django使用auth模块进行身份认证

2023-08-22 14:16:16

https://docs.djangoproject.com/zh-hans/2.0/topics/auth/default/#authentication-in-web-requests

django认证模型系统是django自带，默认配置文件在settings.py文件当中。这个项目在INSTALLED_APPS setting里面由两个部分组成，分别是：

'django.contrib.auth' 包含了认证框架的核心模块, 是默认的模型。
'django.contrib.contenttypes' 是django的内容类型系统, 这个会允许你连接你创建的模型。

这是你的中间件配置:

SessionMiddleware manages sessions across requests.
AuthenticationMiddleware associates users with requests using sessions.

一、创建超级用户

$ python manage.py createsuperuser --username=joe --email=joe@example.com

更改密码

from django.contrib.auth.models import User

u = User.objects.get(username='john')

u.set_password('new password')

u.save()

# 这里的User是django默认创建的用户表，如果用到自己定义的表，这里需要更改，更改后的表含有User表所有的方法。

检查密码

auth 提供的一个检查密码是否正确的方法，需要提供当前请求用户的密码。

密码正确返回True，否则返回False。

用法：

ok = user_obj.check_password('密码')

或者

ok = request.user.check_password(raw_password='原密码')

一个简单的修改密码功能的事例：

@login_required

def set_password(request):

    user = request.user

    err_msg = ''

    if request.method == 'POST':

        old_password = request.POST.get('old_password', '')

        new_password = request.POST.get('new_password', '')

        repeat_password = request.POST.get('repeat_password', '')

        # 检查旧密码是否正确

        if user.check_password(old_password):

            if not new_password:

                err_msg = '新密码不能为空'

            elif new_password != repeat_password:

                err_msg = '两次密码不一致'

            else:

                user.set_password(new_password)

                user.save()

                return redirect("/login/")

        else:

            err_msg = '原密码输入错误'

    content = {

        'err_msg': err_msg,

    }

    return render(request, 'set_password.html', content)

修改密码示例

验证用户

from django.contrib.auth import authenticate

user = authenticate(username='john', password='secret')

if user is not None:

    # 验证通过

    # A backend authenticated the credentials

else:

    # 验证失败

    # No backend authenticated the credentials

request is an optional HttpRequest which is passed on the authenticate() method of the authentication backends.

Changed in Django 1.11:

The optional request argument was added.

权限和认证

User objects have two many-to-many fields: groups and user_permissions. User objects can access their related objects in the same way as any other Django model:

myuser.groups.set([group_list])

myuser.groups.add(group, group, ...)

myuser.groups.remove(group, group, ...)

myuser.groups.clear()

myuser.user_permissions.set([permission_list])

myuser.user_permissions.add(permission, permission, ...)

myuser.user_permissions.remove(permission, permission, ...)

myuser.user_permissions.clear()

from django.contrib.auth.models import User

u = User.objects.get(username='john')

u.groups.add()

或

u = User.objects.get(username='john')

u.user_permissions.add()

默认权限

假设我创建了一个app名称叫做foo,model名称叫做Bar，测试你所拥有的基本权限方法如下：

add: user.has_perm('foo.add_bar')

change: user.has_perm('foo.change_bar')

delete: user.has_perm('foo.delete_bar')

权限缓存

from django.contrib.auth.models import Permission, User

from django.contrib.contenttypes.models import ContentType

from django.shortcuts import get_object_or_404

from myapp.models import BlogPost

def user_gains_perms(request, user_id):

    user = get_object_or_404(User, pk=user_id)

    # any permission check will cache the current set of permissions

    user.has_perm('myapp.change_blogpost')

    content_type = ContentType.objects.get_for_model(BlogPost)

    permission = Permission.objects.get(

        codename='change_blogpost',

        content_type=content_type,

    )

    user.user_permissions.add(permission)

    # Checking the cached permission set

    user.has_perm('myapp.change_blogpost')  # False

    # Request new instance of User

    # Be aware that user.refresh_from_db() won't clear the cache.

    user = get_object_or_404(User, pk=user_id)

    # Permission cache is repopulated from the database

    user.has_perm('myapp.change_blogpost')  # True

    ...

