1. =======================

  2. ``django.contrib.auth``

  3. =======================

  4. 

  5. This document provides API reference material for the components of Django's

  6. authentication system. For more details on the usage of these components or

  7. how to customize authentication and authorization see the :doc:`authentication

  8. topic guide </topics/auth/index>`.

  9. 

  10. .. currentmodule:: django.contrib.auth

  11. 

  12. ``User`` model

  13. ==============

  14. 

  15. .. class:: models.User

  16. 

  17. Fields

  18. ------

  19. 

  20. .. class:: models.User

  21.     :noindex:

  22. 

  23.     :class:`~django.contrib.auth.models.User` objects have the following

  24.     fields:

  25. 

  26.     .. attribute:: username

  27. 

  28.         Required. 150 characters or fewer. Usernames may contain alphanumeric,

  29.         ``_``, ``@``, ``+``, ``.`` and ``-`` characters.

  30. 

  31.         The ``max_length`` should be sufficient for many use cases. If you need

  32.         a longer length, please use a :ref:`custom user model

  33.         <specifying-custom-user-model>`. If you use MySQL with the ``utf8mb4``

  34.         encoding (recommended for proper Unicode support), specify at most

  35.         ``max_length=191`` because MySQL can only create unique indexes with

  36.         191 characters in that case by default.

  37. 

  38.     .. attribute:: first_name

  39. 

  40.         Optional (:attr:`blank=True <django.db.models.Field.blank>`). 150

  41.         characters or fewer.

  42. 

  43.     .. attribute:: last_name

  44. 

  45.         Optional (:attr:`blank=True <django.db.models.Field.blank>`). 150

  46.         characters or fewer.

  47. 

  48.     .. attribute:: email

  49. 

  50.         Optional (:attr:`blank=True <django.db.models.Field.blank>`). Email

  51.         address.

  52. 

  53.     .. attribute:: password

  54. 

  55.         Required. A hash of, and metadata about, the password. (Django doesn't

  56.         store the raw password.) Raw passwords can be arbitrarily long and can

  57.         contain any character. See the :doc:`password documentation

  58.         </topics/auth/passwords>`.

  59. 

  60.     .. attribute:: groups

  61. 

  62.         Many-to-many relationship to :class:`~django.contrib.auth.models.Group`

  63. 

  64.     .. attribute:: user_permissions

  65. 

  66.         Many-to-many relationship to :class:`~django.contrib.auth.models.Permission`

  67. 

  68.     .. attribute:: is_staff

  69. 

  70.         Boolean. Designates whether this user can access the admin site.

  71. 

  72.     .. attribute:: is_active

  73. 

  74.         Boolean. Designates whether this user account should be considered

  75.         active. We recommend that you set this flag to ``False`` instead of

  76.         deleting accounts; that way, if your applications have any foreign keys

  77.         to users, the foreign keys won't break.

  78. 

  79.         This doesn't necessarily control whether or not the user can log in.

  80.         Authentication backends aren't required to check for the ``is_active``

  81.         flag but the default backend

  82.         (:class:`~django.contrib.auth.backends.ModelBackend`) and the

  83.         :class:`~django.contrib.auth.backends.RemoteUserBackend` do. You can

  84.         use :class:`~django.contrib.auth.backends.AllowAllUsersModelBackend`

  85.         or :class:`~django.contrib.auth.backends.AllowAllUsersRemoteUserBackend`

  86.         if you want to allow inactive users to login. In this case, you'll also

  87.         want to customize the

  88.         :class:`~django.contrib.auth.forms.AuthenticationForm` used by the

  89.         :class:`~django.contrib.auth.views.LoginView` as it rejects inactive

  90.         users. Be aware that the permission-checking methods such as

  91.         :meth:`~django.contrib.auth.models.User.has_perm` and the

  92.         authentication in the Django admin all return ``False`` for inactive

  93.         users.

  94. 

  95.     .. attribute:: is_superuser

  96. 

  97.         Boolean. Designates that this user has all permissions without

  98.         explicitly assigning them.

  99. 

  100.     .. attribute:: last_login

  101. 

  102.         A datetime of the user's last login.

  103. 

  104.     .. attribute:: date_joined

  105. 

  106.         A datetime designating when the account was created. Is set to the

  107.         current date/time by default when the account is created.

  108. 

  109. Attributes

  110. ----------

  111. 

