为什么在 Django 中使用自定义用户模型时我的密码不安全?
Why isn't my password being secured when using a custom user model in Django?
我正在尝试在 Django 中构建自定义用户模型。我的 models.py 看起来像这样:
class UserManager(BaseUserManager):
def _create_user(self, username, email, password, is_staff, is_superuser, **extra_fields):
now = timezone.now()
if not username:
raise ValueError(_('The given username must be set'))
if not email:
raise ValueError(_('The given email must be set'))
email = self.normalize_email(email)
user = self.model(
username=username, email=email,
is_staff=is_staff, is_active=False,
is_superuser=is_superuser, last_login=now,
date_joined=now, **extra_fields
)
user.set_password(password)
user.save(using=self._db)
return user
def create_user(self, username, email, password=None, **extra_fields):
return self._create_user(username, email, password, False, False, **extra_fields)
def create_superuser(self, username, email, password, **extra_fields):
user=self._create_user(username, email, password, True, True, **extra_fields)
user.is_active=True
user.save(using=self._db)
return user
class User(AbstractBaseUser, PermissionsMixin):
# Standard fields
username = models.CharField(_('username'), max_length=30, unique=True,
help_text=_('Required. 30 characters or fewer. Letters, numbers and @/./+/-/_ characters'),
validators=[
validators.RegexValidator(re.compile('^[\w.@+-]+$'), _('Enter a valid username.'), _('invalid'))
])
first_name = models.CharField(_('first name'), max_length=30, blank=True, null=True)
last_name = models.CharField(_('last name'), max_length=30, blank=True, null=True)
email = models.EmailField(_('email address'), max_length=255)
is_staff = models.BooleanField(_('staff status'), default=False,
help_text=_('Designates whether the user can log into this admin site.'))
is_active = models.BooleanField(_('active'), default=True,
help_text=_('Designates whether this user should be treated as active. Unselect this instead of deleting accounts.'))
date_joined = models.DateTimeField(_('date joined'), default=timezone.now)
# Custom fields
is_publisher = models.BooleanField(_('publisher status'), default=False)
# User manager
objects = UserManager()
USERNAME_FIELD = 'username'
REQUIRED_FIELDS = ['email']
class Meta:
verbose_name = _('user')
verbose_name_plural = _('users')
def get_full_name(self):
full_name = '%s %s' % (self.first_name, self.last_name)
return full_name.strip()
def get_short_name(self):
return self.first_name
def email_user(self, subject, message, from_email=None):
send_mail(subject, message, from_email, [self.email])
无论如何,如果我使用 createsuperuser 命令创建超级用户,一切正常:用户已创建,密码已正确散列并得到保护。但是,如果我从管理面板创建用户,则创建的用户的 his/her 密码完全暴露。确认密码字段也没有显示,它在 Django 中使用的常规用户模型中显示。我怎么解决这个问题?
此外,是的,我的 settings.py.
中确实有 AUTH_USER_MODEL = 'myapp.User'
您需要自定义 ModelForm 和 ModelAdmin 来创建/更新用户模型项。
def home(request):
if request.method == 'POST':
uf = UserForm(request.POST, prefix='user')
upf = UserProfileForm(request.POST, prefix='userprofile')
if uf.is_valid() * upf.is_valid():
userform = uf.save(commit=False)
userform.password = make_password(uf.cleaned_data['password'])
userform.save()
messages.success(request,
'successful Registration',
extra_tags='safe')
else:
uf = UserForm(prefix='user')
return render_to_response('base.html',
dict(userform=uf
),
context_instance=RequestContext(request))
在您的 views.py 中尝试使用它并在 forms.py 中尝试从 django 表单获取密码。希望这有效
没有自定义代码的表单,直接访问 password 字段,直接写在密码字段上。 不会调用 createuser 或 createsuperuser,因此永远不会调用 set_password(默认情况下,ModelForm 在调用 save 时会在模型中调用 save在里面)。回想一下,写入用户密码 并不会写入安全密码 (这就是为什么 createuser 和 createsuperuser 在某处调用 set_password 的原因)。为此,请避免直接在该字段上书写,而是调用:
myuserinstance.set_password('new pwd')
# not this:
# myuserinstance.password = 'new pwd'
因此您必须在自定义表单中使用自定义逻辑。 See the implementation for details; you will notice those forms have custom logic calling set_password and check_password。顺便说一句,Django 中的默认 UserAdmin 通过两个步骤创建用户:user/password/password_confirm(这样的密码创建),然后是整个用户数据。有一个非常自定义的实现。
