
Django user authentication system (2) Authentication in Web requests

黄舟
Release: 2016-12-23 17:42:12

Django provides a request.user attribute on every web request to represent the current user. If the current user is not logged in, this attribute is an instance of AnonymousUser; otherwise, it is a User instance.

You can tell the two apart with is_authenticated(), for example:

if request.user.is_authenticated():
    # Do something for authenticated users.
    pass
else:
    # Do something for anonymous users.
    pass

Login

login()

The login function takes an HttpRequest object and a User object as parameters. login() uses Django's session framework to store the User's id in the session.

Use authenticate() and login() together:

from django.contrib.auth import authenticate, login

def my_view(request):
    username = request.POST['username']
    password = request.POST['password']
    user = authenticate(username=username, password=password)
    if user is not None:
        if user.is_active:
            login(request, user)
            # Redirect to a success page.
        else:
            # Return a 'disabled account' error message
            pass
    else:
        # Return an 'invalid login' error message.
        pass

Logout

logout()

Takes an HttpRequest object as its parameter and has no return value. For example:

from django.contrib.auth import logout


def logout_view(request):
    logout(request)
    # Redirect to a success page.

Restrict access

The raw way

Use request.user.is_authenticated()

Redirect:

from django.shortcuts import redirect


def my_view(request):
    if not request.user.is_authenticated():
        return redirect('/login/?next=%s' % request.path)
    # ...

or:

from django.shortcuts import render


def my_view(request):
    if not request.user.is_authenticated():
        return render(request, 'myapp/login_error.html')
    # ...

Use the decorator login_required

login_required([redirect_field_name=REDIRECT_FIELD_NAME, login_url=None])

from django.contrib.auth.decorators import login_required


@login_required
def my_view(request):
    ...

If the user is not logged in, the decorator redirects to settings.LOGIN_URL and appends the relative path of the current URL as a query string pair with the key next:

/accounts/login/?next=/polls/3/

The key of the query string pair defaults to next; you can also name it yourself:

from django.contrib.auth.decorators import login_required


@login_required(redirect_field_name='my_redirect_field')
def my_view(request):
    ...

You can also define login_url yourself:

from django.contrib.auth.decorators import login_required


@login_required(login_url='/accounts/login/')
def my_view(request):
    ...

The corresponding entry must be defined in urls.py:

(r'^accounts/login/$', 'django.contrib.auth.views.login'),


Test logged in users

For example, to check the user's email:

from django.http import HttpResponse


def my_view(request):
    if '@example.com' not in request.user.email:
        return HttpResponse("You can't vote in this poll.")
    # ...

You can use decorators:

from django.contrib.auth.decorators import user_passes_test


def email_check(user):
    return '@example.com' in user.email

@user_passes_test(email_check)
def my_view(request):
    ...

You can also change the login_url:

@user_passes_test(email_check, login_url='/login/')
def my_view(request):
    ...
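The substring test '@example.com' in user.email also accepts addresses whose domain merely contains that text, and it raises an error for an object that has no email attribute. The following is an added example, not code from the original article, that runs the article's test next to an exact-domain test; FakeUser, AnonymousStandIn, ALLOWED_DOMAIN and the sample addresses are constructed for illustration.

```python
from collections import namedtuple

# Constructed stand-ins for Django user objects; only the attributes the
# checks read are modelled. AnonymousStandIn has no email attribute.
FakeUser = namedtuple("FakeUser", "username email")
AnonymousStandIn = namedtuple("AnonymousStandIn", "username")

ALLOWED_DOMAIN = "example.com"  # assumption: the one domain allowed to vote

SAMPLE_USERS = [  # constructed sample data
    FakeUser("alice", "alice@example.com"),
    FakeUser("bob", "bob@example.com.other.test"),
    FakeUser("carol", "carol@EXAMPLE.COM"),
    FakeUser("dave", ""),
    AnonymousStandIn(""),
]


def email_check_substring(user):
    """The test as written in the article: substring match."""
    return '@example.com' in user.email


def email_check_domain(user):
    """Stricter test: one '@', non-empty local part, exact domain match."""
    email = (getattr(user, "email", "") or "").strip()
    local, sep, domain = email.rpartition("@")
    if not sep or not local or "@" in local:
        return False
    return domain.lower() == ALLOWED_DOMAIN


def compare(users):
    """Return (email, substring_result, domain_result) for each user."""
    rows = []
    for user in users:
        try:
            loose = email_check_substring(user)
        except AttributeError:
            loose = "AttributeError"  # object without an email attribute
        rows.append((getattr(user, "email", None), loose, email_check_domain(user)))
    return rows


if __name__ == "__main__":
    for row in compare(SAMPLE_USERS):
        print(row)
```

email_check_domain has the same signature as the article's email_check, so it can be passed to user_passes_test in its place.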

Authentication Views

Of course, we can write our own view functions for login, logout and password management, which is more convenient.

But it is also worth learning about Django's built-in views.

Django does not provide a default template for authentication views, however the template context is documented for each view below.

All built-in views return a TemplateResponse instance, allowing you to easily customize response data.

https://github.com/django/django/blob/master/django/contrib/auth/views.py

Most of the built-in authentication views provide a URL name for use.

login(request[, template_name, redirect_field_name, authentication_form,current_app,extra_context])

Source code:

def login(request, template_name='registration/login.html',
         redirect_field_name=REDIRECT_FIELD_NAME,
         authentication_form=AuthenticationForm,
         current_app=None, extra_context=None):
   """
   Displays the login form and handles the login action.
   """
   redirect_to = request.POST.get(redirect_field_name,
                                  request.GET.get(redirect_field_name, ''))

   if request.method == "POST":
       form = authentication_form(request, data=request.POST)
       if form.is_valid():

           # Ensure the user-originating redirection url is safe.
           if not is_safe_url(url=redirect_to, host=request.get_host()):
               redirect_to = resolve_url(settings.LOGIN_REDIRECT_URL)

           # Okay, security check complete. Log the user in.
           auth_login(request, form.get_user())

           return HttpResponseRedirect(redirect_to)
   else:
       form = authentication_form(request)

   current_site = get_current_site(request)

   context = {
       'form': form,
       redirect_field_name: redirect_to,
       'site': current_site,
       'site_name': current_site.name,
   }
   if extra_context is not None:
       context.update(extra_context)
   return TemplateResponse(request, template_name, context,
                           current_app=current_app)

URL name: login

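Parameters:

template_name: The login template. Defaults to registration/login.html.
redirect_field_name: The name of the redirect field. Defaults to next.
authentication_form: The form to use. Defaults to AuthenticationForm.
current_app: A hint indicating which application contains the current view. See the namespaced URL resolution strategy for more information.
extra_context: Extra data, as a dictionary, that is added to the default context data.

django.contrib.auth.views.login does the following:

If accessed via GET, it displays the login form, whose contents can be POSTed to the same URL.
If accessed via POST, it first tries to log the user in. On success, the view redirects to the link given by next. If next is not set, it redirects to settings.LOGIN_REDIRECT_URL (which generally defaults to accounts/profile/). If login fails, the login form is displayed again.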
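The view source above only follows next after is_safe_url() accepts it; otherwise it falls back to settings.LOGIN_REDIRECT_URL. The following is an added example, not Django's implementation and not code from the original article, showing that kind of check with the standard library only, for views that handle next themselves; is_safe_redirect, resolve_next, the host name and the sample values are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Assumed fallback, standing in for settings.LOGIN_REDIRECT_URL.
LOGIN_REDIRECT_URL = "/accounts/profile/"

# Constructed sample values for the "next" parameter.
SAMPLE_NEXT_VALUES = [
    "/polls/3/",
    "https://www.example.com/polls/3/",
    "https://other.example/polls/3/",
    "//other.example/polls/3/",
    "/\\other.example/",
    "javascript:void(0)",
]


def is_safe_redirect(url, host):
    """Accept only local paths and http(s) URLs whose host equals `host`."""
    url = (url or "").strip()
    if not url:
        return False
    # Browsers treat "\" like "/", and control characters can hide the target.
    if "\\" in url or any(ord(ch) < 0x20 for ch in url):
        return False
    # "///host/path" is read by browsers as a scheme-relative URL.
    if url.startswith("///"):
        return False
    try:
        parts = urlparse(url)
    except ValueError:
        return False
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if parts.scheme and not parts.netloc:
        return False  # e.g. "http:other.example"
    return not parts.netloc or parts.netloc == host


def resolve_next(next_value, host):
    """Return the redirect target the login view should actually use."""
    if is_safe_redirect(next_value, host):
        return next_value.strip()
    return LOGIN_REDIRECT_URL


if __name__ == "__main__":
    for value in SAMPLE_NEXT_VALUES:
        print(repr(value), "->", resolve_next(value, "www.example.com"))
```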

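You must provide the HTML template for login yourself; the default is registration/login.html. This template is passed four template context variables:

form: A form object, AuthenticationForm.
next: The URL to redirect to after a successful login; it may contain a query string.
site: The current site, according to the SITE_ID setting. If you do not have the sites framework installed, this variable is set to a RequestSite instance, which takes the site name and domain from the current HttpRequest.
site_name: An alias for site.name. If you do not have the sites framework installed, it is set to the value of request.META['SERVER_NAME'].

If you do not want to use the registration/login.html template, you can pass the template_name parameter through the extra view arguments in the URLconf.

(r'^accounts/login/$', 'django.contrib.auth.views.login', {'template_name': 'myapp/login.html'}),

You can also specify the name of the redirect field yourself through the redirect_field_name parameter. The default field name is next.

Below is the registration/login.html template in its basic form. It assumes you have a base.html template that defines a content block.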

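{% extends "base.html" %}

{% block content %}

{% if form.errors %}
<p>Your username and password didn't match. Please try again.</p>
{% endif %}

<form method="post" action="{% url 'django.contrib.auth.views.login' %}">
{% csrf_token %}
<table>
<tr>
    <td>{{ form.username.label_tag }}</td>
    <td>{{ form.username }}</td>
</tr>
<tr>
    <td>{{ form.password.label_tag }}</td>
    <td>{{ form.password }}</td>
</tr>
</table>

<input type="submit" value="login" />
<input type="hidden" name="next" value="{{ next }}" />
</form>

{% endblock %}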

If you customize the authentication system, you can pass the customized authentication form to the login view through the authentication_form parameter. The form's __init__ method should have a request parameter and provide a get_user method to return the authenticated User object.

logout(request[, next_page, template_name, redirect_field_name, current_app,extra_context])

Log out the user.

URL name: logout

Optional parameters:

next_page: Redirect link after logout.

logout_then_login (request[, login_url, current_app, extra_context])

Log out the user and redirect to the login link.

Optional parameters:

login_url: Redirect link to the login page, the default value is settings.LOGIN_URL.

password_change(request[, template_name, post_change_redirect,password_change_form,current_app, extra_context])

Allows users to change passwords.

URL name: password_change

Optional arguments:

template_name: template name, default value is registration/password_change_form.html .
post_change_redirect: Redirect link.
password_change_form: Customized password change form, including a user parameter. The default value is PasswordChangeForm.

password_change_done(request[, template_name,current_app, extra_context])

The page after the user changes the password.

URL name: password_change_done

Optional arguments:

template_name: Template name. The default is registration/password_change_done.html.

password_reset(request[, is_admin_site, template_name, email_template_name, password_reset_form, token_generator, post_reset_redirect, from_email, current_app, extra_context, html_email_template_name])

Sends an email to the user, containing a one-time link, to let the user reset their password.

If the email address provided does not exist, no email is sent.

URL name: password_reset

Optional arguments:

template_name: Template name, the default value is registration/password_reset_form.html.
email_template_name: The name of the template used to generate the email containing the reset link. The default value is registration/password_reset_email.html.
subject_template_name: The name of the template used to generate the email subject. The default value is registration/password_reset_subject.txt.
password_reset_form: Password reset form, the default value is PasswordResetForm.

token_generator: Instance of the class used to check the one-time link. The default value is default_token_generator, whose class is django.contrib.auth.tokens.PasswordResetTokenGenerator.

post_reset_redirect: Redirect link after password reset.

from_email: Email address, the default value is DEFAULT_FROM_EMAIL.

current_app: A hint indicating which application contains the current view. See the namespaced URL resolution strategy for more information.
extra_context: A dictionary of context data that will be added to the default context data passed to the template.
html_email_template_name: The full name of a template to use for generating a text/html multipart email with the password reset link. By default, HTML email is not sent.

Example: registration/password_reset_email.html (email content template):

Someone asked for password reset for email {{ email }}. Follow the link below:
{{ protocol}}://{{ domain }}{% url 'password_reset_confirm' uidb64=uid token=token %}

password_reset_done(request[, template_name])

Display the page after the user chooses to send a password reset email. If the post_reset_redirect link is not explicitly specified in the password_reset() view, this view will be called directly.

password_reset_confirm(request[, uidb36, token, template_name, token_generator,set_password_form, post_reset_redirect,current_app, extra_context])

Display the form for entering a new password.

password_reset_complete(request[, template_name, current_app, extra_context])

The page shown after the password has been set successfully.

Helper functions

redirect_to_login(next[, login_url, redirect_field_name])

Redirect to the login page. After a successful login, redirect to another link.

Parameters:

next: link after successful login.

login_url: login page link, default value: settings.LOGIN_URL.

redirect_field_name: Redirect field name, the default value is next.

Built-in forms

class AdminPasswordChangeForm

Form for changing a user's password in the admin interface.

class AuthenticationForm

Login form.

Method confirm_login_allowed(user)

For example, allow all users to log in, regardless of the is_active attribute:

from django import forms
from django.contrib.auth.forms import AuthenticationForm
from django.utils.translation import ugettext_lazy as _

class AuthenticationFormWithInactiveUsersOkay(AuthenticationForm):
    def confirm_login_allowed(self, user):
        pass

Or only allow active users to log in:

class PickyAuthenticationForm(AuthenticationForm):
    def confirm_login_allowed(self, user):
        if not user.is_active:
            raise forms.ValidationError(
                _("This account is inactive."),
                code='inactive',
            )
        if user.username.startswith('b'):
            raise forms.ValidationError(
                _("Sorry, accounts starting with 'b' aren't welcome here."),
                code='no_b_users',
            )

class SetPasswordForm

Password setting form.

class UserChangeForm

Form for modifying a user's information and permissions in the admin interface.

class UserCreationForm

User creation form.

Authentication data in templates

When you use RequestContext, the currently logged-in user and their permissions are available as template variables.

Users

When a template is rendered with RequestContext, the currently logged-in user, whether a User instance or an AnonymousUser instance, is stored in the template variable {{ user }}:

{% if user.is_authenticated %}
    <p>Welcome, {{ user.username }}. Thanks for logging in.</p>
{% else %}
    <p>Welcome, new user.</p>
{% endif %}

If RequestContext is not used, this variable does not exist. Use RequestContext:

from django.shortcuts import render_to_response
from django.template import RequestContext


def some_view(request):
    # ...
    return render_to_response('my_template.html',
                              my_data_dictionary,
                              context_instance=RequestContext(request))

 
