What is a good way to dynamically set SITE_ID in settings.py based on domain name in URL?
I have an app that will be running with too many domain names (city based) that a custom settings.py file for each domain is just not doable.
Is there a way to set it dynamically?
You can do a custom middleware which reads the request and sets the SITE_ID. I use this code on one of my sites:
class SiteMiddleware(object):
def process_request(self, request):
try:
current_site = Site.objects.get(domain=request.get_host())
except Site.DoesNotExist:
current_site = Site.objects.get(id=settings.DEFAULT_SITE_ID)
request.current_site = current_site
settings.SITE_ID = current_site.id
You should look at Django's documentation on middleware to find out how to add your own middleware. https://docs.djangoproject.com/en/dev/topics/http/middleware/
The middleware code form seems to have changed. The current (Django v3.1) form of the code (that seems to work):
from django.conf import settings
from django.contrib.sites.models import Site
class DynamicSiteDomainMiddleware:
def __init__(self, get_response):
self.get_response = get_response
# One-time configuration and initialization.
def __call__(self, request):
try:
current_site = Site.objects.get(domain=request.get_host())
except Site.DoesNotExist:
current_site = Site.objects.get(id=settings.DEFAULT_SITE_ID)
request.current_site = current_site
settings.SITE_ID = current_site.id
response = self.get_response(request)
return response
This should work for Django v3.2.
This code is not very different compared to earlier answers, so I won't explain how this works.
However, I believe that writing custom middleware changed slightly in v3.2. The key difference is subclassing MiddleWareMixin. I put this code in middleware.py, and add it to the MIDDLEWARE list in settings.py.
The second change compared to above answers is the use of SITE_ID directly from settings.py instead of DEFAULT_SITE_ID, since I see no point in having both these set in settings.py.
# middleware.py
class DynamicSiteMiddleware(MiddlewareMixin):
"""
Make all domain names available through request.site
"""
def process_request(self, request):
try:
current_site = Site.objects.get(domain=request.get_host())
except Site.DoesNotExist:
current_site = Site.objects.get(id=settings.SITE_ID)
request.site = current_site
settings.SITE_ID = current_site.id
response = self.get_response(request)
return response
# settings.py
MIDDLEWARE = [
...
'library.middleware.DynamicSiteMiddleware',
]
Related
I am trying to implement a dynamic subdomain and urls system in my django project.
Generally, each user has its domain, eg. myusername.example.com
User may define dynamic URLs, for example:
myusername.example.com/something1
myusername.example.com/something2
myusername2.example.com/something1
myusername2.example.com/something2
But I have also my website running on example.com, with urls like example.com/contact, example.com/about-us and so on.
I want to all of these URLs to point to my custom view (class based) where I do some DB queries and return dynamic content. this somethin1/something2 part is fully dynamic, and there may be anything . defined by user.
I've got something like this:
urls.py
from web.views import HomeView, ContactView
urlpatterns = [
path('admin/', admin.site.urls),
path('contact', ContactView.as_view()),
path('', HomeView.as_view()),
re_path('.*', HomeView.as_view())
]
web.views.py
class HomeView(TemplateView):
template_name = 'home.html'
def dispatch(self, request, *args, **kwargs):
SERVICE_DOMAIN = settings.DOMAIN
http_host = str(request.META.get('HTTP_HOST'))
if SERVICE_DOMAIN in http_host:
subdomains = http_host.split(SERVICE_DOMAIN)[0]
subdomain = slugify.slugify(subdomains)
else:
subdomain = False
if subdomain:
print('Our subdomain is {}'.format(subdomain))
kwargs['subdomain'] = subdomain
return CustomUrlView.as_view()(self.request, *args, **kwargs)
if not subdomain:
print('run normally')
return super().dispatch(request, *args, **kwargs)
class CustomUrlView(View):
def dispatch(self, request, *args, **kwargs):
subdomain = kwargs.get('subdomain')
url = request.META.get('PATH_INFO').lower().strip().replace('/', '', 1)
# here I do some queries in DB with my url variable - it has own model etc.
Generally, everything works fine for almost all user defined urls...
