94
100
.. attribute:: models.User.is_active
96
102
Boolean. Designates whether this user account should be considered
97
active. Set this flag to ``False`` instead of deleting accounts.
103
active. We recommend that you set this flag to ``False`` instead of
104
deleting accounts; that way, if your applications have any foreign keys
105
to users, the foreign keys won't break.
99
This doesn't control whether or not the user can log in. Nothing in the
100
authentication path checks the ``is_active`` flag, so if you want to
101
reject a login based on ``is_active`` being ``False``, it is up to you
102
to check that in your own login view. However, permission checking
103
using the methods like :meth:`~models.User.has_perm` does check this
104
flag and will always return ``False`` for inactive users.
107
This doesn't necessarily control whether or not the user can log in.
108
Authentication backends aren't required to check for the ``is_active``
109
flag, so if you want to reject a login based on ``is_active`` being
110
``False``, it's up to you to check that in your own login view.
111
However, the :class:`~django.contrib.auth.forms.AuthenticationForm`
112
used by the :func:`~django.contrib.auth.views.login` view *does*
113
perform this check, as do the permission-checking methods such as
114
:meth:`~models.User.has_perm` and the authentication in the Django
115
admin. All of those functions/methods will return ``False`` for
106
118
.. attribute:: models.User.is_superuser
199
211
:meth:`~django.contrib.auth.models.User.set_unusable_password()` has
200
212
been called for this user.
202
.. method:: models.User.get_group_permissions()
214
.. method:: models.User.get_group_permissions(obj=None)
204
216
Returns a list of permission strings that the user has, through his/her
207
.. method:: models.User.get_all_permissions()
219
.. versionadded:: 1.2
221
If ``obj`` is passed in, only returns the group permissions for
222
this specific object.
224
.. method:: models.User.get_all_permissions(obj=None)
209
226
Returns a list of permission strings that the user has, both through
210
227
group and user permissions.
212
.. method:: models.User.has_perm(perm)
229
.. versionadded:: 1.2
231
If ``obj`` is passed in, only returns the permissions for this
234
.. method:: models.User.has_perm(perm, obj=None)
214
236
Returns ``True`` if the user has the specified permission, where perm is
215
in the format ``"<app label>.<permission codename>"``.
216
If the user is inactive, this method will always return ``False``.
218
.. method:: models.User.has_perms(perm_list)
237
in the format ``"<app label>.<permission codename>"``. (see
238
`permissions`_ section below). If the user is inactive, this method will
239
always return ``False``.
241
.. versionadded:: 1.2
243
If ``obj`` is passed in, this method won't check for a permission for
244
the model, but for this specific object.
246
.. method:: models.User.has_perms(perm_list, obj=None)
220
248
Returns ``True`` if the user has each of the specified permissions,
221
where each perm is in the format
249
where each perm is in the format
222
250
``"<app label>.<permission codename>"``. If the user is inactive,
223
251
this method will always return ``False``.
253
.. versionadded:: 1.2
255
If ``obj`` is passed in, this method won't check for permissions for
256
the model, but for the specific object.
225
258
.. method:: models.User.has_module_perms(package_name)
227
260
Returns ``True`` if the user has any permissions in the given package
260
293
.. method:: models.UserManager.create_user(username, email, password=None)
262
295
Creates, saves and returns a :class:`~django.contrib.auth.models.User`.
263
The :attr:`~django.contrib.auth.models.User.username`,
264
:attr:`~django.contrib.auth.models.User.email` and
265
:attr:`~django.contrib.auth.models.User.password` are set as given, and
266
the :class:`~django.contrib.auth.models.User` gets ``is_active=True``.
297
The :attr:`~django.contrib.auth.models.User.username` and
298
:attr:`~django.contrib.auth.models.User.password` are set as given. The
299
domain portion of :attr:`~django.contrib.auth.models.User.email` is
300
automatically convered to lowercase, and the returned
301
:class:`~django.contrib.auth.models.User` object will have
302
:attr:`~models.User.is_active` set to ``True``.
268
304
If no password is provided,
269
305
:meth:`~django.contrib.auth.models.User.set_unusable_password()` will
321
357
Changing passwords
322
358
~~~~~~~~~~~~~~~~~~
324
Change a password with :meth:`~django.contrib.auth.models.User.set_password()`:
360
.. versionadded:: 1.2
361
The ``manage.py changepassword`` command was added.
363
:djadmin:`manage.py changepassword <username>` offers a method of
364
changing a User's password from the command line. It prompts you to
365
change the password of a given user which you must enter twice. If
366
they both match, the new password will be changed immediately. If you
367
do not supply a user, the command will attempt to change the password
368
whose username matches the current user.
