Django Authentication

  • Authentication is connecting crednetials to an incoming request. A person is who they say they are.
  • Authorization is ensuring a user has permission to do what they want to do


Django provides the login_required decorator but they are iffy with class-based views.

So for class based views, django provides mixins (small classes)

    from django.contrib.auth.mixins import LoginRequiredMixin

Thenadd as inherited from:

    class CreatePost(LoginRequiredMixin, generic.CreateView):

Creating a Login View

Might be worth it to make an accounts app:

    ./ startapp accounts



For the actual view in

    class LoginView(generic.FormView):
        form_class = AuthenticationForm
        success_url = reverse_lazy("posts:all")
        template_name = "accounts/login.html"

        def get_form(self, form_class=None):
            if form_class is None:
                form_class = self.get_form_class()
            return form_class(self.request, **self.get_form_kwargs())

        def form_valid(self, form):
            login(self.request, form.get_user())
            return super().form_valid(form)


    urlpatterns = [
        url(r'^login/$', views.LoginView.as_view(), name="login"),

Add the template is accounts/templates/accounts/login.html:

    {% extends 'layout.html' %}

    {% load bootstrap3 %}

    {% block title_tag %}Login | {{ block.super }}{% endblock %}

    {% block body_content %}
    <div class="container">
        <form method="POST">
            {% csrf_token %}
            {% bootstrap_form form %}
            <input type="submit" lue="Login" class="btn btn-default">
    {% endblock %}

The Easier Way

Alas, there is an even easier way that uses the existing django auth

In urlpatterns for prject use:

    url(r'^accounts/', include("django.contrib.auth.urls"))

At accounts/login you will get the TemplateDoesNotExist at /accounts/login/ - registration/login.html error

So create that file in the project level templates with our exisitng template code

Now when you login it will go to accounts/profile if you don’t have a template for this add a setting:

    LOGIN_REDIRECT_URL = "posts:all"

This can be a url or a url name


Import logout:

    from django.contrib.auth import login, logout

Now we just want it to redirect after logout


    class LogoutView(generic.RedirectView):
        url = reverse_lazy('home')

        def get(self, request, *args, **kwargs):
            return super().get(request, *args, **kwargs)


url(r'^logout/$', view.LogoutView.as_view(), name="logout"),

Signing Up

Signing up is usually very site specific so there is no generic

signup view:

    from django.contrib.auth.forms import AuthenticationForm, UserCreationForm

    class SignupView(generic.CreateView):
        form_class = UserCreationForm
        success_url = reverse_lazy("login")
        template_name = "accounts/signup.html"


    {% extends 'layout.html' %}

    {% load bootstrap3 %}

    {% block title_tag %}Signup | {{ block.super }}{% endblock %}

    {% block body_content %}
    <div class="container">
        <form method="POST">
            {% csrf_token %}
            {% bootstrap_form form %}
            <input type="submit" lue="Signup" class="btn btn-default">
    {% endblock %}


    url(r'^signup/$', views.SignupView.as_view(), name="signup")

Make changes to default user create form in

from django.contrib.auth.forms import UserCreationForm from django.contrib.auth.models import User

    class UserCreateForm(UserCreationForm):
        class Mate:
            fields = ['username', 'email', 'password1', 'password2']
            model = User

        def __init__(self, *args, **kwargs):
            super().__init__(self, *args, **kwargs)
            self.fields['username'].label = "Display Name" 
            self.fields['email'].label = "Email Address"

Mailed Activation

There is a good library that works on the wprkflow of your app

Specifically sending activation email etc.

