1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099 |
- ====================================
- Customizing authentication in Django
- ====================================
- The authentication that comes with Django is good enough for most common cases,
- but you may have needs not met by the out-of-the-box defaults. To customize
- authentication to your projects needs involves understanding what points of the
- provided system are extendible or replaceable. This document provides details
- about how the auth system can be customized.
- :ref:`Authentication backends <authentication-backends>` provide an extensible
- system for when a username and password stored with the User model need
- to be authenticated against a different service than Django's default.
- You can give your models :ref:`custom permissions <custom-permissions>` that can be
- checked through Django's authorization system.
- You can :ref:`extend <extending-user>` the default User model, or :ref:`substitute
- <auth-custom-user>` a completely customized model.
- .. _authentication-backends:
- Other authentication sources
- ============================
- There may be times you have the need to hook into another authentication source
- -- that is, another source of usernames and passwords or authentication
- methods.
- For example, your company may already have an LDAP setup that stores a username
- and password for every employee. It'd be a hassle for both the network
- administrator and the users themselves if users had separate accounts in LDAP
- and the Django-based applications.
- So, to handle situations like this, the Django authentication system lets you
- plug in other authentication sources. You can override Django's default
- database-based scheme, or you can use the default system in tandem with other
- systems.
- See the :ref:`authentication backend reference
- <authentication-backends-reference>` for information on the authentication
- backends included with Django.
- Specifying authentication backends
- ----------------------------------
- Behind the scenes, Django maintains a list of "authentication backends" that it
- checks for authentication. When somebody calls
- :func:`django.contrib.auth.authenticate()` -- as described in :ref:`How to log
- a user in <how-to-log-a-user-in>` -- Django tries authenticating across
- all of its authentication backends. If the first authentication method fails,
- Django tries the second one, and so on, until all backends have been attempted.
- The list of authentication backends to use is specified in the
- :setting:`AUTHENTICATION_BACKENDS` setting. This should be a tuple of Python
- path names that point to Python classes that know how to authenticate. These
- classes can be anywhere on your Python path.
- By default, :setting:`AUTHENTICATION_BACKENDS` is set to::
- ('django.contrib.auth.backends.ModelBackend',)
- That's the basic authentication backend that checks the Django users database
- and queries the built-in permissions. It does not provide protection against
- brute force attacks via any rate limiting mechanism. You may either implement
- your own rate limiting mechanism in a custom auth backend, or use the
- mechanisms provided by most Web servers.
- The order of :setting:`AUTHENTICATION_BACKENDS` matters, so if the same
- username and password is valid in multiple backends, Django will stop
- processing at the first positive match.
- .. note::
- Once a user has authenticated, Django stores which backend was used to
- authenticate the user in the user's session, and re-uses the same backend
- for the duration of that session whenever access to the currently
- authenticated user is needed. This effectively means that authentication
- sources are cached on a per-session basis, so if you change
- :setting:`AUTHENTICATION_BACKENDS`, you'll need to clear out session data if
- you need to force users to re-authenticate using different methods. A simple
- way to do that is simply to execute ``Session.objects.all().delete()``.
- .. versionadded:: 1.6
- If a backend raises a :class:`~django.core.exceptions.PermissionDenied`
- exception, authentication will immediately fail. Django won't check the
- backends that follow.
- Writing an authentication backend
- ---------------------------------
- An authentication backend is a class that implements two required methods:
- ``get_user(user_id)`` and ``authenticate(**credentials)``, as well as a set of
- optional permission related :ref:`authorization methods <authorization_methods>`.
- The ``get_user`` method takes a ``user_id`` -- which could be a username,
- database ID or whatever, but has to be the primary key of your ``User`` object
- -- and returns a ``User`` object.
- The ``authenticate`` method takes credentials as keyword arguments. Most of
- the time, it'll just look like this::
- class MyBackend(object):
- def authenticate(self, username=None, password=None):
- # Check the username/password and return a User.
- ...
- But it could also authenticate a token, like so::
- class MyBackend(object):
- def authenticate(self, token=None):
- # Check the token and return a User.
- ...
- Either way, ``authenticate`` should check the credentials it gets, and it
- should return a ``User`` object that matches those credentials, if the
- credentials are valid. If they're not valid, it should return ``None``.
- The Django admin system is tightly coupled to the Django ``User`` object
- described at the beginning of this document. For now, the best way to deal with
- this is to create a Django ``User`` object for each user that exists for your
- backend (e.g., in your LDAP directory, your external SQL database, etc.) You
- can either write a script to do this in advance, or your ``authenticate``
- method can do it the first time a user logs in.