  112. .. class:: models.User

  113.     :noindex:

  114. 

  115.     .. attribute:: is_authenticated

  116. 

  117.         Read-only attribute which is always ``True`` (as opposed to

  118.         ``AnonymousUser.is_authenticated`` which is always ``False``). This is

  119.         a way to tell if the user has been authenticated. This does not imply

  120.         any permissions and doesn't check if the user is active or has a valid

  121.         session. Even though normally you will check this attribute on

  122.         ``request.user`` to find out whether it has been populated by the

  123.         :class:`~django.contrib.auth.middleware.AuthenticationMiddleware`

  124.         (representing the currently logged-in user), you should know this

  125.         attribute is ``True`` for any :class:`~models.User` instance.

  126. 

  127.     .. attribute:: is_anonymous

  128. 

  129.         Read-only attribute which is always ``False``. This is a way of

  130.         differentiating :class:`~models.User` and :class:`~models.AnonymousUser`

  131.         objects. Generally, you should prefer using

  132.         :attr:`~django.contrib.auth.models.User.is_authenticated` to this

  133.         attribute.

  134. 

  135. Methods

  136. -------

  137. 

  138. .. class:: models.User

  139.     :noindex:

  140. 

  141.     .. method:: get_username()

  142. 

  143.         Returns the username for the user. Since the ``User`` model can be

  144.         swapped out, you should use this method instead of referencing the

  145.         username attribute directly.

  146. 

  147.     .. method:: get_full_name()

  148. 

  149.         Returns the :attr:`~django.contrib.auth.models.User.first_name` plus

  150.         the :attr:`~django.contrib.auth.models.User.last_name`, with a space in

  151.         between.

  152. 

  153.     .. method:: get_short_name()

  154. 

  155.         Returns the :attr:`~django.contrib.auth.models.User.first_name`.

  156. 

  157.     .. method:: set_password(raw_password)

  158. 

  159.         Sets the user's password to the given raw string, taking care of the

  160.         password hashing. Doesn't save the

  161.         :class:`~django.contrib.auth.models.User` object.

  162. 

  163.         When the ``raw_password`` is ``None``, the password will be set to an

  164.         unusable password, as if

  165.         :meth:`~django.contrib.auth.models.User.set_unusable_password()`

  166.         were used.

  167. 

  168.     .. method:: check_password(raw_password)

  169. 

  170.         Returns ``True`` if the given raw string is the correct password for

  171.         the user. (This takes care of the password hashing in making the

  172.         comparison.)

  173. 

  174.     .. method:: set_unusable_password()

  175. 

  176.         Marks the user as having no password set.  This isn't the same as

  177.         having a blank string for a password.

  178.         :meth:`~django.contrib.auth.models.User.check_password()` for this user

  179.         will never return ``True``. Doesn't save the

  180.         :class:`~django.contrib.auth.models.User` object.

  181. 

  182.         You may need this if authentication for your application takes place

  183.         against an existing external source such as an LDAP directory.

  184. 

  185.     .. method:: has_usable_password()

  186. 

  187.         Returns ``False`` if

  188.         :meth:`~django.contrib.auth.models.User.set_unusable_password()` has

  189.         been called for this user.

  190. 

  191.     .. method:: get_user_permissions(obj=None)

  192. 

  193.         Returns a set of permission strings that the user has directly.

  194. 

  195.         If ``obj`` is passed in, only returns the user permissions for this

  196.         specific object.

  197. 

  198.     .. method:: get_group_permissions(obj=None)

  199. 

  200.         Returns a set of permission strings that the user has, through their

  201.         groups.

  202. 

  203.         If ``obj`` is passed in, only returns the group permissions for

  204.         this specific object.

  205. 

  206.     .. method:: get_all_permissions(obj=None)

  207. 

  208.         Returns a set of permission strings that the user has, both through

  209.         group and user permissions.

  210. 

  211.         If ``obj`` is passed in, only returns the permissions for this

  212.         specific object.

  213. 

  214.     .. method:: has_perm(perm, obj=None)

  215. 

  216.         Returns ``True`` if the user has the specified permission, where perm

  217.         is in the format ``"<app label>.<permission codename>"``. (see

  218.         documentation on :ref:`permissions <topic-authorization>`). If the user is

  219.         inactive, this method will always return ``False``. For an active

  220.         superuser, this method will always return ``True``.

  221. 

