So let's say i want to authenticate two different user (e.g students with its studentID, and teachers with its teacherID). and both let's say both have different ID pattern.
how should I do that with Custom User ? should I extend from AbsractBaseUser and use BaseUserManager for both of them in the same class or make different class for each students and teacher ?
if so, what should I do with AUTH_USER_MODEL in settings.py ?
can i write it like "AUTH_USER_MODEL = ('accounts.StudentAccount', 'accounts.TeacherAccount' ) ?
I appreciate any of your help and answer !!!
I think you may be over complicating the matter.
To authenticate a user, you need two pieces of information from them - one is public (like their username), the other is private, their password.
Once you have authenticated the user - confirmed they are who they say they are, that is, they have submitted valid credentials, next step is to figure out what they are authorized to do.
There are always two different steps - authentication and then authorization. Authentication confirms who you are, and authorization determines what you are able to do.
Now, in your scenario, students and teachers are logging in. The difference between a student and a teacher (besides having a different id pattern) is that they can do different things on the system.
So the problem is making sure you are giving the right authorization to the user.
The way they authenticate really doesn't matter. In other words, it doesn't matter if students are logging in with their email address and teachers are logging in with their teacherid, in the end - the authentication process is the same.
Now, let us get to Django. By default in Django a user is supposed to enter a username. This can be anything as long as it follows two rules:
Maximum length is 150 characters
It can only contain alphanumeric, _, #, +, . and - characters
Do we need to customize this part? Not really, as both studentid and teacherid will fit within those restrictions.
The next part is how do I differentiate between a "student" and a "teacher"? The easiest way to do this is to extend the user model by adding a custom flag to differentiate between a teacher and a student:
from django.contrib.auth.models import User
class UserType(models.Model):
user = models.OneToOneField(User, on_delete=models.CASCADE)
flag = models.IntegerField(choices=((1, 'Student'),(2, 'Teacher')), default=1)
Now, when you create a user - simply set this flag to either 1 or 2, depending on what kind of user you are creating.
Remember, the authentication will not change - just the authorization.
You can then use this flag to further restrict what this user can do. Have a look at the documentation for some examples.
Related
I am looking to generate a django authtoken for a non user object. previously I had easily generated auth tokens for user objects like this
email = request.data.get('email')
user = User.objects.get(email=email)
Token.objects.create(user=user)
but if I am trying this for non user object it is not getting generated.
device_id = request.data.get('device_id')
tablet = Table.objects.get(device_id=device_id)
Token.objects.create(user=tablet)
Here Table is simple model holding various device_ids.
I just want to generate an auth token for each tablet like we do for each user.
If you are linking devices to users, and need a "per device" token where a user has >1 device (e.g. desktop, tablet, phone, etc) that are logged in separately and where the tokens can be revoked, then look at the Knox App:
Django Knox (https://github.com/James1345/django-rest-knox)
Otherwise, authentication tokens are normally used to log in a user. If you don't have a user then they aren't much use as far as the standard infrastructure is concerned.
If you want something custom, then you'll have to write your own solution, which might include:
A custom middleware if:
you want/need to set request.device=, like request.user
you want a custom user object (below)
Decide if you want a "fake" user like DeviceUser
Implement the User interface (see AnonymousUser's example)
Has is_authenticated=True
Has permissions (?)
Has is_device_user=True so you can distinguish
Be really careful not to rely on request.user to have a user_id
Possibly a new Permission class (e.g. a new IsAuthenticated)
The main problem I see is with things that expect a non-anonymous User object (in request) to be a real user with a pk. If you are careful then this might not be too big an issue, but you'll need to start implementing to be sure how it affects you.
I have a requirement of two types of login in my django project where one login is for students and one login is for teachers.
I have gone through the Django documentation and other internet resources, and I have come up with a simple design solution but I am not sure about the pros and cons as I am still quiet new to Django.
Solution I thought to solve this Problem:
1) For student login, I have succesfully integrated django-allauth and it is working fine.
2) Now for the teacher login, I am thinking to build a model as follows:
class Teacher(models.Model):
teacher = models.OneToOneField(User,unique=True)
identifier = models.CharField(max_length=128)
#other fields
3) Then two forms over this model - Signup and Login for teachers and email verification form: Here I thought that I will create teacher object and student object on successful signup but I will set is_active=False and ask for email verification.On successful verification, I will set is_active=True so that a teacher can successfully login.