- Here's an example backend that authenticates against a username and password
- variable defined in your ``settings.py`` file and creates a Django ``User``
- object the first time a user authenticates::
- from django.conf import settings
- from django.contrib.auth.models import User, check_password
- class SettingsBackend(object):
- """
- Authenticate against the settings ADMIN_LOGIN and ADMIN_PASSWORD.
- Use the login name, and a hash of the password. For example:
- ADMIN_LOGIN = 'admin'
- ADMIN_PASSWORD = 'sha1$4e987$afbcf42e21bd417fb71db8c66b321e9fc33051de'
- """
- def authenticate(self, username=None, password=None):
- login_valid = (settings.ADMIN_LOGIN == username)
- pwd_valid = check_password(password, settings.ADMIN_PASSWORD)
- if login_valid and pwd_valid:
- try:
- user = User.objects.get(username=username)
- except User.DoesNotExist:
- # Create a new user. Note that we can set password
- # to anything, because it won't be checked; the password
- # from settings.py will.
- user = User(username=username, password='get from settings.py')
- user.is_staff = True
- user.is_superuser = True
- user.save()
- return user
- return None
- def get_user(self, user_id):
- try:
- return User.objects.get(pk=user_id)
- except User.DoesNotExist:
- return None
- .. _authorization_methods:
- Handling authorization in custom backends
- -----------------------------------------
- Custom auth backends can provide their own permissions.
- The user model will delegate permission lookup functions
- (:meth:`~django.contrib.auth.models.User.get_group_permissions()`,
- :meth:`~django.contrib.auth.models.User.get_all_permissions()`,
- :meth:`~django.contrib.auth.models.User.has_perm()`, and
- :meth:`~django.contrib.auth.models.User.has_module_perms()`) to any
- authentication backend that implements these functions.
- The permissions given to the user will be the superset of all permissions
- returned by all backends. That is, Django grants a permission to a user that
- any one backend grants.
- The simple backend above could implement permissions for the magic admin
- fairly simply::
- class SettingsBackend(object):
- ...
- def has_perm(self, user_obj, perm, obj=None):
- if user_obj.username == settings.ADMIN_LOGIN:
- return True
- else:
- return False
- This gives full permissions to the user granted access in the above example.
- Notice that in addition to the same arguments given to the associated
- :class:`django.contrib.auth.models.User` functions, the backend auth functions
- all take the user object, which may be an anonymous user, as an argument.
- A full authorization implementation can be found in the ``ModelBackend`` class
- in `django/contrib/auth/backends.py`_, which is the default backend and queries
- the ``auth_permission`` table most of the time. If you wish to provide
- custom behavior for only part of the backend API, you can take advantage of
- Python inheritance and subclass ``ModelBackend`` instead of implementing the
- complete API in a custom backend.
- .. _django/contrib/auth/backends.py: https://github.com/django/django/blob/master/django/contrib/auth/backends.py
- .. _anonymous_auth:
- Authorization for anonymous users
- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- An anonymous user is one that is not authenticated i.e. they have provided no
- valid authentication details. However, that does not necessarily mean they are
- not authorized to do anything. At the most basic level, most Web sites
- authorize anonymous users to browse most of the site, and many allow anonymous
- posting of comments etc.
- Django's permission framework does not have a place to store permissions for
- anonymous users. However, the user object passed to an authentication backend
- may be an :class:`django.contrib.auth.models.AnonymousUser` object, allowing
- the backend to specify custom authorization behavior for anonymous users. This
- is especially useful for the authors of re-usable apps, who can delegate all
- questions of authorization to the auth backend, rather than needing settings,
- for example, to control anonymous access.
- .. _inactive_auth:
- Authorization for inactive users
- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- An inactive user is a one that is authenticated but has its attribute
- ``is_active`` set to ``False``. However this does not mean they are not
- authorized to do anything. For example they are allowed to activate their
- account.
- The support for anonymous users in the permission system allows for a scenario
- where anonymous users have permissions to do something while inactive
- authenticated users do not.
- Do not forget to test for the ``is_active`` attribute of the user in your own
- backend permission methods.
- Handling object permissions
- ~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Django's permission framework has a foundation for object permissions, though
- there is no implementation for it in the core. That means that checking for
- object permissions will always return ``False`` or an empty list (depending on
- the check performed). An authentication backend will receive the keyword
- parameters ``obj`` and ``user_obj`` for each object related authorization
- method and can return the object level permission as appropriate.
- .. _custom-permissions:
- Custom permissions
- ==================
- To create custom permissions for a given model object, use the ``permissions``
- :ref:`model Meta attribute <meta-options>`.
- This example Task model creates three custom permissions, i.e., actions users
- can or cannot do with Task instances, specific to your application::
- class Task(models.Model):
- ...