  222.         If ``obj`` is passed in, this method won't check for a permission for

  223.         the model, but for this specific object.

  224. 

  225.     .. method:: has_perms(perm_list, obj=None)

  226. 

  227.         Returns ``True`` if the user has each of the specified permissions,

  228.         where each perm is in the format

  229.         ``"<app label>.<permission codename>"``. If the user is inactive,

  230.         this method will always return ``False``. For an active superuser, this

  231.         method will always return ``True``.

  232. 

  233.         If ``obj`` is passed in, this method won't check for permissions for

  234.         the model, but for the specific object.

  235. 

  236.     .. method:: has_module_perms(package_name)

  237. 

  238.         Returns ``True`` if the user has any permissions in the given package

  239.         (the Django app label). If the user is inactive, this method will

  240.         always return ``False``. For an active superuser, this method will

  241.         always return ``True``.

  242. 

  243.     .. method:: email_user(subject, message, from_email=None, **kwargs)

  244. 

  245.         Sends an email to the user. If ``from_email`` is ``None``, Django uses

  246.         the :setting:`DEFAULT_FROM_EMAIL`. Any ``**kwargs`` are passed to the

  247.         underlying :meth:`~django.core.mail.send_mail()` call.

  248. 

  249. Manager methods

  250. ---------------

  251. 

  252. .. class:: models.UserManager

  253. 

  254.     The :class:`~django.contrib.auth.models.User` model has a custom manager

  255.     that has the following helper methods (in addition to the methods provided

  256.     by :class:`~django.contrib.auth.models.BaseUserManager`):

  257. 

  258.     .. method:: create_user(username, email=None, password=None, **extra_fields)

  259. 

  260.         Creates, saves and returns a :class:`~django.contrib.auth.models.User`.

  261. 

  262.         The :attr:`~django.contrib.auth.models.User.username` and

  263.         :attr:`~django.contrib.auth.models.User.password` are set as given. The

  264.         domain portion of :attr:`~django.contrib.auth.models.User.email` is

  265.         automatically converted to lowercase, and the returned

  266.         :class:`~django.contrib.auth.models.User` object will have

  267.         :attr:`~django.contrib.auth.models.User.is_active` set to ``True``.

  268. 

  269.         If no password is provided,

  270.         :meth:`~django.contrib.auth.models.User.set_unusable_password()` will

  271.         be called.

  272. 

  273.         The ``extra_fields`` keyword arguments are passed through to the

  274.         :class:`~django.contrib.auth.models.User`’s ``__init__`` method to

  275.         allow setting arbitrary fields on a :ref:`custom user model

  276.         <auth-custom-user>`.

  277. 

  278.         See :ref:`Creating users <topics-auth-creating-users>` for example usage.

  279. 

  280.     .. method:: create_superuser(username, email=None, password=None, **extra_fields)

  281. 

  282.         Same as :meth:`create_user`, but sets :attr:`~models.User.is_staff` and

  283.         :attr:`~models.User.is_superuser` to ``True``.

  284. 

  285.     .. method:: with_perm(perm, is_active=True, include_superusers=True, backend=None, obj=None)

  286. 

  287.         Returns users that have the given permission ``perm`` either in the

  288.         ``"<app label>.<permission codename>"`` format or as a

  289.         :class:`~django.contrib.auth.models.Permission` instance. Returns an

  290.         empty queryset if no users who have the ``perm`` found.

  291. 

  292.         If ``is_active`` is ``True`` (default), returns only active users, or

  293.         if ``False``, returns only inactive users. Use ``None`` to return all

  294.         users irrespective of active state.

  295. 

  296.         If ``include_superusers`` is ``True`` (default), the result will

  297.         include superusers.

  298. 

  299.         If ``backend`` is passed in and it's defined in

  300.         :setting:`AUTHENTICATION_BACKENDS`, then this method will use it.

  301.         Otherwise, it will use the ``backend`` in

  302.         :setting:`AUTHENTICATION_BACKENDS`, if there is only one, or raise an

  303.         exception.

  304. 

  305. ``AnonymousUser`` object

  306. ========================

  307. 

  308. .. class:: models.AnonymousUser

  309. 

  310.     :class:`django.contrib.auth.models.AnonymousUser` is a class that

  311.     implements the :class:`django.contrib.auth.models.User` interface, with

  312.     these differences:

  313. 

  314.     * :ref:`id <automatic-primary-key-fields>` is always ``None``.

