Django框架詳細介紹---認證系統
在web開發中一般設計網站的登陸認證、註冊等功能,Django剛好內置了功能完善的用戶認證系統html
1.auth模塊python
from django.contrib import auth
模塊源碼web
import inspect import re import warnings from django.apps import apps as django_apps from django.conf import settings from django.core.exceptions import ImproperlyConfigured, PermissionDenied from django.middleware.csrf import rotate_token from django.utils.crypto import constant_time_compare from django.utils.deprecation import RemovedInDjango21Warning from django.utils.module_loading import import_string from django.utils.translation import LANGUAGE_SESSION_KEY from .signals import user_logged_in, user_logged_out, user_login_failed SESSION_KEY = '_auth_user_id' BACKEND_SESSION_KEY = '_auth_user_backend' HASH_SESSION_KEY = '_auth_user_hash' REDIRECT_FIELD_NAME = 'next' def load_backend(path): return import_string(path)() def _get_backends(return_tuples=False): backends = [] for backend_path in settings.AUTHENTICATION_BACKENDS: backend = load_backend(backend_path) backends.append((backend, backend_path) if return_tuples else backend) if not backends: raise ImproperlyConfigured( 'No authentication backends have been defined. Does ' 'AUTHENTICATION_BACKENDS contain anything?' ) return backends def get_backends(): return _get_backends(return_tuples=False) def _clean_credentials(credentials): """ Clean a dictionary of credentials of potentially sensitive info before sending to less secure functions. Not comprehensive - intended for user_login_failed signal """ SENSITIVE_CREDENTIALS = re.compile('api|token|key|secret|password|signature', re.I) CLEANSED_SUBSTITUTE = '********************' for key in credentials: if SENSITIVE_CREDENTIALS.search(key): credentials[key] = CLEANSED_SUBSTITUTE return credentials def _get_user_session_key(request): # This value in the session is always serialized to a string, so we need # to convert it back to Python whenever we access it. return get_user_model()._meta.pk.to_python(request.session[SESSION_KEY]) def authenticate(request=None, **credentials): """ If the given credentials are valid, return a User object. """ for backend, backend_path in _get_backends(return_tuples=True): try: user = _authenticate_with_backend(backend, backend_path, request, credentials) except PermissionDenied: # This backend says to stop in our tracks - this user should not be allowed in at all. break if user is None: continue # Annotate the user object with the path of the backend. user.backend = backend_path return user # The credentials supplied are invalid to all backends, fire signal user_login_failed.send(sender=__name__, credentials=_clean_credentials(credentials), request=request) def _authenticate_with_backend(backend, backend_path, request, credentials): credentials = credentials.copy() # Prevent a mutation from propagating. args = (request,) # Does the backend accept a request argument? try: inspect.getcallargs(backend.authenticate, request, **credentials) except TypeError: args = () credentials.pop('request', None) # Does the backend accept a request keyword argument? try: inspect.getcallargs(backend.authenticate, request=request, **credentials) except TypeError: # Does the backend accept credentials without request? try: inspect.getcallargs(backend.authenticate, **credentials) except TypeError: # This backend doesn't accept these credentials as arguments. Try the next one. return None else: warnings.warn( "Update %s.authenticate() to accept a positional " "`request` argument." % backend_path, RemovedInDjango21Warning ) else: credentials['request'] = request warnings.warn( "In %s.authenticate(), move the `request` keyword argument " "to the first positional argument." % backend_path, RemovedInDjango21Warning ) return backend.authenticate(*args, **credentials) def login(request, user, backend=None): """ Persist a user id and a backend in the request. This way a user doesn't have to reauthenticate on every request. Note that data set during the anonymous session is retained when the user logs in. """ session_auth_hash = '' if user is None: user = request.user if hasattr(user, 'get_session_auth_hash'): session_auth_hash = user.get_session_auth_hash() if SESSION_KEY in request.session: if _get_user_session_key(request) != user.pk or ( session_auth_hash and not constant_time_compare(request.session.get(HASH_SESSION_KEY, ''), session_auth_hash)): # To avoid reusing another