- class Meta:
- permissions = (
- ("view_task", "Can see available tasks"),
- ("change_task_status", "Can change the status of tasks"),
- ("close_task", "Can remove a task by setting its status as closed"),
- )
- The only thing this does is create those extra permissions when you run
- :djadmin:`manage.py migrate <migrate>`. Your code is in charge of checking the
- value of these permissions when a user is trying to access the functionality
- provided by the application (viewing tasks, changing the status of tasks,
- closing tasks.) Continuing the above example, the following checks if a user may
- view tasks::
- user.has_perm('app.view_task')
- .. _extending-user:
- Extending the existing User model
- =================================
- There are two ways to extend the default
- :class:`~django.contrib.auth.models.User` model without substituting your own
- model. If the changes you need are purely behavioral, and don't require any
- change to what is stored in the database, you can create a :ref:`proxy model
- <proxy-models>` based on :class:`~django.contrib.auth.models.User`. This
- allows for any of the features offered by proxy models including default
- ordering, custom managers, or custom model methods.
- If you wish to store information related to ``User``, you can use a :ref:`one-to-one
- relationship <ref-onetoone>` to a model containing the fields for
- additional information. This one-to-one model is often called a profile model,
- as it might store non-auth related information about a site user. For example
- you might create an Employee model::
- from django.contrib.auth.models import User
- class Employee(models.Model):
- user = models.OneToOneField(User)
- department = models.CharField(max_length=100)
- Assuming an existing Employee Fred Smith who has both a User and Employee
- model, you can access the related information using Django's standard related
- model conventions::
- >>> u = User.objects.get(username='fsmith')
- >>> freds_department = u.employee.department
- To add a profile model's fields to the user page in the admin, define an
- :class:`~django.contrib.admin.InlineModelAdmin` (for this example, we'll use a
- :class:`~django.contrib.admin.StackedInline`) in your app's ``admin.py`` and
- add it to a ``UserAdmin`` class which is registered with the
- :class:`~django.contrib.auth.models.User` class::
- from django.contrib import admin
- from django.contrib.auth.admin import UserAdmin
- from django.contrib.auth.models import User
- from my_user_profile_app.models import Employee
- # Define an inline admin descriptor for Employee model
- # which acts a bit like a singleton
- class EmployeeInline(admin.StackedInline):
- model = Employee
- can_delete = False
- verbose_name_plural = 'employee'
- # Define a new User admin
- class UserAdmin(UserAdmin):
- inlines = (EmployeeInline, )
- # Re-register UserAdmin
- admin.site.unregister(User)
- admin.site.register(User, UserAdmin)
- These profile models are not special in any way - they are just Django models that
- happen to have a one-to-one link with a User model. As such, they do not get
- auto created when a user is created, but
- a :attr:`django.db.models.signals.post_save` could be used to create or update
- related models as appropriate.
- Note that using related models results in additional queries or joins to
- retrieve the related data, and depending on your needs substituting the User
- model and adding the related fields may be your better option. However
- existing links to the default User model within your project's apps may justify
- the extra database load.
- .. _auth-custom-user:
- Substituting a custom User model
- ================================
- Some kinds of projects may have authentication requirements for which Django's
- built-in :class:`~django.contrib.auth.models.User` model is not always
- appropriate. For instance, on some sites it makes more sense to use an email
- address as your identification token instead of a username.
- Django allows you to override the default User model by providing a value for
- the :setting:`AUTH_USER_MODEL` setting that references a custom model::
- AUTH_USER_MODEL = 'myapp.MyUser'
- This dotted pair describes the name of the Django app (which must be in your
- :setting:`INSTALLED_APPS`), and the name of the Django model that you wish to
- use as your User model.
- .. warning::
- Changing :setting:`AUTH_USER_MODEL` has a big effect on your database
- structure. It changes the tables that are available, and it will affect the
- construction of foreign keys and many-to-many relationships. If you intend
- to set :setting:`AUTH_USER_MODEL`, you should set it before creating
- any migrations or running ``manage.py migrate`` for the first time.
- Changing this setting after you have tables created is not supported
- by :djadmin:`makemigrations` and will result in you having to manually
- write a set of migrations to fix your schema.
- Referencing the User model
- --------------------------
- .. currentmodule:: django.contrib.auth
- If you reference :class:`~django.contrib.auth.models.User` directly (for
- example, by referring to it in a foreign key), your code will not work in
- projects where the :setting:`AUTH_USER_MODEL` setting has been changed to a
- different User model.
- .. function:: get_user_model()
- Instead of referring to :class:`~django.contrib.auth.models.User` directly,
- you should reference the user model using
- ``django.contrib.auth.get_user_model()``. This method will return the
- currently active User model -- the custom User model if one is specified, or
- :class:`~django.contrib.auth.models.User` otherwise.