  315.     * :attr:`~django.contrib.auth.models.User.username` is always the empty

  316.       string.

  317.     * :meth:`~django.contrib.auth.models.User.get_username()` always returns

  318.       the empty string.

  319.     * :attr:`~django.contrib.auth.models.User.is_anonymous` is ``True``

  320.       instead of ``False``.

  321.     * :attr:`~django.contrib.auth.models.User.is_authenticated` is

  322.       ``False`` instead of ``True``.

  323.     * :attr:`~django.contrib.auth.models.User.is_staff` and

  324.       :attr:`~django.contrib.auth.models.User.is_superuser` are always

  325.       ``False``.

  326.     * :attr:`~django.contrib.auth.models.User.is_active` is always ``False``.

  327.     * :attr:`~django.contrib.auth.models.User.groups` and

  328.       :attr:`~django.contrib.auth.models.User.user_permissions` are always

  329.       empty.

  330.     * :meth:`~django.contrib.auth.models.User.set_password()`,

  331.       :meth:`~django.contrib.auth.models.User.check_password()`,

  332.       :meth:`~django.db.models.Model.save` and

  333.       :meth:`~django.db.models.Model.delete()` raise :exc:`NotImplementedError`.

  334. 

  335. In practice, you probably won't need to use

  336. :class:`~django.contrib.auth.models.AnonymousUser` objects on your own, but

  337. they're used by web requests, as explained in the next section.

  338. 

  339. ``Permission`` model

  340. ====================

  341. 

  342. .. class:: models.Permission

  343. 

  344. Fields

  345. ------

  346. 

  347. :class:`~django.contrib.auth.models.Permission` objects have the following

  348. fields:

  349. 

  350. .. class:: models.Permission

  351.     :noindex:

  352. 

  353.     .. attribute:: name

  354. 

  355.         Required. 255 characters or fewer. Example: ``'Can vote'``.

  356. 

  357.     .. attribute:: content_type

  358. 

  359.         Required. A reference to the ``django_content_type`` database table,

  360.         which contains a record for each installed model.

  361. 

  362.     .. attribute:: codename

  363. 

  364.         Required. 100 characters or fewer. Example: ``'can_vote'``.

  365. 

  366. Methods

  367. -------

  368. 

  369. :class:`~django.contrib.auth.models.Permission` objects have the standard

  370. data-access methods like any other :doc:`Django model </ref/models/instances>`.

  371. 

  372. ``Group`` model

  373. ===============

  374. 

  375. .. class:: models.Group

  376. 

  377. Fields

  378. ------

  379. 

  380. :class:`~django.contrib.auth.models.Group` objects have the following fields:

  381. 

  382. .. class:: models.Group

  383.     :noindex:

  384. 

  385.     .. attribute:: name

  386. 

  387.         Required. 150 characters or fewer. Any characters are permitted.

  388.         Example: ``'Awesome Users'``.

  389. 

  390.     .. attribute:: permissions

  391. 

  392.         Many-to-many field to :class:`~django.contrib.auth.models.Permission`::

  393. 

  394.             group.permissions.set([permission_list])

  395.             group.permissions.add(permission, permission, ...)

  396.             group.permissions.remove(permission, permission, ...)

  397.             group.permissions.clear()

  398. 

  399. Validators

  400. ==========

  401. 

  402. .. class:: validators.ASCIIUsernameValidator

  403. 

  404.     A field validator allowing only ASCII letters and numbers, in addition to

  405.     ``@``, ``.``, ``+``, ``-``, and ``_``.

  406. 

  407. .. class:: validators.UnicodeUsernameValidator

  408. 

  409.     A field validator allowing Unicode characters, in addition to ``@``, ``.``,

  410.     ``+``, ``-``, and ``_``. The default validator for ``User.username``.

  411. 

  412. .. _topics-auth-signals:

  413. 

  414. Login and logout signals

  415. ========================

  416. 

  417. .. module:: django.contrib.auth.signals

  418. 

  419. The auth framework uses the following :doc:`signals </topics/signals>` that

  420. can be used for notification when a user logs in or out.

  421. 

  422. .. data:: user_logged_in

  423. 

  424.     Sent when a user logs in successfully.

  425. 

  426.     Arguments sent with this signal:

  427. 

  428.     ``sender``

  429.         The class of the user that just logged in.

  430. 

  431.     ``request``

  432.         The current :class:`~django.http.HttpRequest` instance.

  433. 