Check it out at django-registration

Autologin after registration

    class SignUp(generic.CreateView):
        form_class = forms.UserCreateForm
        template_name = 'accounts/signup.html'
        success_url = reverse_lazy('products:list')

        def form_valid(self, form):
            res = super().form_valid(form)
            user = authenticate(username=form.cleaned_data['username'], password=form.cleaned_data['password1'])
            if user is not None:
                if user.is_active:
                    login(self.request, user)
            return res

Password Reset

Django has built-in except the tmeplates look like django admin

So to change that template you can override it at <root_templates>/registration/password_reset_form.html

Then to change the email template change: <root_templates>/registration/password_reset_done.html

Then the password reset page: <root_templates>/registration/password_reset_confirm.html

Update password reset complete: <root_templates>/registration/password_reset_complete.html

To catch the email during development use: the Django debug bar mail panel

Customising Users

  • Create a custom model that has a 1-to-1 relationship with Django’s User model - extra non-critical data
  • Extend the abstract User model in an absract form
  • Replace the User model and extend AbstractBaseUser

Replacing the existing user model

    from django.contrib.auth.models import (
    from django.db import models
    from django.utils import timezone

    class UserManager(BaseUserManager):
        def create_user(self, email, username, display_name=None, password=None):
            if not email:
                raise ValueError("Users must have an email address")
            if not display_name:
                display_name = username

            user = self.model(
            return user

        def create_super_user(self, email, username, display_name, password):
            '''Create a custom super user
            mainly run through the commandline
            user = self.create_user(email, username, display_name, password)
            user.is_staff = True
            user.is_superuser = True
            return user

Also create the actual User class with:

    class User(AbstractBaseUser, PermissionsMixin):
        email = models.EmailField(unique=True)
        username = models.Charfield(max_length=40, unique=True)
        display_name = models.CharField(max_length=140)
        bio = models.CharField(max_length=140, blank=True, default="")
        avatar = models.ImageField(blank=True, null=True)
        date_joined = models.DateTimeField(
        is_active = models.BooleanField(default=True)
        is_staff = models.BooleanField(default=False)

        # So calling User.object.all()
        objects = UserManager()

        # Unique identifier to search user
        USERNAME_FIELD = 'email'

        REQUIRED_FIELDS = ['display_name', 'username']

        def __str__(self):
            return "@{}".format(self.username)

        def get_short_name(self):
            return self.display_name

        def get_long_name(self):
            return "{} @({})".format(display_name, username)

You need to tell django in what User mdoel to use:

    # Tells django what model to use for the user model
    AUTH_USER_MODEL = "accounts.user"

Then in related models user use this instead of normal User from django.contrb.auth.models:

    from django.conf import settings


In other places where you need the actual model:

    from django.contrib.auth import get_user_model



For every new Non-Abstract model you create with django, it creates a content_type instance. Stores model and model_name. So you can link to model without knowing where it is defined.

Add, Change, delete permissions

Permissions are about models, not the instances. So user does not have permission for objects just belonging to them.

Groups can also be used to clumping together permissions

Adding a permission

In a model add to class Meta:

    permissions = (
        ('ban_member', 'Can ban members'),

When you add a permission you need to migrate, as adds to permissions table

Check if a user has a permission:

if self.request.user.has_perm("products.can_give_discount")

So it uses model plural name + permission_name


  • add - View the add form and add an object
  • change - View the change form and change an object
  • delete - View the delete form

Checking if a user has a specific permission

App name foo, model name Bar

  • add: user.has_perm('foo.add_bar')
  • change: user.has_perm('foo.change_bar')
  • delete: user.has_perm('foo.delete_bar')

Creating groups

    from django.contrib.auth.models import (

    new_group, group = Group.objects.get_or_create(name="Editors")

Creating permissions

    content_type = ContentType.objects.get_for_model(models.Product)
    permission = Permission.objects.get_or_create(
        name='Can Give Discount',




Create group, create permission and add to permission

def create_editor(self, email, dob, password):
    user = self.create_user(

        editors = Group.objects.get(name__iexact="Editors")
    except Group.DoesNotExist:
        editors = Group.objects.create(name="Editors")

    # add can_give_discount permission
    return user