- When you define a foreign key or many-to-many relations to the User model,
- you should specify the custom model using the :setting:`AUTH_USER_MODEL`
- setting. For example::
- from django.conf import settings
- from django.db import models
- class Article(models.Model):
- author = models.ForeignKey(settings.AUTH_USER_MODEL)
- .. versionadded:: 1.7
- When connecting to signals sent by the User model, you should specify the
- custom model using the :setting:`AUTH_USER_MODEL` setting. For example::
- from django.conf import settings
- from django.db.models.signals import post_save
- def post_save_receiver(signal, sender, instance, **kwargs):
- pass
- post_save.connect(post_save_receiver, sender=settings.AUTH_USER_MODEL)
- Specifying a custom User model
- ------------------------------
- .. admonition:: Model design considerations
- Think carefully before handling information not directly related to
- authentication in your custom User Model.
- It may be better to store app-specific user information in a model
- that has a relation with the User model. That allows each app to specify
- its own user data requirements without risking conflicts with other
- apps. On the other hand, queries to retrieve this related information
- will involve a database join, which may have an effect on performance.
- Django expects your custom User model to meet some minimum requirements.
- 1. Your model must have an integer primary key.
- 2. Your model must have a single unique field that can be used for
- identification purposes. This can be a username, an email address,
- or any other unique attribute.
- 3. Your model must provide a way to address the user in a "short" and
- "long" form. The most common interpretation of this would be to use
- the user's given name as the "short" identifier, and the user's full
- name as the "long" identifier. However, there are no constraints on
- what these two methods return - if you want, they can return exactly
- the same value.
- The easiest way to construct a compliant custom User model is to inherit from
- :class:`~django.contrib.auth.models.AbstractBaseUser`.
- :class:`~django.contrib.auth.models.AbstractBaseUser` provides the core
- implementation of a ``User`` model, including hashed passwords and tokenized
- password resets. You must then provide some key implementation details:
- .. currentmodule:: django.contrib.auth
- .. class:: models.CustomUser
- .. attribute:: USERNAME_FIELD
- A string describing the name of the field on the User model that is
- used as the unique identifier. This will usually be a username of
- some kind, but it can also be an email address, or any other unique
- identifier. The field *must* be unique (i.e., have ``unique=True``
- set in its definition).
- In the following example, the field ``identifier`` is used
- as the identifying field::
- class MyUser(AbstractBaseUser):
- identifier = models.CharField(max_length=40, unique=True)
- ...
- USERNAME_FIELD = 'identifier'
- .. attribute:: REQUIRED_FIELDS
- A list of the field names that will be prompted for when creating a
- user via the :djadmin:`createsuperuser` management command. The user
- will be prompted to supply a value for each of these fields. It must
- include any field for which :attr:`~django.db.models.Field.blank` is
- ``False`` or undefined and may include additional fields you want
- prompted for when a user is created interactively. However, it will not
- work for :class:`~django.db.models.ForeignKey` fields.
- ``REQUIRED_FIELDS`` has no effect in other parts of Django, like
- creating a user in the admin.
- For example, here is the partial definition for a ``User`` model that
- defines two required fields - a date of birth and height::
- class MyUser(AbstractBaseUser):
- ...
- date_of_birth = models.DateField()
- height = models.FloatField()
- ...
- REQUIRED_FIELDS = ['date_of_birth', 'height']
- .. note::
- ``REQUIRED_FIELDS`` must contain all required fields on your
- ``User`` model, but should *not* contain the ``USERNAME_FIELD`` or
- ``password`` as these fields will always be prompted for.
- .. attribute:: is_active
- A boolean attribute that indicates whether the user is considered
- "active". This attribute is provided as an attribute on
- ``AbstractBaseUser`` defaulting to ``True``. How you choose to
- implement it will depend on the details of your chosen auth backends.
- See the documentation of the :attr:`is_active attribute on the built-in
- user model <django.contrib.auth.models.User.is_active>` for details.
- .. method:: get_full_name()
- A longer formal identifier for the user. A common interpretation
- would be the full name of the user, but it can be any string that
- identifies the user.
- .. method:: get_short_name()
- A short, informal identifier for the user. A common interpretation
- would be the first name of the user, but it can be any string that
- identifies the user in an informal way. It may also return the same
- value as :meth:`django.contrib.auth.models.User.get_full_name()`.
- The following methods are available on any subclass of
- :class:`~django.contrib.auth.models.AbstractBaseUser`:
- .. class:: models.AbstractBaseUser
- .. method:: get_username()
- Returns the value of the field nominated by ``USERNAME_FIELD``.