4) Avoid students from logging in the teachers section and teachers can login in the students section: Here I though of an identifier field to avoid authenticated students to login in the teachers section.
Please can anyone help me by providing your opinion on this solution or by suggesting some better alternative as I am still reading up more and more Django Documentation on this.
Thanks in Advance!
You could create a single model 'user' and define there permissions by adding them to a group.
And have your Django application for teachers check if there in the group teacher.
You could create separate forms or check based on email (name.student# or name# ) and
before saving the model adding the group.
Keeping is_active on False is alway a good idea if you want to verify that a 'user' has given a correct email.
I did an application which needed different permissions levels for Students, Teachers and a few different other User categories. I'm not sure if it's the best way to do it, but I did it by creating one UserProfile, as Eagllus mentioned, which had several categories for what kind of user profile it was. Something like:
PROFILE_CHOICES = (
('TE', 'Teacher'),
('ST', 'Student'),
)
class UserProfile(models.Model):
user = models.ForeignKey(User)
profile_type = models.CharField(max_length=2, choices=PROFILE_CHOICES)
'''other attributes'''
You can then decorate your views so only users of a certain type can access them.
Its not clear to me what you are trying to do in #3. It sounds like you want the user to be added as a teacher and student but only make them active by email verification?
I'm not familiar with django-auth but django-registration provides user registration where user account are activated via email. This may save you a significant amount of work.
I have been asked to introduce an unusual case and I'm wondering how others would go about it.
I have users in my Django application. The model is a standard user model, authentication. etc. Each one of of these site users can add their own contacts to the system. However my new requirement is to allow their contacts to set a password (if they want to to) so that they can login to their status page (belonging to that user).
So my question is how would you do this? I already have the contact table (which belongs to one user), I'm thinking of adding in a password (optional) field, but then I'm unsure how to handle the authentication for this as they are not my users but members of my users (if that make sense).
One way would be to create another user model for contacts inheriting from AbstractBaseUser. And then creating custom auth backend that would look in both models to login user. Finaly you would have to distinguish between standard user and contact user before every action.
That is if contact user and standard user differ significantly in your application.
Or you could just create custom user in your application, that would contain is_contact attribute. This would be used for both types of users. You would set that as AUTH_USER_MODEL in settings and check before every action for the is_contact attribute to determine the outcome. You could return 403 for the contact user if he tries to access what he's not suppose to.
Or if you use permissions in your application, you could set the contact user's persmissions only to view statuses of the users that added him as a contact and nothing else.
I understand the basic user authentication, login, creating accounts, extending user model...
I am trying to create a site where teachers and students can login. Teachers would have access to pages students cannot access with rights to post homeworks ect...
I think it is possible to do this with:
Assigning a user to a specific group upon creation.
Using decorators to limit access to the appropriate group.
.
#login_required
#user_passes_test(not_in_student_group, login_url='/login/')
def some_view(request):
# ...
def not_in_student_group(user):
if user:
return user.groups.filter(name='Student').count() == 0
return False
note I got the above code from:
http://bradmontgomery.blogspot.com/2009/04/restricting-access-by-group-in-django.html
Question:
How does using permission differ from the above approach?
How can permissions be used, and how does defining permission help me achieve the above results?
(If it is possible to do so, should it be used?)
It seems there are a hundred ways that people get to the same results in Django regarding authorization and permissions. Groups are one way, definitely.
Django permissions are usually based on your data, so "table based", or "row based". Row based permissions are not native to Django, you have to either roll your own solution, or use something like django-guardian or django-authority More Here.
The docs on permissions are here
class Quiz(models.Model):
title = models.CharField(max_length=64)
class Meta:
permissions = (
("can_take_quiz", "Can take quiz"),
("can_grade_quiz", "Can Grade Quiz"),
)
With this model, and these permissions, you could see that possibly a student aide would be given permission to grade a particular quiz, or a quiz for a given teacher, this is where row-based permissions would be useful. Implementing something like that (via has_permission) can solve a problem (and is more explicit) than just adding a user to a group.