  434.     ``user``

  435.         The user instance that just logged in.

  436. 

  437. .. data:: user_logged_out

  438. 

  439.     Sent when the logout method is called.

  440. 

  441.     ``sender``

  442.         As above: the class of the user that just logged out or ``None``

  443.         if the user was not authenticated.

  444. 

  445.     ``request``

  446.         The current :class:`~django.http.HttpRequest` instance.

  447. 

  448.     ``user``

  449.         The user instance that just logged out or ``None`` if the

  450.         user was not authenticated.

  451. 

  452. .. data:: user_login_failed

  453. 

  454.     Sent when the user failed to login successfully

  455. 

  456.     ``sender``

  457.         The name of the module used for authentication.

  458. 

  459.     ``credentials``

  460.         A dictionary of keyword arguments containing the user credentials that were

  461.         passed to :func:`~django.contrib.auth.authenticate()` or your own custom

  462.         authentication backend. Credentials matching a set of 'sensitive' patterns,

  463.         (including password) will not be sent in the clear as part of the signal.

  464. 

  465.     ``request``

  466.         The :class:`~django.http.HttpRequest` object, if one was provided to

  467.         :func:`~django.contrib.auth.authenticate`.

  468. 

  469. .. _authentication-backends-reference:

  470. 

  471. Authentication backends

  472. =======================

  473. 

  474. .. module:: django.contrib.auth.backends

  475.    :synopsis: Django's built-in authentication backend classes.

  476. 

  477. This section details the authentication backends that come with Django. For

  478. information on how to use them and how to write your own authentication

  479. backends, see the :ref:`Other authentication sources section

  480. <authentication-backends>` of the :doc:`User authentication guide

  481. </topics/auth/index>`.

  482. 

  483. Available authentication backends

  484. ---------------------------------

  485. 

  486. The following backends are available in :mod:`django.contrib.auth.backends`:

  487. 

  488. .. class:: BaseBackend

  489. 

  490.     A base class that provides default implementations for all required

  491.     methods. By default, it will reject any user and provide no permissions.

  492. 

  493.     .. method:: get_user_permissions(user_obj, obj=None)

  494. 

  495.         Returns an empty set.

  496. 

  497.     .. method:: get_group_permissions(user_obj, obj=None)

  498. 

  499.         Returns an empty set.

  500. 

  501.     .. method:: get_all_permissions(user_obj, obj=None)

  502. 

  503.         Uses :meth:`get_user_permissions` and :meth:`get_group_permissions` to

  504.         get the set of permission strings the ``user_obj`` has.

  505. 

  506.     .. method:: has_perm(user_obj, perm, obj=None)

  507. 

  508.         Uses :meth:`get_all_permissions` to check if ``user_obj`` has the

  509.         permission string ``perm``.

  510. 

  511. .. class:: ModelBackend

  512. 

  513.     This is the default authentication backend used by Django.  It

  514.     authenticates using credentials consisting of a user identifier and

  515.     password.  For Django's default user model, the user identifier is the

  516.     username, for custom user models it is the field specified by

  517.     USERNAME_FIELD (see :doc:`Customizing Users and authentication

  518.     </topics/auth/customizing>`).

  519. 

  520.     It also handles the default permissions model as defined for

  521.     :class:`~django.contrib.auth.models.User` and

  522.     :class:`~django.contrib.auth.models.PermissionsMixin`.

  523. 

  524.     :meth:`has_perm`, :meth:`get_all_permissions`, :meth:`get_user_permissions`,

  525.     and :meth:`get_group_permissions` allow an object to be passed as a

  526.     parameter for object-specific permissions, but this backend does not

  527.     implement them other than returning an empty set of permissions if

  528.     ``obj is not None``.

  529. 

  530.     :meth:`with_perm` also allows an object to be passed as a parameter, but

  531.     unlike others methods it returns an empty queryset if ``obj is not None``.

  532. 

  533.     .. method:: authenticate(request, username=None, password=None, **kwargs)

  534. 

  535.         Tries to authenticate ``username`` with ``password`` by calling

  536.         :meth:`User.check_password

  537.         <django.contrib.auth.models.User.check_password>`. If no ``username``

  538.         is provided, it tries to fetch a username from ``kwargs`` using the

  539.         key :attr:`CustomUser.USERNAME_FIELD

  540.         <django.contrib.auth.models.CustomUser.USERNAME_FIELD>`. Returns an

  541.         authenticated user or ``None``.