- .. method:: models.AbstractBaseUser.is_anonymous()
- Always returns ``False``. This is a way of differentiating
- from :class:`~django.contrib.auth.models.AnonymousUser` objects.
- Generally, you should prefer using
- :meth:`~django.contrib.auth.models.AbstractBaseUser.is_authenticated()` to this
- method.
- .. method:: models.AbstractBaseUser.is_authenticated()
- Always returns ``True``. This is a way to tell if the user has been
- authenticated. This does not imply any permissions, and doesn't check
- if the user is active - it only indicates that the user has provided a
- valid username and password.
- .. method:: models.AbstractBaseUser.set_password(raw_password)
- Sets the user's password to the given raw string, taking care of the
- password hashing. Doesn't save the
- :class:`~django.contrib.auth.models.AbstractBaseUser` object.
- When the raw_password is ``None``, the password will be set to an
- unusable password, as if
- :meth:`~django.contrib.auth.models.AbstractBaseUser.set_unusable_password()`
- were used.
- .. versionchanged:: 1.6
- In Django 1.4 and 1.5, a blank string was unintentionally stored
- as an unusable password as well.
- .. method:: models.AbstractBaseUser.check_password(raw_password)
- Returns ``True`` if the given raw string is the correct password for
- the user. (This takes care of the password hashing in making the
- comparison.)
- .. versionchanged:: 1.6
- In Django 1.4 and 1.5, a blank string was unintentionally
- considered to be an unusable password, resulting in this method
- returning ``False`` for such a password.
- .. method:: models.AbstractBaseUser.set_unusable_password()
- Marks the user as having no password set. This isn't the same as
- having a blank string for a password.
- :meth:`~django.contrib.auth.models.AbstractBaseUser.check_password()` for this user
- will never return ``True``. Doesn't save the
- :class:`~django.contrib.auth.models.AbstractBaseUser` object.
- You may need this if authentication for your application takes place
- against an existing external source such as an LDAP directory.
- .. method:: models.AbstractBaseUser.has_usable_password()
- Returns ``False`` if
- :meth:`~django.contrib.auth.models.AbstractBaseUser.set_unusable_password()` has
- been called for this user.
- You should also define a custom manager for your ``User`` model. If your
- ``User`` model defines ``username``, ``email``, ``is_staff``, ``is_active``,
- ``is_superuser``, ``last_login``, and ``date_joined`` fields the same as
- Django's default ``User``, you can just install Django's
- :class:`~django.contrib.auth.models.UserManager`; however, if your ``User``
- model defines different fields, you will need to define a custom manager that
- extends :class:`~django.contrib.auth.models.BaseUserManager` providing two
- additional methods:
- .. class:: models.CustomUserManager
- .. method:: models.CustomUserManager.create_user(*username_field*, password=None, \**other_fields)
- The prototype of ``create_user()`` should accept the username field,
- plus all required fields as arguments. For example, if your user model
- uses ``email`` as the username field, and has ``date_of_birth`` as a
- required field, then ``create_user`` should be defined as::
- def create_user(self, email, date_of_birth, password=None):
- # create user here
- ...
- .. method:: models.CustomUserManager.create_superuser(*username_field*, password, \**other_fields)
- The prototype of ``create_superuser()`` should accept the username
- field, plus all required fields as arguments. For example, if your user
- model uses ``email`` as the username field, and has ``date_of_birth``
- as a required field, then ``create_superuser`` should be defined as::
- def create_superuser(self, email, date_of_birth, password):
- # create superuser here
- ...
- Unlike ``create_user()``, ``create_superuser()`` *must* require the
- caller to provide a password.
- :class:`~django.contrib.auth.models.BaseUserManager` provides the following
- utility methods:
- .. class:: models.BaseUserManager
- .. method:: models.BaseUserManager.normalize_email(email)
- A ``classmethod`` that normalizes email addresses by lowercasing
- the domain portion of the email address.
- .. method:: models.BaseUserManager.get_by_natural_key(username)
- Retrieves a user instance using the contents of the field
- nominated by ``USERNAME_FIELD``.
- .. method:: models.BaseUserManager.make_random_password(length=10, allowed_chars='abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789')
- Returns a random password with the given length and given string of
- allowed characters. Note that the default value of ``allowed_chars``
- doesn't contain letters that can cause user confusion, including:
- * ``i``, ``l``, ``I``, and ``1`` (lowercase letter i, lowercase
- letter L, uppercase letter i, and the number one)
- * ``o``, ``O``, and ``0`` (lowercase letter o, uppercase letter o,
- and zero)
- Extending Django's default User
- -------------------------------
- If you're entirely happy with Django's :class:`~django.contrib.auth.models.User`
- model and you just want to add some additional profile information, you can
- simply subclass ``django.contrib.auth.models.AbstractUser`` and add your
- custom profile fields. This class provides the full implementation of the
- default :class:`~django.contrib.auth.models.User` as an :ref:`abstract model
- <abstract-base-classes>`.