Problem is when visitor opens myusername.example.com/contact - its always match the url defined in urls.py and and its not catched by my HomeView.
How can I solve it? I don't want to use any of my class based view's urls defined in urls.py when request comes from a subdomain.
You need to have a two different urls files. One for domain and second for subdomains.
Split domain and subdomain views in two url files. If you have views which works on both e.g. login, create a "common" file and include in both urls.
You can choose which url you will use, so create a middleware and inspect a host request.META.get('HTTP_HOST'). If request comes from subdomain, then simply load appropriated urls request.urlconf = 'path.to_subdomain.urls'
Note:
Be sure that ROOT_URLCONF in your settings.py point to the "domain' urls. Also, in your middleware you should inspect does subdomain exists and return 404 if it doesn't exist.
Is there a ready way to use the Django admin page without any form of authentication? I know I can use this method, but that was for Django 1.3. Are there any changes that would let me do this more easily in Django 1.6?
My main motivation for this is that I want to have as few database tables as possible, and I am using this only locally, so there is no need for any sort of authentication (I'm only ever running the server on localhost anyways).
The accepted answer is already super simple however after messing around with this I found that in recent versions of Django (since admin.site.has_permission became a thing... >= 1.8?) you can do it without middleware.
In your project's urls.py:
from django.contrib import admin
class AccessUser:
has_module_perms = has_perm = __getattr__ = lambda s,*a,**kw: True
admin.site.has_permission = lambda r: setattr(r, 'user', AccessUser()) or True
# Register the admin views or call admin.autodiscover()
urlpatterns = [
# Your url configs then...
url(r'^admin/', admin.site.urls),
]
If you have AccessUser extend User you can leave out the __getattr__ portion which is a hacky way to return something when user.pk or similar is called.
Create a module auto_auth.py:
from django.contrib.auth.models import User
from django.utils.deprecation import MiddlewareMixin
class AutoAuthMiddleware(MiddlewareMixin):
def process_request(self, request):
request.user = User.objects.filter()[0]
Edit MIDDLEWARE in your settings.py:
Remove 'django.contrib.auth.middleware.AuthenticationMiddleware'
Add 'auto_auth.AutoAuthMiddleware'
You can change User.objects.filter()[0] to something else if you want a particular user.
In response to your comment: yes. To run the Django admin without users at all, try this:
class User:
is_superuser = True
is_active = True
is_staff = True
id = 1
def return_true(*args, **kwargs):
return True
User.has_module_perms = return_true
User.has_perm = return_true
class AutoAuthMiddleware(MiddlewareMixin):
def process_request(self, request):
request.user = User()
And remove 'django.contrib.auth' from INSTALLED_APPS
But if you use any apps that depend on the auth app, you're going to have a bad time.
The accepted answer adapted for Django version >= 1.10
/[yourapp]/middleware.py:
from django.contrib.auth.models import User
class AuthenticationMiddleware(object):
def __init__(self, get_response):
self.get_response = get_response
def __call__(self, request):
request.user = User.objects.filter()[0]
return self.get_response(request)
In [yourproject]/settings.py for the MIDDLEWARE list:
Comment or remove: 'django.contrib.auth.middleware.AuthenticationMiddleware',
Append: '[yourapp].middleware.AuthenticationMiddleware',
Probably obvious to most people but note that the solution still requires one user to exist. Create one manually python manage.py createsuperuser or automatically with a script:
How to automate createsuperuser on django?
Autocreate superuser with each schema django
Create django super user in a docker container without inputting password
Another Option allows access from anyone: get the first user to bypass authentication
# app/admin.py
from django.contrib.auth.models import User
anonymous_user = User.objects.all().first()
admin.site.has_permission = lambda r: setattr(r, 'user', anonymous_user) or True
For the newer versions of django >=2.1 you need to do something like this:
auto_auth.py
class User:
is_superuser = True
is_active = True
is_staff = True
id = 1
pk = 1
User.has_module_perms = True
User.has_perm = True
class Middleware(object):
def __init__(self, get_response):
self.response = get_response
def __call__(self, request):
request.user = User()
return self.response(request)
And also don't forget to modify your settings middleware and deactivate django.contrib.auth and add auto_auth
For all using Django 3.0,
comment out this code AUTH_USER_MODEL = 'customUser' in your settings.py and create a superuser (python manage.py createsuperuser) with the default user model first.