user's session, create a new, empty # session if the existing session corresponds to a different # authenticated user. request.session.flush() else: request.session.cycle_key() try: backend = backend or user.backend except AttributeError: backends = _get_backends(return_tuples=True) if len(backends) == 1: _, backend = backends[0] else: raise ValueError( 'You have multiple authentication backends configured and ' 'therefore must provide the `backend` argument or set the ' '`backend` attribute on the user.' ) request.session[SESSION_KEY] = user._meta.pk.value_to_string(user) request.session[BACKEND_SESSION_KEY] = backend request.session[HASH_SESSION_KEY] = session_auth_hash if hasattr(request, 'user'): request.user = user rotate_token(request) user_logged_in.send(sender=user.__class__, request=request, user=user) def logout(request): """ Remove the authenticated user's ID from the request and flush their session data. """ # Dispatch the signal before the user is logged out so the receivers have a # chance to find out *who* logged out. user = getattr(request, 'user', None) if hasattr(user, 'is_authenticated') and not user.is_authenticated: user = None user_logged_out.send(sender=user.__class__, request=request, user=user) # remember language choice saved to session language = request.session.get(LANGUAGE_SESSION_KEY) request.session.flush() if language is not None: request.session[LANGUAGE_SESSION_KEY] = language if hasattr(request, 'user'): from django.contrib.auth.models import AnonymousUser request.user = AnonymousUser() def get_user_model(): """ Return the User model that is active in this project. """ try: return django_apps.get_model(settings.AUTH_USER_MODEL, require_ready=False) except ValueError: raise ImproperlyConfigured("AUTH_USER_MODEL must be of the form 'app_label.model_name'") except LookupError: raise ImproperlyConfigured( "AUTH_USER_MODEL refers to model '%s' that has not been installed" % settings.AUTH_USER_MODEL ) def get_user(request): """ Return the user model instance associated with the given request session. If no user is retrieved, return an instance of `AnonymousUser`. """ from .models import AnonymousUser user = None try: user_id = _get_user_session_key(request) backend_path = request.session[BACKEND_SESSION_KEY] except KeyError: pass else: if backend_path in settings.AUTHENTICATION_BACKENDS: backend = load_backend(backend_path) user = backend.get_user(user_id) # Verify the session if hasattr(user, 'get_session_auth_hash'): session_hash = request.session.get(HASH_SESSION_KEY) session_hash_verified = session_hash and constant_time_compare( session_hash, user.get_session_auth_hash() ) if not session_hash_verified: request.session.flush() user = None return user or AnonymousUser() def get_permission_codename(action, opts): """ Return the codename of the permission for the specified action. """ return '%s_%s' % (action, opts.model_name) def update_session_auth_hash(request, user): """ Updating a user's password logs out all sessions for the user. Take the current request and the updated user object from which the new session hash will be derived and update the session hash appropriately to prevent a password change from logging out the session from which the password was changed. """ request.session.cycle_key() if hasattr(user, 'get_session_auth_hash') and request.user == user: request.session[HASH_SESSION_KEY] = user.get_session_auth_hash() default_app_config = 'django.contrib.auth.apps.AuthConfig'
模塊內經常使用的內置方法:算法
authenticate(request=None, **credentials),提供用戶認證功能,驗證用戶名和密碼是否正確,認證成功則返回該用戶的對象數據庫
# 判斷用戶是否存在以及認證 user_obj = auth.authenticate(username=username, password=password)
login(request, user, backend=None),經過HttpRequest對象和user對象進行登陸驗證,同時在後端爲該用戶生成sessiondjango
# 登陸
auth.login(request, user_obj)
logout(request),查看logout源碼可看出該方法內經過傳入的request對象獲取當前退出的用戶將session清空後端
def logout(request): # 退出登陸 auth.logout(request) return redirect("/bbs/login/")
is_authenticated(self),判斷當前請求是否經過了驗證api
class AnonymousUser: @property def is_authenticated(self): return False
login_required(),auth提供的裝飾器工具,用來快捷的視圖添加登陸校驗,若是用戶沒有登陸則跳轉到Django中的global_setting.py內默認的URL(LOGIN_URL='/accounts/login/'),並傳遞當前訪問的URL絕對路徑,登錄成功後重定向到該路徑session
若是須要自定義登陸的URL,可在setting.py文件中指定LOGIN_URLapp
LOGIN_URL = '/login/' # 這裏配置成你項目登陸頁面的路由
from django.contrib.auth.decorators import login_required @login_required def index(request): ...
