
I'm trying to figure out how to enhance the authenticate method with additional functionality.

e.g.

  • Expiring passwords
  • Special password formats
  • Length requirements
  • etc...

It is pretty straightforward for the site's frontend, but what about the admin panel?


I reckon that I should override the User's Manager object, as authenticate probably resides there. This is quite a tough one to figure out I think.

Thanks in advance! :)

RadiantHex

2 Answers


You can create a custom authentication backend by following the instructions in http://docs.djangoproject.com/en/dev/topics/auth/#authentication-backends. Essentially, you create a backend class that has an authenticate method:

    class MyBackend:
        def authenticate(self, username=None, password=None):
            # Check the username/password and return a User,
            # or None if the credentials are not valid.
            return None

Then add the class to AUTHENTICATION_BACKENDS in settings.py.

Though this is for authentication, you could do all the password validation things you mentioned simply by redirecting a user to a change password page if the password is correct but expired, for instance. Consider using the messaging framework to give a user a hint about what is going on when directing him to a generic change password page.

eddie_c
  • Hi you have covered virtually everything :O This is such a good reply! Thank you so much. – RadiantHex Nov 17 '10 at 11:18
  • Hi I'm implementing the auth backend, I am kind of confused about the signals. There is no way I can implement proper validation within the admin? – RadiantHex Nov 17 '10 at 11:38
  • @RadiantHex I apologize for the django signal part. It is not applicable in your case, since you cannot read the raw password from the model (it has been hashed already) and therefore you cannot do your validation. Jordan's suggestion about hijacking the password page to a custom view is better. You just need to hijack all the pages that can change the password. Another approach is to try [monkey-patching](http://stackoverflow.com/questions/192649/can-you-monkey-patch-methods-on-core-types-in-python) the `set_password` method of the `User` model. – eddie_c Nov 17 '10 at 17:55

If you want the validation for passwords to be built into the model, then you'll probably want to extend the django User model.

Otherwise, you could do the following:

  • Override admin password options by creating your own views for changing and setting passwords, then putting the relevant URLs just above `(r'^admin/', include(admin.site.urls))`. Regex would look something like `(r'^admin/auth/user/(\d+)/password/', new_change_password)`.
  • Keep track of password age in a separate model and, when a password expires, redirect to a change password page.
Jordan Reiter
  • Hi I'm finding this reply more useful actually, do you have a clue on how to forward a view to the password change view? – RadiantHex Nov 17 '10 at 12:40
  • Do you mean a redirect? You can use `HttpResponseRedirect` to redirect the user to the url for the change password page. I think if you look at the urls file for django/contrib/auth then you can find which url name to use. – Jordan Reiter Nov 17 '10 at 16:14
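
The two answers combined, as an added example that is not part of the original posts: a backend with the same `authenticate` shape as in the first answer, a password-age timestamp as suggested in the second, and length/format checks applied to the raw password before it is hashed. It uses only the standard library; `Account`, `PolicyBackend`, `login_outcome` and the policy values are assumptions standing in for Django's `User` model and a real project's settings.

```python
import hashlib
import hmac
import os
from datetime import timedelta

MAX_AGE = timedelta(days=90)  # assumed policy value
MIN_LENGTH = 12               # assumed policy value

def policy_errors(raw):
    """Length/format checks need the raw password, so run them before hashing."""
    checks = [(len(raw) >= MIN_LENGTH, "too short"),
              (any(c.isdigit() for c in raw), "needs a digit")]
    return [msg for ok, msg in checks if not ok]

class Account:
    """Constructed stand-in for Django's User plus a password-age record."""
    salt = digest = changed_at = None

    def _hash(self, raw):
        return hashlib.pbkdf2_hmac("sha256", raw.encode(), self.salt, 100_000)

    def set_password(self, raw, now):
        errors = policy_errors(raw)
        if errors:
            raise ValueError(", ".join(errors))
        self.salt, self.changed_at = os.urandom(16), now
        self.digest = self._hash(raw)

    def check_password(self, raw):
        if self.digest is None:
            return False
        return hmac.compare_digest(self.digest, self._hash(raw))

class PolicyBackend:
    """Same shape as MyBackend above: authenticate() returns a user or None."""
    def __init__(self, accounts):
        self.accounts = accounts  # hypothetical username -> Account mapping

    def authenticate(self, username=None, password=None):
        user = self.accounts.get(username)
        if user is None or password is None or not user.check_password(password):
            return None
        return user

def login_outcome(backend, username, password, now):
    user = backend.authenticate(username=username, password=password)
    if user is None:
        return "denied"
    # Correct but expired: the view redirects to change-password, no session.
    return "change_password" if now - user.changed_at > MAX_AGE else "ok"
```

Because the policy check sits in `set_password`, it applies to every code path that changes a password, including an admin view, which is the point of the monkey-patching suggestion in the comments.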