After creating the superuser then uncomment this code AUTH_USER_MODEL = 'customUser'.
This happened to me and that's what I did with Django 3.0
You should be good to go. Hope it helps
django's User model has a last_login field, which is great if all the users were to log out each time they leave the site, but what if they don't?
How can I track when a user who never logged out and his activity on the site?
You need to have the last_activity field in the user profile (or custom user model). This field will be updated on every request. To achieve this you need to have custom middleware:
profiles/middleware.py:
from django.utils import timezone
from myproject.profiles.models import Profile
class UpdateLastActivityMiddleware(object):
def process_view(self, request, view_func, view_args, view_kwargs):
assert hasattr(request, 'user'), 'The UpdateLastActivityMiddleware requires authentication middleware to be installed.'
if request.user.is_authenticated():
Profile.objects.filter(user__id=request.user.id) \
.update(last_activity=timezone.now())
Add this middleware in your setting file:
MIDDLEWARE_CLASSES = (
# other middlewares
'myproject.profiles.middleware.UpdateLastActivityMiddleware',
)
i think in 2022 this will satisfy what you need also i did this and worked for me but the answer didnt.
put LastActivityTraceMiddleware after AuthenticationMiddleware in settings.py.
from django.utils.timezone import now
from .... import MemberEntity
class LastActivityTraceMiddleware:
def __init__(self, get_response):
self.get_response = get_response
def __call__(self, request):
response = self.get_response(request)
member: MemberEntity = request.user
if member.is_authenticated:
member.last_login = now()
member.save()
return response
I know the question is old ... and surely it has already been solved ...
but here is my contribution ...
In new versions of django you can use:
"Session Time" -> Used in configuration file. "settings.py"
If the user closes the browser, the session ends and must be logged in again ...
SESSION_EXPIRE_AT_BROWSER_CLOSE = True
If the user does not close the browser, you can set a time limit for the session ...
SESSION_COOKIE_AGE = 60 * 60
For "SESSION_COOKIE_AGE" if I remember correctly it's defined in seconds.
You can see more here...
Recommended reading is also django's own documentation about sessions...
I'm having a bit of trouble getting security in Pyramid to work properly. My security itself seems to be working: if a user attempts to access a resource they are not authorized to view, Pyramid throws an HTTPForbidden exception. The problem is that in this instance, it's supposed to fall back to the login view, which isn't happening. I'm just getting the default Pyramid exception screen with the stacktrace.
my login view:
from pyramid.httpexceptions import HTTPForbidden
#view_config(context = HTTPForbidden, renderer="login.mak")
#view_config(route_name = 'login', renderer='login.mak')
class Login(ViewBase):
def __init__(self, request):
super(Login, self).__init__(request)
self.data['title'] = "Login"
if request.method == 'POST':
name = request.params['username']
passwd = request.params['password']
validuser = User.check(name, passwd)
if validuser is None:
self.data['requested_path'] = request.params['requestpath']
self.__call__()
else:
headers = remember(request, str(validuser.id))
raise HTTPFound(
location = request.params['requestpath'],
headers = headers
)
else:
self.data['requested_path'] = request.url
def __call__(self):
return self.data
All of views have a default permission set to 'view', my acl class looks as follows:
from pyramid.security import Allow
from pyramid.security import Everyone
from pyramid.security import Authenticated
from pyramid.security import ALL_PERMISSIONS
# Handles ACL auth for the entire application
class RootFactory(object):
__acl__ = [
(Allow, Everyone, 'view'),
(Allow, 'Editor', 'edit'),
(Allow, 'Admin', ALL_PERMISSIONS)
]
def __init__(self, request):
pass
def groupfinder(userid, request):
from ctic.models import User
user = User.get(userid)
member_groups = []
if user != None:
member_groups.append(user.group.groupname)
return member_groups
else:
return None
As I said, the ACL aspect appears to be working.