You can add users to groups like you have already, and then give that entire group permissions to add a quiz, or grade quizes (teachers can add/edit/delete/grade, students can take) quizes, and check based on that.
then your user_passes_test would be user.has_perm('quiz.take_quiz') or instead of a decorator, you could pass the specific quiz to your object based backend.
The default Django's User model has some fields, and validation rules, that I don't really need. I want to make registration as simple as possible, i.e. require either email or username, or phone number - all those being unique, hence good as user identifiers.
I also don't like default character set for user name that is validated in Django user model. I'd like to allow any character there - why not?
I used user-profile django application before to add a profile to user - but this time I'd rather make the class mimimal. But I still want to use the User class, as it gives me an easy way to have parts of site restricted only for users logged in.
How do I do it?
Rather than modify the User class directly or do subclassing, you can also just repurpose the existing fields.
For one site I used the "first_name" field as the "publicly displayed name" of a user and stuff a slugified version of that into the "username" field (for use in URLs). I wrote a custom auth backend to allow people to log in using their "public name" or their email address, and I enforce the uniqueness of both of those at registration time. This plays nicely with other reusable apps and doesn't introduce extra tables or queries.
For another site I didn't want usernames at all, just unique emails. In order to satisfy Django's need for a unique username, I just hashed the email address and used that as the username (you have to base64-encode the hash to squeeze it under 30 characters). Custom auth backend to allow login with email.
If backwards-compatibility weren't an issue, there are a lot of improvements I'd love to see made to django.contrib.auth and the User model to make them more flexible. But there's quite a lot you can do inside the current constraints with a little creativity.
I misread the question. Hope this post is helpful to anyone else.
#in models.py
from django.db.models.signals import post_save
class UserProfile(models.Model):
user = models.ForeignKey(User)
#other fields here
def __str__(self):
return "%s's profile" % self.user
def create_user_profile(sender, instance, created, **kwargs):
if created:
profile, created = UserProfile.objects.get_or_create(user=instance)
post_save.connect(create_user_profile, sender=User)
#in settings.py
AUTH_PROFILE_MODULE = 'YOURAPP.UserProfile'
This will create a userprofile each time a user is saved if it is created.
You can then use
user.get_profile().whatever
Here is some more info from the docs
http://docs.djangoproject.com/en/dev/topics/auth/#storing-additional-information-about-users
The Django User model is structured very sensibly. You really don't want to allow arbitrary characters in a username, for instance, and there are ways to achieve email address login, without hacking changes to the base model.
To simply store additional information around a user account, Django supports the notion of user profiles. While you don't need to rely on the built in support to handle this, it is a convention that is commonly followed and it will allow you to play nice with the reusable Django apps that are floating around in the ether. For more information, see here.
If you want to actually modify the core User model but also "play nice" with reusable apps that rely on it, you're opening a bit of a Pandora's Box. Developers make base assumptions about how the core library is structured, so any changes may cause unexpected breakage. Nonetheless, you can monkeypatch changes to the base model, or branch a copy of Django locally. I would discourage the latter, and only recommend the former if you know what you're doing.
You face a bit of a dilemma which really has two solutions if you're committed to avoiding the profile-based customization already pointed out.
Change the User model itself, per Daniel's suggestions
Write a CustomUser class, subclassing User or copying its functionality.
The latter suggestion means that you would have to implement some things that User does automatically manually, but I wonder whether that's as bad as it sounds, especially if you're at the beginning of your project. All you'd have to do is rewrite a middle-ware class and some decorators.
Of course, I don't think this buys you anything that 1 won't get you, except that your project shouldn't break if you svn update your django. It may avoid some of the compatibility problems with other apps, but my guess is most problems will exist either way.
There are anumber of ways to do this, but here's what I'd do: I'd allow a user to enter an email, username (which must contain at least one letter and no # symbols) or mobile number. Then, when I validate it:
Check for the presence of #. If so, set it as the user's email, hash it appropriately and set it as their username as well.
Check to see if it's only numbers, dashes and +. Then, strip the appropriate characters and store it as both mobile number and username (if you're storing the mobile number in another model for SMS purposes or something).
If it's not either, just set it as username.
I'd also validate the user/phone/email field similarly on login and look in the appropriate place so that if, say, a user signs up with their mobile number and then changes their username (for some other purpose), they can still sign in with their mobile number.