Django 在登录时区分不正确的登录信息和非活动用户
Django differentiate between incorrect login information and inactive user on login
目前我在我的站点中添加了一种注册时通过电子邮件确认的方法。我看到的是,当用户注册时,但还没有点击确认 link 并尝试登录,我无法区分错误的 user/password 和未确认的用户。
这是我的登录函数:
def loginUser(request):
if request.user.is_authenticated:
return redirect("decks:index")
if request.method == "POST":
form = AuthenticationForm(request, data=request.POST)
if form.is_valid():
username = form.cleaned_data.get('username')
password = form.cleaned_data.get('password')
user = authenticate(username=username, password=password)
if user is not None and user.is_active:
login(request, user)
return redirect("myApp:portal")
elif user is not None:
messages.error(request, "Email is not confirmed.")
else:
messages.error(request, "Invalid username or password.")
else:
messages.error(request, "Invalid username or password.")
form = AuthenticationForm()
return render(request, "myApp/login.html", context = {'login_form': form})
问题是,当 运行 form.is_valid() 执行 /home/nowork/.local/lib/python3.8/site-packages/django/contrib/auth ModelBackend 中的 authenticate 函数时:
def authenticate(self, request, username=None, password=None, **kwargs):
if username is None:
username = kwargs.get(UserModel.USERNAME_FIELD)
if username is None or password is None:
return
try:
user = UserModel._default_manager.get_by_natural_key(username)
except UserModel.DoesNotExist:
# Run the default password hasher once to reduce the timing
# difference between an existing and a nonexistent user (#20760).
UserModel().set_password(password)
else:
if user.check_password(password) and self.user_can_authenticate(user):
return user
因此当 is_active 标志为 False 时,form.is_valid() 永远不会为真。所以我无法判断是用户+密码的组合不正确还是用户尚未确认。
我不确定这样做的正确方法是什么,我想做类似的事情:
User.objects.get(username=request.POST['username'])
用户能否以某种方式利用它?有没有更好的方法来完成这个?
使用 python3 和 Django 4.0
您可以将自己的CustomLoginBackend设为
from django.contrib.auth import get_user_model
class CustomLoginBackend(object):
def authenticate(self, request, username, password):
User = get_user_model()
try:
user = User.objects.using(db_name).get(username=username)
except User.DoesNotExist:
return None
else:
if user.check_password(password):
return user
return None
然后在你的 views.py
def loginUser(request):
if request.user.is_authenticated:
return redirect("decks:index")
if request.method == "POST":
form = AuthenticationForm(request, data=request.POST)
if form.is_valid():
username = form.cleaned_data.get('username')
password = form.cleaned_data.get('password')
user = authenticate(username=username, password=password)
if user is not None:
if user.is_active == True:
login(request, user)
return redirect("myApp:portal")
else:
messages.error(request, "Email is not confirmed.")
else:
messages.error(request, "Invalid username or password.")
else:
messages.error(request, "Invalid username or password.")
form = AuthenticationForm()
return render(request, "myApp/login.html", context = {'login_form': form})
最后别忘了在 settings.py 中添加 AUTHENTICATION_BACKENDS 作为
AUTHENTICATION_BACKENDS = ['path_to_your.CustomLoginBackend ',]
目前我在我的站点中添加了一种注册时通过电子邮件确认的方法。我看到的是,当用户注册时,但还没有点击确认 link 并尝试登录,我无法区分错误的 user/password 和未确认的用户。
这是我的登录函数:
def loginUser(request):
if request.user.is_authenticated:
return redirect("decks:index")
if request.method == "POST":
form = AuthenticationForm(request, data=request.POST)
if form.is_valid():
username = form.cleaned_data.get('username')
password = form.cleaned_data.get('password')
user = authenticate(username=username, password=password)
if user is not None and user.is_active:
login(request, user)
return redirect("myApp:portal")
elif user is not None:
messages.error(request, "Email is not confirmed.")
else:
messages.error(request, "Invalid username or password.")
else:
messages.error(request, "Invalid username or password.")
form = AuthenticationForm()
return render(request, "myApp/login.html", context = {'login_form': form})
问题是,当 运行 form.is_valid() 执行 /home/nowork/.local/lib/python3.8/site-packages/django/contrib/auth ModelBackend 中的 authenticate 函数时:
def authenticate(self, request, username=None, password=None, **kwargs):
if username is None:
username = kwargs.get(UserModel.USERNAME_FIELD)
if username is None or password is None:
return
try:
user = UserModel._default_manager.get_by_natural_key(username)
except UserModel.DoesNotExist:
# Run the default password hasher once to reduce the timing
# difference between an existing and a nonexistent user (#20760).
UserModel().set_password(password)
else:
if user.check_password(password) and self.user_can_authenticate(user):
return user
因此当 is_active 标志为 False 时,form.is_valid() 永远不会为真。所以我无法判断是用户+密码的组合不正确还是用户尚未确认。
我不确定这样做的正确方法是什么,我想做类似的事情:
User.objects.get(username=request.POST['username'])
用户能否以某种方式利用它?有没有更好的方法来完成这个?
使用 python3 和 Django 4.0
您可以将自己的CustomLoginBackend设为
from django.contrib.auth import get_user_model
class CustomLoginBackend(object):
def authenticate(self, request, username, password):
User = get_user_model()
try:
user = User.objects.using(db_name).get(username=username)
except User.DoesNotExist:
return None
else:
if user.check_password(password):
return user
return None
然后在你的 views.py
def loginUser(request):
if request.user.is_authenticated:
return redirect("decks:index")
if request.method == "POST":
form = AuthenticationForm(request, data=request.POST)
if form.is_valid():
username = form.cleaned_data.get('username')
password = form.cleaned_data.get('password')
user = authenticate(username=username, password=password)
if user is not None:
if user.is_active == True:
login(request, user)
return redirect("myApp:portal")
else:
messages.error(request, "Email is not confirmed.")
else:
messages.error(request, "Invalid username or password.")
else:
messages.error(request, "Invalid username or password.")
form = AuthenticationForm()
return render(request, "myApp/login.html", context = {'login_form': form})
最后别忘了在 settings.py 中添加 AUTHENTICATION_BACKENDS 作为
AUTHENTICATION_BACKENDS = ['path_to_your.CustomLoginBackend ',]