Interestingly, if I remove the default_permission from my init.py, everything works as normal.
Any pointers as to where im going wrong would be appreciated.
This is probably unrelated to your problem, but the way a class-based view works in Pyramid is that it's a 2-step process. 1) Pyramid instantiates your class with the request object 2) Pyramid calls either the __call__ method or a method specified by attr in view_config. Thus, the call to self.__call__() in your __init__ is incorrect.
The way you're using class-based views is a little unconventional, but I don't see any actual bugs in what you've pasted here.
Your groupfinder() should return a list in all cases. If the user isn't in any groups, return [] instead of None.
I'm not sure if this is your problem. But I experienced similar behaviour when I returned None instead of [].
you might want to add "permission=NO_PERMISSION_REQUIRED" to your view_config
from pyramid.security import NO_PERMISSION_REQUIRED
#view_config(context = HTTPForbidden, renderer="login.mak", permission=NO_PERMISSION_REQUIRED)
I want to be able to set an option in the user's settings that forces them to change their password upon the next login to the admin interface. Is this possible? How would it go about being implemented? I'm using the default auth model right now but not opposed to modifying or changing it. Thanks for any help.
I'm actually in the process of doing this myself. You need three components: a user profile (if not already in use on your site), a middleware component, and a pre_save signal.
My code for this is in an app named 'accounts'.
# myproject/accounts/models.py
from django.db import models
from django.db.models import signals
from django.contrib.auth.models import User
class UserProfile(models.Model):
user = models.ForeignKey(User, unique=True)
force_password_change = models.BooleanField(default=False)
def create_user_profile_signal(sender, instance, created, **kwargs):
if created:
UserProfile.objects.create(user=instance)
def password_change_signal(sender, instance, **kwargs):
try:
user = User.objects.get(username=instance.username)
if not user.password == instance.password:
profile = user.get_profile()
profile.force_password_change = False
profile.save()
except User.DoesNotExist:
pass
signals.pre_save.connect(password_change_signal, sender=User, dispatch_uid='accounts.models')
signals.post_save.connect(create_user_profile_signal, sender=User, dispatch_uid='accounts.models')
First, we create a UserProfile with a foreign key to User. The force_password_change boolean will, as its name describes, be set to true for a user whenever you want to force them to change their password. You could do anything here though. In my organization, we also chose to implement a mandatory change every 90 days, so I also have a DateTimeField that stores the last time a user changed their password. You then set that in the pre_save signal, password_changed_signal.
Second, we have the create_user_profile_signal. This is mostly added just for completeness. If you're just now adding user profiles into your project, you'll need a post_save signal that will create a UserProfile every time a User is created. This accomplishes that task.
Third, we have the password_changed_signal. This is a pre_save signal because at this point in the process the actual row in the User table hasn't be updated. Therefore, we can access both the previous password and the new password about to be saved. If the two don't match, that means the user has changed their password, and we can then reset the force_password_change boolean. This would be the point, also where you would take care of any other things you've added such as setting the DateTimeField previously mentioned.
The last two lines attach the two functions to their appropriate signals.
If you haven't already, you will also need to add the following line to your project's settings.py (changing the app label and model name to match your setup):
AUTH_PROFILE_MODULE = 'accounts.UserProfile'
That covers the basics. Now we need a middleware component to check the status of our force_password_change flag (and any other necessary checks).