- .. _custom-users-and-the-built-in-auth-forms:
- Custom users and the built-in auth forms
- ----------------------------------------
- As you may expect, built-in Django's :ref:`forms <built-in-auth-forms>` and
- :ref:`views <built-in-auth-views>` make certain assumptions about the user
- model that they are working with.
- If your user model doesn't follow the same assumptions, it may be necessary to define
- a replacement form, and pass that form in as part of the configuration of the
- auth views.
- * :class:`~django.contrib.auth.forms.UserCreationForm`
- Depends on the :class:`~django.contrib.auth.models.User` model.
- Must be re-written for any custom user model.
- * :class:`~django.contrib.auth.forms.UserChangeForm`
- Depends on the :class:`~django.contrib.auth.models.User` model.
- Must be re-written for any custom user model.
- * :class:`~django.contrib.auth.forms.AuthenticationForm`
- Works with any subclass of :class:`~django.contrib.auth.models.AbstractBaseUser`,
- and will adapt to use the field defined in ``USERNAME_FIELD``.
- * :class:`~django.contrib.auth.forms.PasswordResetForm`
- Assumes that the user model has an integer primary key, has a field named
- ``email`` that can be used to identify the user, and a boolean field
- named ``is_active`` to prevent password resets for inactive users.
- * :class:`~django.contrib.auth.forms.SetPasswordForm`
- Works with any subclass of :class:`~django.contrib.auth.models.AbstractBaseUser`
- * :class:`~django.contrib.auth.forms.PasswordChangeForm`
- Works with any subclass of :class:`~django.contrib.auth.models.AbstractBaseUser`
- * :class:`~django.contrib.auth.forms.AdminPasswordChangeForm`
- Works with any subclass of :class:`~django.contrib.auth.models.AbstractBaseUser`
- Custom users and :mod:`django.contrib.admin`
- --------------------------------------------
- If you want your custom User model to also work with Admin, your User model must
- define some additional attributes and methods. These methods allow the admin to
- control access of the User to admin content:
- .. class:: models.CustomUser
- .. attribute:: is_staff
- Returns ``True`` if the user is allowed to have access to the admin site.
- .. attribute:: is_active
- Returns ``True`` if the user account is currently active.
- .. method:: has_perm(perm, obj=None):
- Returns ``True`` if the user has the named permission. If ``obj`` is
- provided, the permission needs to be checked against a specific object
- instance.
- .. method:: has_module_perms(app_label):
- Returns ``True`` if the user has permission to access models in
- the given app.
- You will also need to register your custom User model with the admin. If
- your custom User model extends ``django.contrib.auth.models.AbstractUser``,
- you can use Django's existing ``django.contrib.auth.admin.UserAdmin``
- class. However, if your User model extends
- :class:`~django.contrib.auth.models.AbstractBaseUser`, you'll need to define
- a custom ``ModelAdmin`` class. It may be possible to subclass the default
- ``django.contrib.auth.admin.UserAdmin``; however, you'll need to
- override any of the definitions that refer to fields on
- ``django.contrib.auth.models.AbstractUser`` that aren't on your
- custom User class.
- Custom users and permissions
- ----------------------------
- To make it easy to include Django's permission framework into your own User
- class, Django provides :class:`~django.contrib.auth.models.PermissionsMixin`.
- This is an abstract model you can include in the class hierarchy for your User
- model, giving you all the methods and database fields necessary to support
- Django's permission model.
- :class:`~django.contrib.auth.models.PermissionsMixin` provides the following
- methods and attributes:
- .. class:: models.PermissionsMixin
- .. attribute:: models.PermissionsMixin.is_superuser
- Boolean. Designates that this user has all permissions without
- explicitly assigning them.
- .. method:: models.PermissionsMixin.get_group_permissions(obj=None)
- Returns a set of permission strings that the user has, through his/her
- groups.
- If ``obj`` is passed in, only returns the group permissions for
- this specific object.
- .. method:: models.PermissionsMixin.get_all_permissions(obj=None)
- Returns a set of permission strings that the user has, both through
- group and user permissions.
- If ``obj`` is passed in, only returns the permissions for this
- specific object.
- .. method:: models.PermissionsMixin.has_perm(perm, obj=None)
- Returns ``True`` if the user has the specified permission, where
- ``perm`` is in the format ``"<app label>.<permission codename>"`` (see
- :ref:`permissions <topic-authorization>`). If the user is inactive, this method will
- always return ``False``.