  542. 

  543.         ``request`` is an :class:`~django.http.HttpRequest` and may be ``None``

  544.         if it wasn't provided to :func:`~django.contrib.auth.authenticate`

  545.         (which passes it on to the backend).

  546. 

  547.     .. method:: get_user_permissions(user_obj, obj=None)

  548. 

  549.         Returns the set of permission strings the ``user_obj`` has from their

  550.         own user permissions. Returns an empty set if

  551.         :attr:`~django.contrib.auth.models.AbstractBaseUser.is_anonymous` or

  552.         :attr:`~django.contrib.auth.models.CustomUser.is_active` is ``False``.

  553. 

  554.     .. method:: get_group_permissions(user_obj, obj=None)

  555. 

  556.         Returns the set of permission strings the ``user_obj`` has from the

  557.         permissions of the groups they belong. Returns an empty set if

  558.         :attr:`~django.contrib.auth.models.AbstractBaseUser.is_anonymous` or

  559.         :attr:`~django.contrib.auth.models.CustomUser.is_active`  is ``False``.

  560. 

  561.     .. method:: get_all_permissions(user_obj, obj=None)

  562. 

  563.         Returns the set of permission strings the ``user_obj`` has, including both

  564.         user permissions and group permissions. Returns an empty set if

  565.         :attr:`~django.contrib.auth.models.AbstractBaseUser.is_anonymous` or

  566.         :attr:`~django.contrib.auth.models.CustomUser.is_active` is ``False``.

  567. 

  568.     .. method:: has_perm(user_obj, perm, obj=None)

  569. 

  570.         Uses :meth:`get_all_permissions` to check if ``user_obj`` has the

  571.         permission string ``perm``. Returns ``False`` if the user is not

  572.         :attr:`~django.contrib.auth.models.CustomUser.is_active`.

  573. 

  574.     .. method:: has_module_perms(user_obj, app_label)

  575. 

  576.         Returns whether the ``user_obj`` has any permissions on the app

  577.         ``app_label``.

  578. 

  579.     .. method:: user_can_authenticate()

  580. 

  581.         Returns whether the user is allowed to authenticate. To match the

  582.         behavior of :class:`~django.contrib.auth.forms.AuthenticationForm`

  583.         which :meth:`prohibits inactive users from logging in

  584.         <django.contrib.auth.forms.AuthenticationForm.confirm_login_allowed>`,

  585.         this method returns ``False`` for users with :attr:`is_active=False

  586.         <django.contrib.auth.models.User.is_active>`. Custom user models that

  587.         don't have an :attr:`~django.contrib.auth.models.CustomUser.is_active`

  588.         field are allowed.

  589. 

  590.     .. method:: with_perm(perm, is_active=True, include_superusers=True, obj=None)

  591. 

  592.         Returns all active users who have the permission ``perm`` either in

  593.         the form of ``"<app label>.<permission codename>"`` or a

  594.         :class:`~django.contrib.auth.models.Permission` instance. Returns an

  595.         empty queryset if no users who have the ``perm`` found.

  596. 

  597.         If ``is_active`` is ``True`` (default), returns only active users, or

  598.         if ``False``, returns only inactive users. Use ``None`` to return all

  599.         users irrespective of active state.

  600. 

  601.         If ``include_superusers`` is ``True`` (default), the result will

  602.         include superusers.

  603. 

  604. .. class:: AllowAllUsersModelBackend

  605. 

  606.     Same as :class:`ModelBackend` except that it doesn't reject inactive users

  607.     because :meth:`~ModelBackend.user_can_authenticate` always returns ``True``.

  608. 

  609.     When using this backend, you'll likely want to customize the

  610.     :class:`~django.contrib.auth.forms.AuthenticationForm` used by the

  611.     :class:`~django.contrib.auth.views.LoginView` by overriding the

  612.     :meth:`~django.contrib.auth.forms.AuthenticationForm.confirm_login_allowed`

  613.     method as it rejects inactive users.

  614. 

  615. .. class:: RemoteUserBackend

  616. 

  617.     Use this backend to take advantage of external-to-Django-handled

  618.     authentication.  It authenticates using usernames passed in

  619.     :attr:`request.META['REMOTE_USER'] <django.http.HttpRequest.META>`.  See

  620.     the :doc:`Authenticating against REMOTE_USER </howto/auth-remote-user>`

  621.     documentation.