# myproject/accounts/middleware.py
from django.http import HttpResponseRedirect
import re
class PasswordChangeMiddleware:
def process_request(self, request):
if request.user.is_authenticated() and \
re.match(r'^/admin/?', request.path) and \
not re.match(r'^/admin/password_change/?', request.path):
profile = request.user.get_profile()
if profile.force_password_change:
return HttpResponseRedirect('/admin/password_change/')
This very simple middleware hooks into the process_request stage of the page loading process. It checks that 1) the user has already logged in, 2) they are trying to access some page in the admin, and 3) the page they are accessing is not the password change page itself (otherwise, you'd get an infinite loop of redirects). If all of these are true and the force_password_change flag has been set to True, then the user is redirected to the password change page. They will not be able to navigate anywhere else until they change their password (firing the pre_save signal discussed previously).
Finally, you just need to add this middleware to your project's settings.py (again, changing the import path as necessary):
MIDDLEWARE_CLASSES = (
# Other middleware here
'myproject.accounts.middleware.PasswordChangeMiddleware',
)
I have used Chris Pratt's solution, with a little change: instead of using a middleware, that'd be executed for every page with the consequent resource use, I figured I'd just intercept the login view.
In my urls.py I have added this to my urlpatterns:
url(r'^accounts/login/$', 'userbase.views.force_pwd_login'),
then I added the following to userbase.views:
def force_pwd_login(request, *args, **kwargs):
response = auth_views.login(request, *args, **kwargs)
if response.status_code == 302:
#We have a user
try:
if request.user.get_profile().force_password_change:
return redirect('django.contrib.auth.views.password_change')
except AttributeError: #No profile?
pass
return response
It seems to work flawlessly on Django 1.2, but I have no reason to believe 1.3+ should have problems with it.
This is the middleware I use with Django 1.11 :
# myproject/accounts/middleware.py
from django.http import HttpResponseRedirect
from django.urls import reverse
class PasswordChangeMiddleware:
def __init__(self, get_response):
self.get_response = get_response
def __call__(self, request):
response = self.get_response(request)
next = reverse('client:password-update')
if request.user.is_authenticated() and request.path != next:
if request.user.account.force_password_change:
return HttpResponseRedirect(next)
return response
Still adding it to the settings middleware list :
MIDDLEWARE_CLASSES = (
# Other middleware here
'myproject.accounts.middleware.PasswordChangeMiddleware',
)
I spent 2 days on this issue recently, and a new solution came out.
Hopefully it's useful.
Just as above said, a new user model created.
newuser/models.py
class Users(AbstractUser):
default_pwd_updated = models.NullBooleanField(default=None, editable=False)
pwd_update_time = models.DateTimeField(editable=False, null=True, default=None) # reserved column to support further interval password (such as 60 days) update policy
def set_password(self, raw_password):
if self.default_pwd_updated is None:
self.default_pwd_updated = False
elif not self.default_pwd_updated:
self.default_pwd_updated = True
self.pwd_update_time = timezone.now()
else:
self.pwd_update_time = timezone.now()
super().set_password(raw_password)
Set this model as the AUTH_USER_MODEL.
[project]/settings.py
AUTH_USER_MODEL = 'newuser.Users'
Now you just need to customize LoginView and some methods in AdminSite.
[project]/admin.py
from django.contrib.admin import AdminSite
from django.contrib.auth.views import LoginView
from django.utils.translation import gettext as _, gettext_lazy
from django.urls import reverse
from django.views.decorators.cache import never_cache
from django.contrib.auth import REDIRECT_FIELD_NAME
from django.http import HttpResponseRedirect
class NewLoginView(LoginView):
def get_redirect_url(self):
if self.request.method == "POST" and self.request.user.get_username()\
and not self.request.user.default_pwd_updated:
redirect_to = reverse("admin:password_change")
else:
redirect_to = self.request.POST.get(
self.redirect_field_name,
self.request.GET.get(self.redirect_field_name, '')
)
return redirect_to
class NewAdminSite(AdminSite):
site_header = site_title = gettext_lazy("Customized Admin Site")
def __init__(self, name="admin"):
super().__init__(name)
#never_cache
def login(self, request, extra_context=None):
"""
Display the login form for the given HttpRequest.
