密码在数据库 Django AbstractUser 中保存为纯文本
Password saved as plain text in database Django AbstractUser
实际上,我正在做一个项目,我必须修改身份验证系统,以便我能够使用电子邮件而不是用户名登录。此外,我必须删除用户名字段,因为它与用例场景无关。我遇到的问题是在用户注册后密码在数据库中保存为纯文本。下面是我的实现
我的views.py
def signup(request):
if request.method == 'POST':
password = request.POST['cr-pwd']
email = request.POST['cr-eml']
phone_number = request.POST['cr-phone']
print(password, email, phone_number)
user = User.objects.create_user(email, password)
# user.username = username
user.password = password
user.email = email
user.phone_number = phone_number
user.save()
messages.success(request, 'Your account has been created successfully')
return render(request, 'index.html')
return render(request, 'index.html')
我的models.py
from django.contrib.auth.models import AbstractUser, BaseUserManager
from django.db import models
from django.utils.translation import gettext_lazy as _
class UserManager(BaseUserManager):
"""Define a model manager for User model with no username field."""
use_in_migrations = True
def _create_user(self, email, password, **extra_fields):
"""Create and save a User with the given email and password."""
if not email:
raise ValueError('The given email must be set')
email = self.normalize_email(email)
user = self.model(email=email, **extra_fields)
user.set_password(password)
user.save(using=self._db)
return user
def create_user(self, email, password=None, **extra_fields):
"""Create and save a regular User with the given email and password."""
extra_fields.setdefault('is_staff', False)
extra_fields.setdefault('is_superuser', False)
return self._create_user(email, password, **extra_fields)
def create_superuser(self, email, password, **extra_fields):
"""Create and save a SuperUser with the given email and password."""
extra_fields.setdefault('is_staff', True)
extra_fields.setdefault('is_superuser', True)
if extra_fields.get('is_staff') is not True:
raise ValueError('Superuser must have is_staff=True.')
if extra_fields.get('is_superuser') is not True:
raise ValueError('Superuser must have is_superuser=True.')
return self._create_user(email, password, **extra_fields)
class CustomUser(AbstractUser):
#Email as auth removing username
username = None
email = models.EmailField(('email address'), unique=True)
USERNAME_FIELD = 'email'
REQUIRED_FIELDS = []
#Adding extra fields
is_student = models.BooleanField(default=False)
is_teacher = models.BooleanField(default=False)
phone_number = models.CharField(max_length=200, blank=True)
objects = UserManager()
class Meta:
model = CustomUser
fields = ("email", "password")
在 _create_user 方法 models.py 中,您正在保存 散列密码正确
但是在 views.py 中的 signup 方法中,您正在使用纯文本重新分配密码值,因此只需删除该行即可。
views.py
def signup(request):
if request.method == 'POST':
password = request.POST['cr-pwd']
email = request.POST['cr-eml']
phone_number = request.POST['cr-phone']
print(password, email, phone_number)
user = User.objects.create_user(email, password)
# user.username = username
user.email = email
user.phone_number = phone_number
user.save()
messages.success(request, 'Your account has been created successfully')
return render(request, 'index.html')
return render(request, 'index.html')
实际上,我正在做一个项目,我必须修改身份验证系统,以便我能够使用电子邮件而不是用户名登录。此外,我必须删除用户名字段,因为它与用例场景无关。我遇到的问题是在用户注册后密码在数据库中保存为纯文本。下面是我的实现
我的views.py
def signup(request):
if request.method == 'POST':
password = request.POST['cr-pwd']
email = request.POST['cr-eml']
phone_number = request.POST['cr-phone']
print(password, email, phone_number)
user = User.objects.create_user(email, password)
# user.username = username
user.password = password
user.email = email
user.phone_number = phone_number
user.save()
messages.success(request, 'Your account has been created successfully')
return render(request, 'index.html')
return render(request, 'index.html')
我的models.py
from django.contrib.auth.models import AbstractUser, BaseUserManager
from django.db import models
from django.utils.translation import gettext_lazy as _
class UserManager(BaseUserManager):
"""Define a model manager for User model with no username field."""
use_in_migrations = True
def _create_user(self, email, password, **extra_fields):
"""Create and save a User with the given email and password."""
if not email:
raise ValueError('The given email must be set')
email = self.normalize_email(email)
user = self.model(email=email, **extra_fields)
user.set_password(password)
user.save(using=self._db)
return user
def create_user(self, email, password=None, **extra_fields):
"""Create and save a regular User with the given email and password."""
extra_fields.setdefault('is_staff', False)
extra_fields.setdefault('is_superuser', False)
return self._create_user(email, password, **extra_fields)
def create_superuser(self, email, password, **extra_fields):
"""Create and save a SuperUser with the given email and password."""
extra_fields.setdefault('is_staff', True)
extra_fields.setdefault('is_superuser', True)
if extra_fields.get('is_staff') is not True:
raise ValueError('Superuser must have is_staff=True.')
if extra_fields.get('is_superuser') is not True:
raise ValueError('Superuser must have is_superuser=True.')
return self._create_user(email, password, **extra_fields)
class CustomUser(AbstractUser):
#Email as auth removing username
username = None
email = models.EmailField(('email address'), unique=True)
USERNAME_FIELD = 'email'
REQUIRED_FIELDS = []
#Adding extra fields
is_student = models.BooleanField(default=False)
is_teacher = models.BooleanField(default=False)
phone_number = models.CharField(max_length=200, blank=True)
objects = UserManager()
class Meta:
model = CustomUser
fields = ("email", "password")
在 _create_user 方法 models.py 中,您正在保存 散列密码正确 但是在 views.py 中的 signup 方法中,您正在使用纯文本重新分配密码值,因此只需删除该行即可。
views.py
def signup(request):
if request.method == 'POST':
password = request.POST['cr-pwd']
email = request.POST['cr-eml']
phone_number = request.POST['cr-phone']
print(password, email, phone_number)
user = User.objects.create_user(email, password)
# user.username = username
user.email = email
user.phone_number = phone_number
user.save()
messages.success(request, 'Your account has been created successfully')
return render(request, 'index.html')
return render(request, 'index.html')