- If ``obj`` is passed in, this method won't check for a permission for
- the model, but for this specific object.
- .. method:: models.PermissionsMixin.has_perms(perm_list, obj=None)
- Returns ``True`` if the user has each of the specified permissions,
- where each perm is in the format
- ``"<app label>.<permission codename>"``. If the user is inactive,
- this method will always return ``False``.
- If ``obj`` is passed in, this method won't check for permissions for
- the model, but for the specific object.
- .. method:: models.PermissionsMixin.has_module_perms(package_name)
- Returns ``True`` if the user has any permissions in the given package
- (the Django app label). If the user is inactive, this method will
- always return ``False``.
- .. admonition:: ModelBackend
- If you don't include the
- :class:`~django.contrib.auth.models.PermissionsMixin`, you must ensure you
- don't invoke the permissions methods on ``ModelBackend``. ``ModelBackend``
- assumes that certain fields are available on your user model. If your User
- model doesn't provide those fields, you will receive database errors when
- you check permissions.
- Custom users and Proxy models
- -----------------------------
- One limitation of custom User models is that installing a custom User model
- will break any proxy model extending :class:`~django.contrib.auth.models.User`.
- Proxy models must be based on a concrete base class; by defining a custom User
- model, you remove the ability of Django to reliably identify the base class.
- If your project uses proxy models, you must either modify the proxy to extend
- the User model that is currently in use in your project, or merge your proxy's
- behavior into your User subclass.
- Custom users and signals
- ------------------------
- Another limitation of custom User models is that you can't use
- :func:`django.contrib.auth.get_user_model()` as the sender or target of a signal
- handler. Instead, you must register the handler with the resulting User model.
- See :doc:`/topics/signals` for more information on registering and sending
- signals.
- Custom users and testing/fixtures
- ---------------------------------
- If you are writing an application that interacts with the User model, you must
- take some precautions to ensure that your test suite will run regardless of
- the User model that is being used by a project. Any test that instantiates an
- instance of User will fail if the User model has been swapped out. This
- includes any attempt to create an instance of User with a fixture.
- To ensure that your test suite will pass in any project configuration,
- ``django.contrib.auth.tests.utils`` defines a ``@skipIfCustomUser`` decorator.
- This decorator will cause a test case to be skipped if any User model other
- than the default Django user is in use. This decorator can be applied to a
- single test, or to an entire test class.
- Depending on your application, tests may also be needed to be added to ensure
- that the application works with *any* user model, not just the default User
- model. To assist with this, Django provides two substitute user models that
- can be used in test suites:
- .. class:: tests.custom_user.CustomUser
- A custom user model that uses an ``email`` field as the username, and has a basic
- admin-compliant permissions setup
- .. class:: tests.custom_user.ExtensionUser
- A custom user model that extends ``django.contrib.auth.models.AbstractUser``,
- adding a ``date_of_birth`` field.
- You can then use the ``@override_settings`` decorator to make that test run
- with the custom User model. For example, here is a skeleton for a test that
- would test three possible User models -- the default, plus the two User
- models provided by ``auth`` app::
- from django.contrib.auth.tests.utils import skipIfCustomUser
- from django.contrib.auth.tests.custom_user import CustomUser, ExtensionUser
- from django.test import TestCase, override_settings
- class ApplicationTestCase(TestCase):
- @skipIfCustomUser
- def test_normal_user(self):
- "Run tests for the normal user model"
- self.assertSomething()
- @override_settings(AUTH_USER_MODEL='auth.CustomUser')
- def test_custom_user(self):
- "Run tests for a custom user model with email-based authentication"
- self.assertSomething()
- @override_settings(AUTH_USER_MODEL='auth.ExtensionUser')
- def test_extension_user(self):
- "Run tests for a simple extension of the built-in User."
- self.assertSomething()
- .. versionchanged:: 1.6
- In Django 1.5, it wasn't necessary to explicitly import the test User models.
- A full example
- --------------
- Here is an example of an admin-compliant custom user app. This user model uses
- an email address as the username, and has a required date of birth; it
- provides no permission checking, beyond a simple ``admin`` flag on the user
- account. This model would be compatible with all the built-in auth forms and
- views, except for the User creation forms. This example illustrates how most of
- the components work together, but is not intended to be copied directly into
- projects for production use.
- This code would all live in a ``models.py`` file for a custom
- authentication app::
- from django.db import models
- from django.contrib.auth.models import (
- BaseUserManager, AbstractBaseUser
- )
- class MyUserManager(BaseUserManager):
- def create_user(self, email, date_of_birth, password=None):
- """
- Creates and saves a User with the given email, date of
- birth and password.
