Django认证系统
一、今日学习内容概述
| 学习模块 | 重要程度 | 预计学时 | 主要内容 |
| --- | --- | --- | --- |
| 用户认证基础 | ⭐⭐⭐⭐⭐ | 1.5小时 | User模型、认证机制 |
| 用户权限管理 | ⭐⭐⭐⭐⭐ | 1.5小时 | 权限系统、权限控制 |
| 用户组管理 | ⭐⭐⭐⭐ | 1小时 | 组的创建和管理 |
| 自定义认证 | ⭐⭐⭐⭐ | 2小时 | 自定义用户模型、认证后端 |

二、用户认证基础实现
2.1 创建自定义用户模子
- # accounts/models.py
- from django.contrib.auth.models import AbstractUser
- from django.db import models
class CustomUser(AbstractUser):
    # Project user model (referenced by AUTH_USER_MODEL in settings.py): the
    # stock AbstractUser fields plus phone, avatar and bio. Neither the
    # inherited email field nor phone is declared unique, so a lookup by
    # either value can match more than one row.
    phone = models.CharField('手机号', max_length=11, blank=True)  # 11 chars; presumably a mainland mobile number — TODO confirm
    avatar = models.ImageField('头像', upload_to='avatars/', null=True, blank=True)
    bio = models.TextField('个人简介', max_length=500, blank=True)

    class Meta:
        verbose_name = '用户'
        verbose_name_plural = verbose_name

    def __str__(self):
        """Display an account by its username."""
        return self.username
2.2 配置认证设置
- # settings.py
AUTH_USER_MODEL = 'accounts.CustomUser'  # must be in place before the first migration; swapping it later is costly
# Authentication-related settings
LOGIN_URL = '/accounts/login/'  # where @login_required sends anonymous visitors
LOGIN_REDIRECT_URL = '/'  # default target after login; a validated ?next= takes precedence
LOGOUT_REDIRECT_URL = '/accounts/login/'
2.3 实现认证视图
- # accounts/forms.py
- from django import forms
- from django.contrib.auth.forms import UserCreationForm, AuthenticationForm
- from .models import CustomUser
class CustomUserCreationForm(UserCreationForm):
    """Registration form for CustomUser that also collects email and phone.

    password1/password2 are declared on UserCreationForm itself, which is why
    they may be listed in Meta.fields although they are not model fields.
    """

    class Meta(UserCreationForm.Meta):
        model = CustomUser
        fields = ('username', 'email', 'phone', 'password1', 'password2')

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        # Bootstrap styling: tag every rendered widget with form-control.
        widget_attrs = [bound.widget.attrs for bound in self.fields.values()]
        for attrs in widget_attrs:
            attrs['class'] = 'form-control'
- # accounts/views.py
- from django.shortcuts import render, redirect
- from django.contrib.auth import login, logout
- from django.contrib.auth.decorators import login_required
- from django.contrib import messages
- from .forms import CustomUserCreationForm
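def register(request):
    """Show the registration form; on a valid POST create the user and log them in.

    Args:
        request: the current HttpRequest.

    Returns:
        A redirect to 'home' after a successful registration, otherwise the
        rendered form (re-rendered with errors when validation fails).
    """
    if request.method == 'POST':
        form = CustomUserCreationForm(request.POST)
        if form.is_valid():
            user = form.save()
            # settings.py lists two AUTHENTICATION_BACKENDS and a freshly saved
            # user carries no ``backend`` attribute, so login() must be told
            # which backend to record on the session or it raises ValueError.
            login(request, user, backend='django.contrib.auth.backends.ModelBackend')
            return redirect('home')
    else:
        form = CustomUserCreationForm()
    return render(request, 'accounts/register.html', {'form': form})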
@login_required
def profile(request):
    """Render the signed-in user's profile page; anonymous visitors go to LOGIN_URL."""
    template_name = 'accounts/profile.html'
    return render(request, template_name)
2.4 创建认证模板
- <!-- templates/accounts/login.html -->
{% extends 'base.html' %}
{% block content %}
{# Login form posting back to its own URL; the csrf_token tag is what lets the POST through CsrfViewMiddleware. #}
<div class="row justify-content-center">
  <div class="col-md-6">
    <div class="card">
      <div class="card-body">
        <h2 class="card-title text-center">用户登录</h2>
        <form method="post">
          {% csrf_token %}
          {{ form.as_p }}
          <button type="submit" class="btn btn-primary w-100">登录</button>
        </form>
        <p class="text-center mt-3">
          还没有账号?<a href="{% url 'register' %}">立即注册</a>
        </p>
      </div>
    </div>
  </div>
</div>
{% endblock %}
三、权限系统实现
3.1 创建自定义权限
- # app/models.py
class Article(models.Model):
    # Article owned by one CustomUser; deleting the author cascades to the
    # articles. NOTE(review): referencing CustomUser directly couples this app
    # to accounts; settings.AUTH_USER_MODEL is the usual indirection for the FK.
    title = models.CharField(max_length=200)
    content = models.TextField()
    author = models.ForeignKey(CustomUser, on_delete=models.CASCADE)

    class Meta:
        # Extra permissions on top of the automatic add/change/delete/view ones;
        # they are checked as 'app.can_publish_article' etc. once migrated.
        permissions = [
            ("can_publish_article", "Can publish article"),
            ("can_edit_others_article", "Can edit others article"),
        ]
3.2 权限装饰器使用
- # app/views.py
- from django.contrib.auth.decorators import permission_required
@permission_required('app.can_publish_article', raise_exception=True)
def publish_article(request):
    """Publish an article (logic not implemented in this excerpt).

    raise_exception=True turns a missing permission into PermissionDenied
    (HTTP 403) instead of a redirect to the login page.
    """
    return None
- # 多个权限检查
@permission_required(['app.can_publish_article', 'app.can_edit_others_article'], raise_exception=True)
def edit_article(request):
    """Edit an article (logic not implemented in this excerpt).

    Given a list, the user must hold every listed permission. NOTE(review):
    the template in 3.3 reverses 'edit_article' with article.id, but this
    view declares no id parameter — confirm against the URL pattern.
    """
    return None
- # 使用用户测试函数
- from django.contrib.auth.decorators import user_passes_test
def email_verified(user):
    """Test callable for user_passes_test.

    Truthy only when the user has an email address on file and is active.
    Only the presence of an address is checked; nothing here proves the
    address was ever confirmed. Mirrors ``a and b``: the falsy email value
    comes back when it is missing, otherwise ``user.is_active``.
    """
    if not user.email:
        return user.email
    return user.is_active
@user_passes_test(email_verified)
def protected_view(request):
    """Only reachable when email_verified(user) is truthy; others go to LOGIN_URL."""
    return None
3.3 在模板中使用权限
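{# perms is the wrapper added by the auth context processor; it resolves to user.has_perm('app.can_publish_article') #}
{% if perms.app.can_publish_article %}
<a href="{% url 'publish_article' %}" class="btn btn-primary">发布文章</a>
{% endif %}
{# Template syntax cannot pass arguments to a method, so user.has_perm('...') fails to parse; use the perms wrapper instead #}
{% if perms.app.can_edit_others_article %}
<a href="{% url 'edit_article' article.id %}" class="btn btn-warning">编辑</a>
{% endif %}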
四、用户组管理
4.1 创建和管理用户组
- # accounts/admin.py
- from django.contrib import admin
- from django.contrib.auth.admin import UserAdmin
- from .models import CustomUser
class CustomUserAdmin(UserAdmin):
    """Admin for CustomUser: the stock UserAdmin plus the extra profile fields."""
    list_display = ('username', 'email', 'phone', 'is_staff', 'is_active')
    list_filter = ('is_staff', 'is_superuser', 'is_active', 'groups')
    # Keep every stock fieldset (including the permissions one) and append ours.
    fieldsets = (*UserAdmin.fieldsets, ('自定义字段', {'fields': ('phone', 'avatar', 'bio')}))
-
# Register the user model with the customised admin instead of the default ModelAdmin.
admin.site.register(CustomUser, admin_class=CustomUserAdmin)
- # accounts/views.py
from django.contrib.auth.decorators import user_passes_test
from django.contrib.auth.models import Group, Permission
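@user_passes_test(lambda u: u.is_superuser)
def manage_groups(request):
    """List groups and, on POST, create one with the selected permissions.

    Superuser-only. POST parameters: ``group_name`` (required; Group.name is
    unique) and ``permissions`` (Permission primary keys). Ids that are not
    numeric or do not exist are dropped rather than passed to the database.

    Returns:
        A redirect back to 'manage_groups' after a POST, otherwise the rendered
        group list.
    """
    if request.method == 'POST':
        group_name = request.POST.get('group_name', '').strip()
        if not group_name:
            messages.error(request, '用户组名称不能为空')
            return redirect('manage_groups')

        # get_or_create instead of create: a duplicate name would otherwise
        # raise IntegrityError and surface as a 500.
        group, created = Group.objects.get_or_create(name=group_name)
        if not created:
            messages.error(request, f'用户组 {group_name} 已存在')
            return redirect('manage_groups')

        # Resolve the submitted ids to real Permission rows first; set() with
        # raw strings raises on a non-numeric value and cannot filter out ids
        # that do not exist.
        requested = [pk for pk in request.POST.getlist('permissions') if pk.isdigit()]
        group.permissions.set(Permission.objects.filter(pk__in=requested))

        messages.success(request, f'用户组 {group_name} 创建成功')
        return redirect('manage_groups')

    groups = Group.objects.all()
    return render(request, 'accounts/manage_groups.html', {'groups': groups})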
五、认证流程图
六、自定义认证后端
6.1 创建自定义认证后端
- # accounts/auth_backends.py
- from django.contrib.auth.backends import ModelBackend
- from django.db.models import Q
- from .models import CustomUser
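class EmailOrPhoneBackend(ModelBackend):
    """Accept the username, e-mail address or phone number as the login identifier."""

    def authenticate(self, request, username=None, password=None, **kwargs):
        """Return the matching user when *password* is correct and the account may log in.

        Args:
            request: the current HttpRequest (unused; part of the backend contract).
            username: the identifier typed into the login form, matched against
                ``username``, ``email`` and ``phone``.
            password: the raw password to verify.

        Returns:
            The CustomUser on success, otherwise None.
        """
        # An empty identifier would match every user with a blank phone.
        if not username or password is None:
            return None
        try:
            user = CustomUser.objects.get(
                Q(username=username) | Q(email=username) | Q(phone=username)
            )
        except CustomUser.DoesNotExist:
            # Same mitigation as ModelBackend: run a password hash so an unknown
            # identifier takes about as long as a wrong password.
            CustomUser().set_password(password)
            return None
        except CustomUser.MultipleObjectsReturned:
            # email and phone are not unique on CustomUser; an ambiguous
            # identifier fails closed instead of logging in an arbitrary match.
            return None
        # user_can_authenticate() is what ModelBackend uses to reject inactive
        # accounts; the original override skipped it.
        if user.check_password(password) and self.user_can_authenticate(user):
            return user
        return None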
6.2 配置认证后端
- # settings.py
AUTHENTICATION_BACKENDS = [
    # Consulted in order by authenticate(); the first backend that returns a
    # user wins and is recorded on the session for that login.
    'accounts.auth_backends.EmailOrPhoneBackend',
    # Stock username/password backend kept as the fallback.
    'django.contrib.auth.backends.ModelBackend',
]
七、实用工具函数
- # accounts/utils.py
- from django.contrib.auth import get_user_model
- from django.contrib.auth.tokens import default_token_generator
- from django.core.mail import send_mail
- from django.template.loader import render_to_string
- from django.utils.encoding import force_bytes
- from django.utils.http import urlsafe_base64_encode
User = get_user_model()  # resolves AUTH_USER_MODEL ('accounts.CustomUser' per settings.py)
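def send_verification_email(user, request):
    """Email *user* a link for confirming their address.

    Args:
        user: the account to verify; nothing is sent when it has no email.
        request: used only to build an absolute URL, so the link's host comes
            from the request (validated against ALLOWED_HOSTS).

    Returns:
        The number of messages sent (0 or 1), as reported by send_mail.

    The token is made by default_token_generator, which ties it to the user's
    password hash and last_login and expires it after PASSWORD_RESET_TIMEOUT;
    the verify view must validate it with check_token() before marking the
    address confirmed.
    """
    if not user.email:
        # send_mail silently drops an empty recipient; make the no-op explicit.
        return 0

    token = default_token_generator.make_token(user)
    uid = urlsafe_base64_encode(force_bytes(user.pk))
    verification_url = request.build_absolute_uri(f'/accounts/verify/{uid}/{token}/')

    context = {'user': user, 'verification_url': verification_url}
    message = render_to_string('accounts/email/verification.html', context)

    # The rendered HTML also serves as the text/plain part, so clients that
    # cannot display HTML see the raw markup.
    return send_mail(
        '验证您的邮箱',
        message,
        'noreply@example.com',  # placeholder sender; DEFAULT_FROM_EMAIL is the usual source
        [user.email],
        html_message=message,
    )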
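def get_user_permissions(user):
    """Return the set of permission codenames *user* holds, directly or through groups.

    Delegates to ``user.get_all_permissions()``, which asks every configured
    backend: ModelBackend reports every permission for an active superuser and
    none for an inactive user, so no separate superuser branch is needed (the
    previous query against ``auth.permission__codename`` was not a valid
    lookup and could not run).

    Returns:
        set[str] of codenames without the app label, e.g. 'can_publish_article'.
        Identical codenames from different apps collapse into one entry; keep
        the 'app_label.codename' strings from get_all_permissions() if that
        distinction matters to the caller.
    """
    return {perm.partition('.')[2] for perm in user.get_all_permissions()}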
八、最佳实践建议
- 密码安全
- 使用强密码策略
- 实现密码过期机制
- 记录密码修改历史
- 会话管理
- 设置合适的会话超时时间
- 实现"记住我"功能
- 多设备登录控制
- 权限设计
- 安全防护
- 实现登录尝试限制
- 启用CSRF保护
- 实现双因素认证
九、训练任务
- 实现一个完整的用户认证系统,包括:
- 用户注册(带邮箱验证)
- 登录(支持用户名/邮箱/手机号)
- 找回密码
- 修改个人信息
- 创建一个权限管理系统:
- 实现高级功能:
十、总结
今天我们学习了Django认证系统的核心组件:
- 用户认证基础知识
- 权限系统的实现和使用
- 用户组管理
- 自定义认证系统