# 源碼 def login_required(function=None, redirect_field_name=REDIRECT_FIELD_NAME, login_url=None): """ Decorator for views that checks that the user is logged in, redirecting to the log-in page if necessary. """ actual_decorator = user_passes_test( lambda u: u.is_authenticated, login_url=login_url, redirect_field_name=redirect_field_name ) if function: return actual_decorator(function) return actual_decorator
***********************************************************************************************
from django.contrib.auth import REDIRECT_FIELD_NAME
REDIRECT_FIELD_NAME = 'next'
create_user(self, username, eamil=None, password=None, **extra_fields),auth內提供的建立用戶的方法
# 源碼 def create_user(self, username, email=None, password=None, **extra_fields): extra_fields.setdefault('is_staff', False) extra_fields.setdefault('is_superuser', False) return self._create_user(username, email, password, **extra_fields)
create_superuser(self, username, eamil, password, **extra_fields),auth內提供的建立用戶的方法,
def create_superuser(self, username, email, password, **extra_fields): extra_fields.setdefault('is_staff', True) extra_fields.setdefault('is_superuser', True) if extra_fields.get('is_staff') is not True: raise ValueError('Superuser must have is_staff=True.') if extra_fields.get('is_superuser') is not True: raise ValueError('Superuser must have is_superuser=True.') return self._create_user(username, email, password, **extra_fields)
check_password(password),用於檢查密碼是否正確,正確返回True,錯誤返回False
ok = user.check_password('密碼')
set_password(password),用於修改密碼,接收新密碼做爲參數
user.set_password(password='') user.save()
User對象的相關屬性:
username 用戶名(必填)
password 密碼,用哈希算法保存到數據庫
is_staff 用戶是否擁有網站的管理權限
is_active 是否容許用戶登陸, 設置爲 False,能夠在刪除用戶的前提下禁止用戶登陸
2.擴展使用
在經過AbstractUser類建立用戶類時,可添加自定義字段,同時必須注意的是繼承該類必須在setting.py中聲明使用,一旦指定了新的認證系統使用的表,必須從新在數據庫中建立該表,不能使用原來的auth_user表
# 引用Django自帶的User表,繼承使用時須要設置 AUTH_USER_MODEL = "APP名.UserInfo"
示例:
自定義用戶類
class UserInfo(AbstractUser): """ 用戶信息表 """ nid = models.AutoField(primary_key=True) phone = models.CharField(max_length=11, null=True, unique=True) avatar = models.FileField(upload_to="avatars/") blog = models.OneToOneField(to="Blog", to_field="nid", null=True, on_delete=models.CASCADE) def __str__(self): return self.username class Meta: verbose_name = "用戶信息" verbose_name_plural = verbose_name
登陸視圖
def login(request): form_obj = forms.LoginForm() if request.method == "POST": ret = {"code": 0} # 獲取用戶輸入的用戶名、密碼、隨機驗證碼 username = request.POST.get("username") password = request.POST.get("password") v_code = request.POST.get("v_code", "") # 判斷用戶輸入的隨機驗證碼是否正確 if v_code.upper() == request.session.get("v_code", ""): # 判斷用戶是否存在以及認證 user_obj = auth.authenticate(username=username, password=password) if user_obj: # 登陸 auth.login(request, user_obj) # 存放認證成功後可跳轉的地址 ret["data"] = "/index/" else: # 認證失敗 ret["code"] = 1 ret["data"] = "用戶名或密碼錯誤" else: # 用戶輸入的隨機驗證碼錯誤 ret["code"] = 1 ret["data"] = "驗證碼錯誤" return JsonResponse(ret) return render(request, "login.html", {"form_obj": form_obj})
修改密碼視圖
def change_password(request): user = request.user ret = {"code": 0} form_obj = forms.change_password() if request.method == "POST": old_password = request.POST.get("old_password") new_password = request.POST.get("new_password") re_password = request.POST.get("re_password") # 檢查舊密碼是否正確 if user.check_password(old_password): if not new_password: ret["data"] = "密碼不能爲空" ret["code"] = 1 elif new_password != re_password: ret["data"] = "兩次輸入的密碼不一致" ret["code"] = 1 else: user.set_password(new_password) user.save() ret["data"] = "/bbs/login/" else: ret["data"] = "原密碼輸入錯誤" ret["code"] = 1 return JsonResponse(ret) return render(request, "change_password.html", {"form_obj": form_obj}, )
相關文章
- 1. Django框架詳細介紹---中間件(認證)
- 2. Django框架詳細介紹---模板系統
- 3. Django框架詳細介紹---Form表單
- 4. Amaple.js框架詳細介紹
- 5. Django詳細介紹
- 6. Django框架介紹
- 7. django框架介紹
- 8. Django 框架介紹
- 9. Django 框架 - Django介紹
- 10. Django認證系統
- 更多相關文章...
- • SSH框架(Struts2+Spring+Hibernate)搭建整合詳細步驟 - Spring教程
- • SSM(Spring+Spring MVC+MyBatis)框架整合搭建詳細步驟 - Spring教程
- • Java Agent入門實戰(一)-Instrumentation介紹與使用
- • Docker容器實戰(七) - 容器眼光下的文件系統
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
- 1. 在windows下的虛擬機中,安裝華爲電腦的deepin操作系統
- 2. 強烈推薦款下載不限速解析神器
- 3. 【區塊鏈技術】孫宇晨:區塊鏈技術帶來金融服務的信任變革
- 4. 搜索引起的鏈接分析-計算網頁的重要性
- 5. TiDB x 微衆銀行 | 耗時降低 58%,分佈式架構助力實現普惠金融
- 6. 《數字孿生體技術白皮書》重磅發佈(附完整版下載)
- 7. 雙十一「避坑」指南:區塊鏈電子合同爲電商交易保駕護航!
- 8. 區塊鏈產業,怎樣「鏈」住未來?
- 9. OpenglRipper使用教程
- 10. springcloud請求一次好用一次不好用zuul Name or service not known
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. Django框架詳細介紹---中間件(認證)
- 2. Django框架詳細介紹---模板系統
- 3. Django框架詳細介紹---Form表單
- 4. Amaple.js框架詳細介紹
- 5. Django詳細介紹
- 6. Django框架介紹
- 7. django框架介紹
- 8. Django 框架介紹
- 9. Django 框架 - Django介紹
- 10. Django認證系統