Web 请求的认证

django使用session中间件来验证request objects，如果用户验证没有通过，这个实例会被设置成AnonymousUser。

if request.user.is_authenticated:
# Do something for authenticated users.
...
else:
# Do something for anonymous users.
...

如何使用`authenticate()和login()`:

from django.contrib.auth import authenticate, login

def my_view(request):

    username = request.POST['username']

    password = request.POST['password']

    user = authenticate(request, username=username, password=password)

    if user is not None:

        login(request, user)

        # Redirect to a success page.

        ...

    else:

        # Return an 'invalid login' error message.

        ...

用户如何登出

from django.contrib.auth import logout

def logout_view(request):

    logout(request)

    # Redirect to a success page.

Limiting access to logged-in users

from django.conf import settings

from django.shortcuts import redirect

def my_view(request):

    if not request.user.is_authenticated:

        return redirect('%s?next=%s' % (settings.LOGIN_URL, request.path))

    # ...

或者返回一个错误页面

from django.shortcuts import render

def my_view(request):

    if not request.user.is_authenticated:

        return render(request, 'myapp/login_error.html')

    # ...

`login_required` 装饰器

使用方法如下

from django.contrib.auth.decorators import login_required

@login_required

def my_view(request):

    ...

登陆成功后默认会跳转到/accounts/login/目录，如果需要使用自定义目录，需要添加在settings.py文件LOGIN_URL 参数。

测试登陆用户，验证用户是否存在email字段

from django.shortcuts import redirect

def my_view(request):

    if not request.user.email.endswith('@example.com'):

        return redirect('/login/?next=%s' % request.path)

    # ...

user_passes_test(test_func, login_url=None, redirect_field_name='next')[source]¶

As a shortcut, you can use the convenient user_passes_test decorator which performs a redirect when the callable returns False:

from django.contrib.auth.decorators import user_passes_test

def email_check(user):

    return user.email.endswith('@example.com')

@user_passes_test(email_check)

def my_view(request):

`permission_required` 装饰器

permission_required(perm, login_url=None, raise_exception=False)[source]

from django.contrib.auth.decorators import permission_required

@permission_required('polls.can_vote')

def my_view(request):

    ...

就好像has_perm方法一样，permission_requierd使用方法为<app label>.<permission codename>

注意permission_required()仍然需要login_url字段。作为login_required的装饰，login_url默认设置的为settings.LOGIN_URL，也就是settings.py文件当中的LOGIN_URL参数。

如果raise_exception字段抛出，这个装饰会抛出PermissionDenied，403 Forbidden，而不是跳转的login页面。如果你想要在异常抛出前再给你的用户登陆，你可以加上login_required()

from django.contrib.auth.decorators import login_required, permission_required

@login_required

@permission_required('polls.can_vote', raise_exception=True)

def my_view(request):

Session invalidation on password change

如果用户认证的model从 AbstractBaseUser 或者从get_session_auth_hash()方法实现，通过这些，认证缓存会通过hash方法实现，在AbstractBaseUser例子中，如果你想要更改密码并且不退出登陆，使用update_session_auth_hash()方法。

from django.contrib.auth import update_session_auth_hash

def password_change(request):

    if request.method == 'POST':

        form = PasswordChangeForm(user=request.user, data=request.POST)

        if form.is_valid():

            form.save()

            update_session_auth_hash(request, form.user)

    else:

        ...

如何扩展自带的auth_user表

1. 新建一个表，一对一关联上面的auth_user表

2. 继承的方式

from django.contrib.auth.models import AbstractUser

class UserInfo(AbstractUser):

    phone = models.CharField(max_length=11)

    addr = models.CharField(max_length=128)

    相当于对默认的auth_user表做了扩展， 并且代替auth_user

注意：
在settings.py中一定要加
AUTH_USER_MODEL = 'app名.类名'