  622. 

  623.     If you need more control, you can create your own authentication backend

  624.     that inherits from this class and override these attributes or methods:

  625. 

  626.     .. attribute:: create_unknown_user

  627. 

  628.         ``True`` or ``False``. Determines whether or not a user object is

  629.         created if not already in the database  Defaults to ``True``.

  630. 

  631.     .. method:: authenticate(request, remote_user)

  632. 

  633.         The username passed as ``remote_user`` is considered trusted. This

  634.         method returns the user object with the given username, creating a new

  635.         user object if :attr:`~RemoteUserBackend.create_unknown_user` is

  636.         ``True``.

  637. 

  638.         Returns ``None`` if :attr:`~RemoteUserBackend.create_unknown_user` is

  639.         ``False`` and a ``User`` object with the given username is not found in

  640.         the database.

  641. 

  642.         ``request`` is an :class:`~django.http.HttpRequest` and may be ``None``

  643.         if it wasn't provided to :func:`~django.contrib.auth.authenticate`

  644.         (which passes it on to the backend).

  645. 

  646.     .. method:: clean_username(username)

  647. 

  648.         Performs any cleaning on the ``username`` (e.g. stripping LDAP DN

  649.         information) prior to using it to get or create a user object. Returns

  650.         the cleaned username.

  651. 

  652.     .. method:: configure_user(request, user, created=True)

  653. 

  654.         Configures the user on each authentication attempt. This method is

  655.         called immediately after fetching or creating the user being

  656.         authenticated, and can be used to perform custom setup actions, such as

  657.         setting the user's groups based on attributes in an LDAP directory.

  658.         Returns the user object.

  659. 

  660.         The setup can be performed either once when the user is created

  661.         (``created`` is ``True``) or on existing users (``created`` is

  662.         ``False``) as a way of synchronizing attributes between the remote and

  663.         the local systems.

  664. 

  665.         ``request`` is an :class:`~django.http.HttpRequest` and may be ``None``

  666.         if it wasn't provided to :func:`~django.contrib.auth.authenticate`

  667.         (which passes it on to the backend).

  668. 

  669.         .. versionchanged:: 4.1

  670. 

  671.             The ``created`` argument was added.

  672. 

  673.     .. method:: user_can_authenticate()

  674. 

  675.         Returns whether the user is allowed to authenticate. This method

  676.         returns ``False`` for users with :attr:`is_active=False

  677.         <django.contrib.auth.models.User.is_active>`. Custom user models that

  678.         don't have an :attr:`~django.contrib.auth.models.CustomUser.is_active`

  679.         field are allowed.

  680. 

  681. .. class:: AllowAllUsersRemoteUserBackend

  682. 

  683.     Same as :class:`RemoteUserBackend` except that it doesn't reject inactive

  684.     users because :attr:`~RemoteUserBackend.user_can_authenticate` always

  685.     returns ``True``.

  686. 

  687. Utility functions

  688. =================

  689. 

  690. .. currentmodule:: django.contrib.auth

  691. 

  692. .. function:: get_user(request)

  693. 

  694.     Returns the user model instance associated with the given ``request``’s

  695.     session.

  696. 

  697.     It checks if the authentication backend stored in the session is present in

  698.     :setting:`AUTHENTICATION_BACKENDS`. If so, it uses the backend's

  699.     ``get_user()`` method to retrieve the user model instance and then verifies

  700.     the session by calling the user model's

  701.     :meth:`~django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash`

  702.     method. If the verification fails and :setting:`SECRET_KEY_FALLBACKS` are

  703.     provided, it verifies the session against each fallback key using

  704.     :meth:`~django.contrib.auth.models.AbstractBaseUser.\

  705.     get_session_auth_fallback_hash`.

  706. 

  707.     Returns an instance of :class:`~django.contrib.auth.models.AnonymousUser`

  708.     if the authentication backend stored in the session is no longer in

  709.     :setting:`AUTHENTICATION_BACKENDS`, if a user isn't returned by the

  710.     backend's ``get_user()`` method, or if the session auth hash doesn't

  711.     validate.

  712. 

  713.     .. versionchanged:: 4.1.8

  714. 

  715.         Fallback verification with :setting:`SECRET_KEY_FALLBACKS` was added.
About Sign Up Leave Feedback Contact