login_url: The URL of the login page to redirect to. Defaults to settings.LOGIN_URL if not supplied.

57#
Original poster | Posted on 2012-12-23 23:52
Last edited by jieforest on 2012-12-23 23:53

nge their password.
URL name: password_change
Optional arguments:
§ template_name: The full name of a template to use for displaying the password change form. Defaults to registration/password_change_form.html if not supplied.
§ post_change_redirect: The URL to redirect to after a successful password change.
§ password_change_form: A custom "change password" form which must accept a user keyword argument. The form is responsible for actually changing the user's password. Defaults to PasswordChangeForm.
Template context:
§ form: The password change form (see password_change_form above).
password_change_done(request[, template_name])
The page shown after a user has changed their password.
URL name: password_change_done
Optional arguments:
§ template_name: The full name of a template to use. Defaults to registration/password_change_done.html if not supplied.

58#
Original poster | Posted on 2012-12-23 23:53
password_reset(request[, is_admin_site, template_name, email_template_name, password_reset_form, token_generator, post_reset_redirect, from_email])
Allows a user to reset their password by generating a one-time use link that can be used to reset the password, and sending that link to the user's registered email address.
Changed in Django 1.4: Users flagged with an unusable password (see set_unusable_password()) will not be able to request a password reset to prevent misuse when using an external authentication source like LDAP.
URL name: password_reset
Optional arguments:
template_name: The full name of a template to use for displaying the password reset form. Defaults to registration/password_reset_form.html if not supplied.
email_template_name: The full name of a template to use for generating the email with the reset password link. Defaults to registration/password_reset_email.html if not supplied.
subject_template_name: The full name of a template to use for the subject of the email with the reset password link. Defaults to registration/password_reset_subject.txt if not supplied.

59#
Original poster | Posted on 2012-12-23 23:54
New in Django 1.4: Please see the release notes
password_reset_form: Form that will be used to get the email of the user to reset the password for. Defaults to PasswordResetForm.
token_generator: Instance of the class to check the one time link. This will default to default_token_generator, it's an instance of django.contrib.auth.tokens.PasswordResetTokenGenerator.
post_reset_redirect: The URL to redirect to after a successful password reset request.
from_email: A valid email address. By default Django uses the DEFAULT_FROM_EMAIL.
Template context:
form: The form (see password_reset_form above) for resetting the user's password.
Email template context:
email: An alias for user.email
user: The current User, according to the email form field. Only active users are able to reset their passwords (User.is_active is True).
site_name: An alias for site.name. If you don't have the site framework installed, this will be set to the value of request.META['SERVER_NAME']. For more on sites, see The "sites" framework.
domain: An alias for site.domain. If you don't have the site framework installed, this will be set to the value of request.get_host().
protocol: http or https
uid: The user's id encoded in base 36.
token: Token to check that the reset link is valid.

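Added example (not part of the original post, and not Django's source code): a simplified standard-library model of the idea behind the uid and token values described above, showing why a reset link stops working once the password changes or the link ages out. SECRET, TIMEOUT_DAYS, the "|" separator, the SHA-256 choice and the USER record are assumptions made for this sketch.

```python
import hashlib
import hmac
from datetime import date

SECRET = b"constructed-demo-secret"  # assumption: stands in for settings.SECRET_KEY
TIMEOUT_DAYS = 3                     # assumption: how long a link stays valid
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"

def int_to_base36(n):
    """Encode a non-negative int the way the `uid` in the link is encoded."""
    if n < 0:
        raise ValueError("negative value")
    out = ""
    while True:
        n, r = divmod(n, 36)
        out = DIGITS[r] + out
        if n == 0:
            return out

def base36_to_int(s):
    """Decode base 36, rejecting empty, oversized or non-base36 input."""
    if not s or len(s) > 13 or any(c not in DIGITS for c in s):
        raise ValueError("not a base36 value")
    return int(s, 36)

def _days(today):
    return (today - date(2001, 1, 1)).days

def _mac(user, ts):
    # The MAC covers state that changes when the link is used: a new password
    # hash (or a newer last_login) makes every older token stop verifying.
    msg = "|".join([str(user["id"]), user["password_hash"], user["last_login"], str(ts)])
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()[:20]

def make_token(user, today):
    ts = _days(today)
    return "%s-%s" % (int_to_base36(ts), _mac(user, ts))

def check_token(user, token, today):
    try:
        ts_b36, mac = token.split("-")
        ts = base36_to_int(ts_b36)
    except ValueError:
        return False  # malformed token
    if not hmac.compare_digest(mac.encode(), _mac(user, ts).encode()):
        return False  # tampered, or user state changed since issue
    return 0 <= _days(today) - ts <= TIMEOUT_DAYS

# Constructed sample user (not real data).
USER = {"id": 1295, "password_hash": "pbkdf2_sha256$constructed$old",
        "last_login": "2012-12-20 10:00:00"}
```

No token is stored server-side in this model: validity is recomputed from the user's current state on every check, which is what makes the link single-use.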
60#
Original poster | Posted on 2012-12-23 23:54
Sample registration/password_reset_email.html (email body template):
Someone asked for password reset for email {{ email }}. Follow the link below:
{{ protocol}}://{{ domain }}{% url 'password_reset_confirm' uidb36=uid token=token %}

The same template context is used for subject template. Subject must be single line plain text string.
password_reset_done(request[, template_name])
The page shown after a user has been emailed a link to reset their password. This view is called by default if the password_reset() view doesn't have an explicit post_reset_redirect URL set.
URL name: password_reset_done
Optional arguments:
template_name: The full name of a template to use. Defaults to registration/password_reset_done.html if not supplied.
