In our system most users log in using their LDAP credentials (via django_auth_ldap.backend.LDAPBackend module). Some people, however, have their passwords set directly in Django auth module (they don't have LDAP accounts). Recently, some users had their LDAP accounts created, so they don't need Django passwords anymore. Is there a way to unset those passwords? Django admin panel allows only to change password, not remove it alltogether.
Extend user model and make password field blank
An example:
Allow blank password fields on User model when updating profile in Django
There is no builtin way. The easiest way that I can think of unregisters the stock user admin, adds a "unset password for selected user" action, and re-registers that new user admin.
Related
I need a custom user model in Django with only one field to authenticate. Because the users of my website will not have an email or password. They will be logged in with only one string (like token generated immediately). If the string matches with the another string/token defined by my system, the user should be logged in.
How could it be possible?
Thanks
I'm using django 1.9.7 and django-allauth to handle my user authentication.
I have a contact form that includes several Fields (including the users email address) which are saved as a model in the backend, from there I am using a ModelForm to display the fields. So far so good.
Now there should be a checkbox, which when checked should add two fields (password, password confirm) and instantly create an account with the email and password provided.
For this I would probably manually create a user object from the view that receives the contact information, but since its security relevant I'm wondering if there is an easy way to call a allauth method from python that creates the user (or even provides the form).
How would I go about this?
Update: So i found the adapter has a method called save_user() which would populate the information and save the new user.I could then add the two password fields to the form and just pass the form in there.
My issue that it would skip all the username and password cleaning, the email confirmation or the auto login after sign up.
You should be able to use the new_user() method in the default adapter. refer here https://github.com/pennersr/django-allauth/blob/master/allauth/socialaccount/adapter.py
I would like to force the user to change their password on first login. Can I do this with the default django authentication system?
In short, yes.
You need to know which users need to change their password. If you don't want to use a custom User model, I would recommend having another model to store the users that need to change their password. You would add the users to this table upon user registration/creation.
Then you could write a very simple middleware to check the current logged user (place it after AuthenticationMiddleware in your settings.py). If the user is flagged as requiring a password change, you could force a HttpResponse (in the middleware) to a custom view with a PasswordChangeForm (which comes out of the box in Django, in django.contrib.auth.forms.PasswordChangeForm), after which you could remove the flag to the user, and redirect them to the home page.
I have been asked to introduce an unusual case and I'm wondering how others would go about it.
I have users in my Django application. The model is a standard user model, authentication. etc. Each one of of these site users can add their own contacts to the system. However my new requirement is to allow their contacts to set a password (if they want to to) so that they can login to their status page (belonging to that user).
So my question is how would you do this? I already have the contact table (which belongs to one user), I'm thinking of adding in a password (optional) field, but then I'm unsure how to handle the authentication for this as they are not my users but members of my users (if that make sense).
One way would be to create another user model for contacts inheriting from AbstractBaseUser. And then creating custom auth backend that would look in both models to login user. Finaly you would have to distinguish between standard user and contact user before every action.
That is if contact user and standard user differ significantly in your application.
Or you could just create custom user in your application, that would contain is_contact attribute. This would be used for both types of users. You would set that as AUTH_USER_MODEL in settings and check before every action for the is_contact attribute to determine the outcome. You could return 403 for the contact user if he tries to access what he's not suppose to.
Or if you use permissions in your application, you could set the contact user's persmissions only to view statuses of the users that added him as a contact and nothing else.
I'm trying to figure out how to enhance the authenticate method with additional functionality.
e.g.
Expiring passwords
special password formats
length requirements
etc...
It is pretty straight forward for the site's frontend, but what about the admin panel?
I reckon that I should override the User's Manager object, as authenticate probably resides there. This is quite a tough one to figure out I think.
Thanks in advance! :)
You can create custom authentication backend by following the instructions in http://docs.djangoproject.com/en/dev/topics/auth/#authentication-backends. Essentially, you create a backend class that has an authenticate method:
class MyBackend:
def authenticate(self, username=None, password=None):
# Check the username/password and return a User.
Then add the class to AUTHENTICATION_BACKENDS in settings.py.
Though this is for authentication, you could do all the password validation things you mentioned simply by redirecting a user to a change password page if the password is correct but expired, for instance. Consider using the messaging framework to give a user a hint about what is going on when directing him to a generic change password page.
If you want the validation for passwords to be built into the model, then you'll probably want to extend the django User model.
Otherwise, you could do the following:
override admin password options by creating your own views for changing and setting passwords, then putting the relevant URLS just above (r'^admin/', include(admin.site.urls)). Regex would look something like (r'^admin/auth/user/(\d+)/password/', new_change_password).
Keep track of password age in a separate model and then when they expire, redirect to a change password once it expires.