"""
if request.method == 'GET' and self.has_permission(request):
# Already logged-in, redirect to admin index
if request.user.get_username() and not request.user.default_pwd_updated:
# default password not changed, force to password_change view
path = reverse('admin:password_change', current_app=self.name)
else:
path = reverse('admin:index', current_app=self.name)
return HttpResponseRedirect(path)
from django.contrib.auth.views import LoginView
from django.contrib.admin.forms import AdminAuthenticationForm
context = {
**self.each_context(request),
'title': _('Log in'),
'app_path': request.get_full_path(),
'username': request.user.get_username(),
}
if (REDIRECT_FIELD_NAME not in request.GET and
REDIRECT_FIELD_NAME not in request.POST):
context[REDIRECT_FIELD_NAME] = reverse('admin:index', current_app=self.name)
context.update(extra_context or {})
defaults = {
'extra_context': context,
'authentication_form': self.login_form or AdminAuthenticationForm,
'template_name': self.login_template or 'admin/login.html',
}
request.current_app = self.name
return NewLoginView.as_view(**defaults)(request) # use NewLoginView
#never_cache
def index(self, request, extra_context=None):
if request.user.get_username() and not request.user.default_pwd_updated:
# if default password not updated, force to password_change page
context = self.each_context(request)
context.update(extra_context or {})
return self.password_change(request, context)
return super().index(request, extra_context)
admin_site = NewAdminSite(name="admin")
NOTE: if you intend to use custom template for changing default password, you could override each_context method and then determine which template should be used up to the flag force_pwd_change.
[project]/admin.py
def using_default_password(self, request):
if self.has_permission(request) and request.user.get_username() and not request.user.default_pwd_updated:
return True
return False
def each_context(self, request):
context = super().each_context(request)
context["force_pwd_change"] = self.using_default_password(request)
return context
From a thread on the Django Users mailing list:
This isn't ideal, but it should work
(or prompt someone to propose
something better).
Add a one-to-one table for the user,
with a field containing the initial
password (encrypted, of course, so it
looks like the password in the
auth_user table).
When the user logs in, have the login
page check to see if the passwords
match. If they do, redirect to the
password change page instead of the
normal redirect page.
Checkout this simple package based on session (Tested with django 1.8). https://github.com/abdullatheef/django_force_reset_password
Create custom view in myapp.views.py
class PassWordReset(admin.AdminSite):
def login(self, request, extra_context=None):
if request.method == 'POST':
response = super(PassWordReset, self).login(request, extra_context=extra_context)
if response.status_code == 302 and request.user.is_authenticated():
if not "fpr" in request.session or request.session['fpr']:
request.session['fpr'] = True
return HttpResponseRedirect("/admin/password_change/")
return response
return super(PassWordReset, self).login(request, extra_context=extra_context)
def password_change(self, request, extra_context=None):
if request.method == 'POST':
response = super(PassWordReset, self).password_change(request, extra_context=extra_context)
if response.status_code == 302 and request.user.is_authenticated():
request.session['fpr'] = False
return response
return super(PassWordReset, self).password_change(request, extra_context=extra_context)
pfr_login = PassWordReset().login
pfr_password_change = PassWordReset().admin_view(PassWordReset().password_change, cacheable=True)
Then in project/urls.py
from myapp.views import pfr_password_change, pfr_login
urlpatterns = [
......
url(r'^admin/login/$', pfr_login),
url(r'^admin/password_change/$', pfr_password_change),
url(r'^admin/', admin.site.urls),
....
]
Then add this middleware myapp/middleware.py
class FPRCheck(object):
def process_request(self, request):
if request.user.is_authenticated() \
and re.match(r'^/admin/?', request.path) \
and (not "fpr" in request.session or ("fpr" in request.session and request.session['fpr'])) \
and not re.match(r"/admin/password_change|/admin/logout", request.path):
return HttpResponseRedirect("/admin/password_change/")
Order of middleware
MIDDLEWARE_CLASSES = [
....
'myapp.middleware.FPRCheck'
]
Note
This will not need any extra model.
Also work with any Session Engine.
No db query inside middleware.