我正在尝试在 Django 中构建自定义用户模型。我的 models.py 看起来像这样:
class UserManager(BaseUserManager):
def _create_user(self, username, email, password, is_staff, is_superuser, **extra_fields):
now = timezone.now()
if not username:
raise ValueError(_('The given username must be set'))
if not email:
raise ValueError(_('The given email must be set'))
email = self.normalize_email(email)
user = self.model(
username=username, email=email,
is_staff=is_staff, is_active=False,
is_superuser=is_superuser, last_login=now,
date_joined=now, **extra_fields
)
user.set_password(password)
user.save(using=self._db)
return user
def create_user(self, username, email, password=None, **extra_fields):
return self._create_user(username, email, password, False, False, **extra_fields)
def create_superuser(self, username, email, password, **extra_fields):
user=self._create_user(username, email, password, True, True, **extra_fields)
user.is_active=True
user.save(using=self._db)
return user
class User(AbstractBaseUser, PermissionsMixin):
# Standard fields
username = models.CharField(_('username'), max_length=30, unique=True,
help_text=_('Required. 30 characters or fewer. Letters, numbers and @/./+/-/_ characters'),
validators=[
validators.RegexValidator(re.compile('^[\w.@+-]+$'), _('Enter a valid username.'), _('invalid'))
])
first_name = models.CharField(_('first name'), max_length=30, blank=True, null=True)
last_name = models.CharField(_('last name'), max_length=30, blank=True, null=True)
email = models.EmailField(_('email address'), max_length=255)
is_staff = models.BooleanField(_('staff status'), default=False,
help_text=_('Designates whether the user can log into this admin site.'))
is_active = models.BooleanField(_('active'), default=True,
help_text=_('Designates whether this user should be treated as active. Unselect this instead of deleting accounts.'))
date_joined = models.DateTimeField(_('date joined'), default=timezone.now)
# Custom fields
is_publisher = models.BooleanField(_('publisher status'), default=False)
# User manager
objects = UserManager()
USERNAME_FIELD = 'username'
REQUIRED_FIELDS = ['email']
class Meta:
verbose_name = _('user')
verbose_name_plural = _('users')
def get_full_name(self):
full_name = '%s %s' % (self.first_name, self.last_name)
return full_name.strip()
def get_short_name(self):
return self.first_name
def email_user(self, subject, message, from_email=None):
send_mail(subject, message, from_email, [self.email])
无论如何,如果我使用 createsuperuser 命令创建超级用户,一切正常:用户已创建,密码已正确散列并得到保护。但是,如果我从管理面板创建用户,则创建的用户的 his/her 密码完全暴露。确认密码字段也没有显示,它在 Django 中使用的常规用户模型中显示。我怎么解决这个问题?
此外,是的,我的 settings.py.
中确实有 AUTH_USER_MODEL = 'myapp.User'您需要自定义 ModelForm 和 ModelAdmin 来创建/更新用户模型项。
def home(request):
if request.method == 'POST':
uf = UserForm(request.POST, prefix='user')
upf = UserProfileForm(request.POST, prefix='userprofile')
if uf.is_valid() * upf.is_valid():
userform = uf.save(commit=False)
userform.password = make_password(uf.cleaned_data['password'])
userform.save()
messages.success(request,
'successful Registration',
extra_tags='safe')
else:
uf = UserForm(prefix='user')
return render_to_response('base.html',
dict(userform=uf
),
context_instance=RequestContext(request))
在您的 views.py 中尝试使用它并在 forms.py 中尝试从 django 表单获取密码。希望这有效
没有自定义代码的表单,直接访问 password 字段,直接写在密码字段上。 不会调用 createuser 或 createsuperuser,因此永远不会调用 set_password(默认情况下,ModelForm 在调用 save 时会在模型中调用 save在里面)。回想一下,写入用户密码 并不会写入安全密码 (这就是为什么 createuser 和 createsuperuser 在某处调用 set_password 的原因)。为此,请避免直接在该字段上书写,而是调用:
myuserinstance.set_password('new pwd')
# not this:
# myuserinstance.password = 'new pwd'
因此您必须在自定义表单中使用自定义逻辑。 See the implementation for details; you will notice those forms have custom logic calling set_password and check_password。顺便说一句,Django 中的默认 UserAdmin 通过两个步骤创建用户:user/password/password_confirm(这样的密码创建),然后是整个用户数据。有一个非常自定义的实现。