Menu
I hope you can help me figure the best way to implement a manual (server-side initiated) login without using the password. Let me explain the workflow:
What I'm trying to do is log in the user after he has clicked the email link so he can start using the website right away.
I can't use his password since it's encrypted in the DB, is the only option writing a custom authentication backend?
759
Try sudoers file to su to another user account without the need for a password. In this procedure, the user (for example, zoop) who is ready to switch to another user account (for example, User_Account) must be available in the sudoers file or in the sudo group to invoke the Sudo command.
You can create a user without a password on Linux using the “passwd” command as follows : Run the useradd command to create a user account as shown in the example below. Note: we can use the commands “useradd” or “adduser” interchangeably to create a user in Linux. useradd is native binary compiled with the system.
You don't need a password to log a user in. The auth.login function just takes a User object, which you are presumably already getting from the database when you enable the account. So you can pass that straight to login.
Of course, you'll need to be very careful that there's no way a user can spoof a link to an existing already-enabled account, which would then automatically log them in as that user.
from django.contrib.auth import login def activate_account(request, hash): account = get_account_from_hash(hash) if not account.is_active: account.activate() account.save() user = account.user login(request, user) ... etc.
Edited:
Hmm, didn't notice that requirement to use authenticate because of the extra property it adds. Looking at the code, all it does is a backend attribute equivalent to the module path of the authenticating backend. So you could just fake it - before the login call above, do this:
user.backend = 'django.contrib.auth.backends.ModelBackend' As of Django 1.10, the process has been simplified.
In all versions of Django, in order for a user to be logged in, they must be authenticated by one of your app's backends (controlled by the AUTHENTICATION_BACKENDS setting).
If you simply want to force a login, you can just claim that the user was authenticated by the first backend from that list:
from django.conf import settings from django.contrib.auth import login # Django 1.10+ login(request, user, backend=settings.AUTHENTICATION_BACKENDS[0]) # Django <1.10 - fake the authenticate() call user.backend = settings.AUTHENTICATION_BACKENDS[0] login(request, user) If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