- """
- if not email:
- raise ValueError('Users must have an email address')
- user = self.model(
- email=self.normalize_email(email),
- date_of_birth=date_of_birth,
- )
- user.set_password(password)
- user.save(using=self._db)
- return user
- def create_superuser(self, email, date_of_birth, password):
- """
- Creates and saves a superuser with the given email, date of
- birth and password.
- """
- user = self.create_user(email,
- password=password,
- date_of_birth=date_of_birth
- )
- user.is_admin = True
- user.save(using=self._db)
- return user
- class MyUser(AbstractBaseUser):
- email = models.EmailField(
- verbose_name='email address',
- max_length=255,
- unique=True,
- )
- date_of_birth = models.DateField()
- is_active = models.BooleanField(default=True)
- is_admin = models.BooleanField(default=False)
- objects = MyUserManager()
- USERNAME_FIELD = 'email'
- REQUIRED_FIELDS = ['date_of_birth']
- def get_full_name(self):
- # The user is identified by their email address
- return self.email
- def get_short_name(self):
- # The user is identified by their email address
- return self.email
- def __str__(self): # __unicode__ on Python 2
- return self.email
- def has_perm(self, perm, obj=None):
- "Does the user have a specific permission?"
- # Simplest possible answer: Yes, always
- return True
- def has_module_perms(self, app_label):
- "Does the user have permissions to view the app `app_label`?"
- # Simplest possible answer: Yes, always
- return True
- @property
- def is_staff(self):
- "Is the user a member of staff?"
- # Simplest possible answer: All admins are staff
- return self.is_admin
- Then, to register this custom User model with Django's admin, the following
- code would be required in the app's ``admin.py`` file::
- from django import forms
- from django.contrib import admin
- from django.contrib.auth.models import Group
- from django.contrib.auth.admin import UserAdmin
- from django.contrib.auth.forms import ReadOnlyPasswordHashField
- from customauth.models import MyUser
- class UserCreationForm(forms.ModelForm):
- """A form for creating new users. Includes all the required
- fields, plus a repeated password."""
- password1 = forms.CharField(label='Password', widget=forms.PasswordInput)
- password2 = forms.CharField(label='Password confirmation', widget=forms.PasswordInput)
- class Meta:
- model = MyUser
- fields = ('email', 'date_of_birth')
- def clean_password2(self):
- # Check that the two password entries match
- password1 = self.cleaned_data.get("password1")
- password2 = self.cleaned_data.get("password2")
- if password1 and password2 and password1 != password2:
- raise forms.ValidationError("Passwords don't match")
- return password2
- def save(self, commit=True):
- # Save the provided password in hashed format
- user = super(UserCreationForm, self).save(commit=False)
- user.set_password(self.cleaned_data["password1"])
- if commit:
- user.save()
- return user
- class UserChangeForm(forms.ModelForm):
- """A form for updating users. Includes all the fields on
- the user, but replaces the password field with admin's
- password hash display field.
- """
- password = ReadOnlyPasswordHashField()
- class Meta:
- model = MyUser
- fields = ('email', 'password', 'date_of_birth', 'is_active', 'is_admin')
- def clean_password(self):
- # Regardless of what the user provides, return the initial value.
- # This is done here, rather than on the field, because the
- # field does not have access to the initial value
- return self.initial["password"]
- class MyUserAdmin(UserAdmin):
- # The forms to add and change user instances
- form = UserChangeForm
- add_form = UserCreationForm
- # The fields to be used in displaying the User model.
- # These override the definitions on the base UserAdmin
- # that reference specific fields on auth.User.
- list_display = ('email', 'date_of_birth', 'is_admin')
- list_filter = ('is_admin',)
- fieldsets = (
- (None, {'fields': ('email', 'password')}),
- ('Personal info', {'fields': ('date_of_birth',)}),
- ('Permissions', {'fields': ('is_admin',)}),
- )
- # add_fieldsets is not a standard ModelAdmin attribute. UserAdmin
- # overrides get_fieldsets to use this attribute when creating a user.
- add_fieldsets = (
- (None, {
- 'classes': ('wide',),
- 'fields': ('email', 'date_of_birth', 'password1', 'password2')}
- ),
- )
- search_fields = ('email',)
- ordering = ('email',)
- filter_horizontal = ()
- # Now register the new UserAdmin...
- admin.site.register(MyUser, MyUserAdmin)
- # ... and, since we're not using Django's built-in permissions,
- # unregister the Group model from admin.
- admin.site.unregister(Group)
- Finally, specify the custom model as the default user model for your project
- using the :setting:`AUTH_USER_MODEL` setting in your ``settings.py``::
- AUTH_USER_MODEL = 'customauth.MyUser'