370
You can also change a password programmatically, using
371
:meth:`~django.contrib.auth.models.User.set_password()`:
326
373
.. code-block:: python
439
486
provides a method to specify a site-specific related model -- termed a "user
440
487
profile" -- for this purpose.
442
To make use of this feature, define a model with fields for the additional
443
information you'd like to store, or additional methods you'd like to have
444
available, and also add a :class:`~django.db.models.Field.ForeignKey` from your
445
model to the :class:`~django.contrib.auth.models.User` model, specified with
446
``unique=True`` to ensure only one instance of your model can be created for
447
each :class:`~django.contrib.auth.models.User`.
489
To make use of this feature, define a model with fields for the
490
additional information you'd like to store, or additional methods
491
you'd like to have available, and also add a
492
:class:`~django.db.models.Field.OneToOneField` from your model to the
493
:class:`~django.contrib.auth.models.User` model. This will ensure only
494
one instance of your model can be created for each
495
:class:`~django.contrib.auth.models.User`.
449
497
To indicate that this model is the user profile model for a given site, fill in
450
498
the setting :setting:`AUTH_PROFILE_MODULE` with a string consisting of the
656
704
from django.contrib.auth.decorators import login_required
658
def my_view(request):
660
my_view = login_required(my_view)
662
Here's an equivalent example, using the more compact decorator syntax
663
introduced in Python 2.4::
665
from django.contrib.auth.decorators import login_required
668
707
def my_view(request):
671
710
:func:`~django.contrib.auth.decorators.login_required` also takes an
672
711
optional ``redirect_field_name`` parameter. Example::
674
from django.contrib.auth.decorators import login_required
676
def my_view(request):
678
my_view = login_required(redirect_field_name='redirect_to')(my_view)
680
Again, an equivalent example of the more compact decorator syntax
681
introduced in Python 2.4::
683
714
from django.contrib.auth.decorators import login_required
685
716
@login_required(redirect_field_name='redirect_to')
686
717
def my_view(request):
689
720
:func:`~django.contrib.auth.decorators.login_required` does the following:
706
737
(r'^accounts/login/$', 'django.contrib.auth.views.login'),
708
.. function:: views.login(request, [template_name, redirect_field_name])
739
.. function:: views.login(request, [template_name, redirect_field_name, authentication_form])
710
741
Here's what ``django.contrib.auth.views.login`` does:
819
.. versionadded:: 1.2
821
If you are using alternate authentication (see
822
:ref:`authentication-backends`) you can pass a custom authentication form
823
to the login view via the ``authentication_form`` parameter. This form must
824
accept a ``request`` keyword argument in its ``__init__`` method, and
825
provide a ``get_user`` method which returns the authenticated user object
826
(this method is only ever called after successful form validation).
788
828
.. _forms documentation: ../forms/
789
829
.. _site framework docs: ../sites/
824
864
* ``login_url``: The URL of the login page to redirect to. This will
825
865
default to :setting:`settings.LOGIN_URL <LOGIN_URL>` if not supplied.
827
.. function:: views.password_change(request[, template_name, post_change_redirect])
867
.. function:: views.password_change(request[, template_name, post_change_redirect, password_change_form])
829
869
Allows a user to change their password.
1002
1049
from django.contrib.auth.decorators import user_passes_test
1051
@user_passes_test(lambda u: u.has_perm('polls.can_vote'))
1004
1052
def my_view(request):
1006
my_view = user_passes_test(lambda u: u.has_perm('polls.can_vote'))(my_view)
1008
1055
We're using this particular test as a relatively simple example. However,
1009
1056
if you just want to test whether a permission is available to a user, you
1010
1057
can use the :func:`~django.contrib.auth.decorators.permission_required()`
1011
1058
decorator, described later in this document.
1013
Here's the same thing, using Python 2.4's decorator syntax::
1015
from django.contrib.auth.decorators import user_passes_test
1017
@user_passes_test(lambda u: u.has_perm('polls.can_vote'))
1018
def my_view(request):
1021
1060
:func:`~django.contrib.auth.decorators.user_passes_test` takes a required
1022
1061
argument: a callable that takes a
1023
1062
:class:`~django.contrib.auth.models.User` object and returns ``True`` if
1030
1069
optional ``login_url`` argument, which lets you specify the URL for your
1031
1070
login page (:setting:`settings.LOGIN_URL <LOGIN_URL>` by default).
