The Django authentication system consists of:
- Users
- Permissions: binary (yes/no) flags designating whether a user may perform a certain task.
- Groups: a generic way of applying labels and permissions to more than one user.
- A configurable password hashing system
- Forms and view tools for logging in users, or restricting content
- A pluggable backend system
Installation
By default, the required configuration is already included in the settings.py generated by django-admin startproject project_name.
INSTALLED_APPS = [
    ...
    "django.contrib.auth",
    "django.contrib.contenttypes",
    ...
]
MIDDLEWARE = [
    ...
    "django.contrib.sessions.middleware.SessionMiddleware",
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    ...
]
Creating users
from django.contrib.auth.models import User
user = User.objects.create_user("john", "lennon@thebeatles.com", "johnpassword")
Creating superusers
$ python manage.py createsuperuser --username=joe --email=joe@example.com
Changing passwords
python manage.py changepassword <username>
or
from django.contrib.auth.models import User
u = User.objects.get(username="john")
u.set_password("new password")
u.save()
Authenticating users
- authenticate(request=None, **credentials)
- aauthenticate(request=None, **credentials): asynchronous version of authenticate()
from django.contrib.auth import authenticate

user = authenticate(username="john", password="secret")
if user is not None:
    # A backend authenticated the credentials
    ...
else:
    # No backend authenticated the credentials
    ...
request is an optional HttpRequest which is passed to the authenticate() method of the authentication backends.
Permissions and Authorization
Django comes with a built-in permissions system. It provides a way to assign permissions to specific users and groups of users. The admin site checks these permissions through the ModelAdmin hooks:
- has_view_permission()
- has_add_permission()
- has_change_permission()
- has_delete_permission()
Group operations:
myuser.groups.set([group_list])
myuser.groups.add(group, group, ...)
myuser.groups.remove(group, group, ...)
myuser.groups.clear()
Permission operations:
myuser.user_permissions.set([permission_list])
myuser.user_permissions.add(permission, permission, ...)
myuser.user_permissions.remove(permission, permission, ...)
myuser.user_permissions.clear()
Default permissions
When django.contrib.auth is listed in your INSTALLED_APPS setting, it will ensure that four default permissions – add, change, delete, and view – are created for each Django model defined in one of your installed applications.
Assuming you have a model named Bar in an application named foo, to test for basic permissions you should use:
- add: user.has_perm('foo.add_bar')
- change: user.has_perm('foo.change_bar')
- delete: user.has_perm('foo.delete_bar')
- view: user.has_perm('foo.view_bar')
Programmatically creating permissions
While custom permissions can be defined within a model’s Meta class, you can also create permissions directly.
from myapp.models import BlogPost
from django.contrib.auth.models import Permission
from django.contrib.contenttypes.models import ContentType

content_type = ContentType.objects.get_for_model(BlogPost)
permission = Permission.objects.create(
    codename="can_publish",
    name="Can Publish Posts",
    content_type=content_type,
)
The permission can then be assigned to a User via its user_permissions attribute or to a Group via its permissions attribute.
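As an added example (not from the Django docs or this page), a self-contained Python model of the has_perm() rules described in the group/permission, default-permission and custom-permission sections above: "<app_label>.<codename>" strings, permissions held directly or via groups, and the superuser and inactive-user cases. The Group, User, default_permissions and demo names are stand-ins written for this illustration, not Django's classes.

```python
from dataclasses import dataclass, field
# Added, Django-free model of how django.contrib.auth's ModelBackend resolves has_perm():
# permissions are "<app_label>.<codename>" strings, a user holds the union of their own
# user_permissions and their groups' permissions, active superusers hold everything and
# inactive users hold nothing. Illustration of the documented rules, not Django's code.

DEFAULT_ACTIONS = ("add", "change", "delete", "view")

def default_permissions(app_label: str, model_name: str) -> set[str]:
    # The four permissions Django auto-creates per model, e.g. foo.add_bar for model Bar in app foo.
    return {f"{app_label}.{action}_{model_name.lower()}" for action in DEFAULT_ACTIONS}

@dataclass
class Group:
    name: str
    permissions: set[str] = field(default_factory=set)

@dataclass
class User:
    username: str
    is_active: bool = True
    is_superuser: bool = False
    user_permissions: set[str] = field(default_factory=set)
    groups: list[Group] = field(default_factory=list)

    def get_all_permissions(self) -> set[str]:
        # ModelBackend hands back an empty set for inactive users, so every has_perm() fails.
        if not self.is_active:
            return set()
        return set(self.user_permissions).union(*(g.permissions for g in self.groups))

    def has_perm(self, perm: str) -> bool:
        # Active superusers pass every check without the stored permissions being consulted.
        if self.is_active and self.is_superuser:
            return True
        return perm in self.get_all_permissions()

def demo() -> dict[str, bool]:
    # Constructed sample data: an "editors" group allowed everything on foo.Bar except delete.
    editors = Group("editors", default_permissions("foo", "Bar") - {"foo.delete_bar"})
    alice = User("alice", groups=[editors])
    bob = User("bob", user_permissions={"myapp.can_publish"})
    retired = User("retired", is_superuser=True, is_active=False)
    return {
        "alice_view": alice.has_perm("foo.view_bar"),          # True, granted via the group
        "alice_delete": alice.has_perm("foo.delete_bar"),      # False, withheld from the group
        "bob_publish": bob.has_perm("myapp.can_publish"),      # True, direct custom permission
        "retired_superuser": retired.has_perm("foo.view_bar"), # False, inactive beats superuser
    }
```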