1033
Example in Python 2.3 syntax::
1035
from django.contrib.auth.decorators import user_passes_test
1037
def my_view(request):
1039
my_view = user_passes_test(lambda u: u.has_perm('polls.can_vote'), login_url='/login/')(my_view)
1041
Example in Python 2.4 syntax::
1043
1074
from django.contrib.auth.decorators import user_passes_test
1045
1076
@user_passes_test(lambda u: u.has_perm('polls.can_vote'), login_url='/login/')
1046
1077
def my_view(request):
1049
1080
The permission_required decorator
1050
1081
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1133
1166
permissions for new models each time you run :djadmin:`manage.py syncdb
1169
Assuming you have an application with an
1170
:attr:`~django.db.models.Options.app_label` ``foo`` and a model named ``Bar``,
1171
to test for basic permissions you should use:
1173
* add: ``user.has_perm('foo.add_bar')``
1174
* change: ``user.has_perm('foo.change_bar')``
1175
* delete: ``user.has_perm('foo.delete_bar')``
1136
1177
.. _custom-permissions:
1138
1179
Custom permissions
1202
1243
Technically, these variables are only made available in the template context
1203
1244
if you use :class:`~django.template.context.RequestContext` *and* your
1204
1245
:setting:`TEMPLATE_CONTEXT_PROCESSORS` setting contains
1205
``"django.core.context_processors.auth"``, which is default. For more, see
1206
the :ref:`RequestContext docs <subclassing-context-requestcontext>`.
1246
``"django.contrib.auth.context_processors.auth"``, which is default. For
1247
more, see the :ref:`RequestContext docs <subclassing-context-requestcontext>`.
1329
Note that :class:`~django.template.context.RequestContext` calls
1330
:meth:`~django.contrib.auth.models.User.get_and_delete_messages` behind the
1331
scenes, so any messages will be deleted even if you don't display them.
1375
.. versionchanged:: 1.2
1376
The ``messages`` template variable uses a backwards compatible method in the
1377
:ref:`messages framework <ref-contrib-messages>` to retrieve messages from
1378
both the user ``Message`` model and from the new framework. Unlike in
1379
previous revisions, the messages will not be erased unless they are actually
1333
1382
Finally, note that this messages framework only works with users in the user
1334
1383
database. To send messages to anonymous users, use the
1335
:ref:`session framework <topics-http-sessions>`.
1384
:ref:`messages framework <ref-contrib-messages>`.
1337
1386
.. _authentication-backends:
1502
1551
the ``auth_permission`` table most of the time.
1504
1553
.. _django/contrib/auth/backends.py: http://code.djangoproject.com/browser/django/trunk/django/contrib/auth/backends.py
1555
Authorization for anonymous users
1556
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1558
.. versionchanged:: 1.2
1560
An anonymous user is one that is not authenticated i.e. they have provided no
1561
valid authentication details. However, that does not necessarily mean they are
1562
not authorized to do anything. At the most basic level, most Web sites
1563
authorize anonymous users to browse most of the site, and many allow anonymous
1564
posting of comments etc.
1566
Django's permission framework does not have a place to store permissions for
1567
anonymous users. However, it has a foundation that allows custom authentication
1568
backends to specify authorization for anonymous users. This is especially useful
1569
for the authors of re-usable apps, who can delegate all questions of authorization
1570
to the auth backend, rather than needing settings, for example, to control
1573
To enable this in your own backend, you must set the class attribute
1574
``supports_anonymous_user`` to ``True``. (This precaution is to maintain
1575
compatibility with backends that assume that all user objects are actual
1576
instances of the :class:`django.contrib.auth.models.User` class). With this
1577
in place, :class:`django.contrib.auth.models.AnonymousUser` will delegate all
1578
the relevant permission methods to the authentication backends.
1580
A nonexistent ``supports_anonymous_user`` attribute will raise a hidden
1581
``PendingDeprecationWarning`` if used in Django 1.2. In Django 1.3, this
1582
warning will be upgraded to a ``DeprecationWarning``, which will be displayed
1583
loudly. Additionally ``supports_anonymous_user`` will be set to ``False``.
1584
Django 1.4 will assume that every backend supports anonymous users being
1585
passed to the authorization methods.
1587
Handling object permissions
1588
---------------------------
1590
Django's permission framework has a foundation for object permissions, though
1591
there is no implementation for it in the core. That means that checking for
1592
object permissions will always return ``False`` or an empty list (depending on
1593
the check performed).
1595
To enable object permissions in your own
1596
:ref:`authentication backend <ref-authentication-backends>` you'll just have
1597
to allow passing an ``obj`` parameter to the permission methods and set the
1598
``supports_object_permissions`` class attribute to ``True``.
1600
A nonexistent ``supports_object_permissions`` will raise a hidden
1601
``PendingDeprecationWarning`` if used in Django 1.2. In Django 1.3, this
1602
warning will be upgraded to a ``DeprecationWarning``, which will be displayed
1603
loudly. Additionally ``supports_object_permissions`` will be set to ``False``.
1604
Django 1.4 will assume that every backend supports object permissions and
1605
won't check for the existence of ``supports_object_permissions``, which
1606
means not supporting ``obj`` as a parameter will raise a ``TypeError``.