Only one class of user exists in Django’s authentication framework: 'superusers' and admin 'staff' users are just User objects with special attributes (is_superuser, is_staff) set, not different classes of user object.
Django does not store raw (clear text) passwords on the user model, but only a hash.
By default, Django uses the PBKDF2 algorithm with a SHA256 hash, a password stretching mechanism recommended by NIST. This should be sufficient for most users: it’s quite secure, requiring massive amounts of computing time to break.
Is it the best algorithm for you? It depends. If you want a simple and stable option, meaning one that is already built in, needs no extra work and is reliable, PBKDF2 is a good choice. If you want the strongest option available, Argon2 is more robust than PBKDF2, but it is not built in: Django's Argon2PasswordHasher needs the third-party argon2-cffi library, and you select it by listing it first in the PASSWORD_HASHERS setting.
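The settings change that switches a project to Argon2, as an added example that is not part of the original page. The hasher class paths are Django's; the ordering is the point: the first entry is used for new passwords, and the remaining entries are kept so that hashes written before the switch still verify. Django re-hashes such a password with the preferred hasher the next time the user logs in successfully, so existing accounts migrate without a password reset.

```python
# settings.py fragment (added example). Requires: pip install argon2-cffi
PASSWORD_HASHERS = [
    # Preferred hasher: used for every new or changed password.
    "django.contrib.auth.hashers.Argon2PasswordHasher",
    # Keep the former default so stored PBKDF2 hashes still verify;
    # they are upgraded to Argon2 on the user's next successful login.
    "django.contrib.auth.hashers.PBKDF2PasswordHasher",
    "django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher",
    "django.contrib.auth.hashers.BCryptSHA256PasswordHasher",
    "django.contrib.auth.hashers.ScryptPasswordHasher",
]
```

Do not remove PBKDF2PasswordHasher from the list while any user still has a PBKDF2 hash stored; those users would be unable to log in.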
Because only the hash is stored, do not manipulate the password attribute of the user directly. This is why a helper function is used when creating a user: create_user() hashes the password before saving it (use set_password() to change it later).

    from django.contrib.auth.models import User

    user = User.objects.create_user("john", "[email protected]", "johnpassword")
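To make the point concrete, here is a pure-Python re-implementation of the string that create_user() stores with the default hasher, as an added example that is not Django's own code. It mirrors the "algorithm$iterations$salt$hash" layout of Django's PBKDF2PasswordHasher; the function names encode_password() and check_password() and the ITERATIONS value are assumptions for this illustration (Django's default iteration count changes between releases). The last case in the usage shows why assigning a raw string to user.password breaks login: it does not parse as a hash, so verification fails.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600000  # illustrative; Django raises its default over time


def encode_password(password: str, salt: Optional[str] = None,
                    iterations: int = ITERATIONS) -> str:
    """Return a Django-style "pbkdf2_sha256$iterations$salt$base64hash" string."""
    if salt is None:
        salt = secrets.token_urlsafe(16)  # random per-password salt
    if "$" in salt:
        raise ValueError("salt must not contain the '$' field separator")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt.encode("utf-8"), iterations
    )
    return "%s$%d$%s$%s" % (
        ALGORITHM, iterations, salt, base64.b64encode(digest).decode("ascii")
    )


def check_password(password: str, encoded: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        algorithm, iterations, salt, _ = encoded.split("$", 3)
        iterations = int(iterations)
    except ValueError:
        # Not in the expected layout, e.g. a clear-text value written straight
        # to user.password; Django's check would fail in the same way.
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = encode_password(password, salt, iterations)
    return hmac.compare_digest(candidate.encode("ascii"), encoded.encode("utf-8"))


if __name__ == "__main__":
    stored = encode_password("johnpassword")        # what the model column holds
    print(stored)
    print(check_password("johnpassword", stored))     # True
    print(check_password("wrong", stored))            # False
    print(check_password("johnpassword", "johnpassword"))  # False: raw string stored
```

The salt is stored alongside the hash, so the same password hashed twice yields different strings; only the iteration count and salt read back from the stored value are reused when verifying.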
Use authenticate() to verify a set of credentials.
It takes credentials as keyword arguments (username and password in the default case), checks them against each configured authentication backend, and returns a User object if the credentials are valid for a backend. If the credentials are not valid for any backend, or a backend raises PermissionDenied, it returns None. For example, to log a user in:
    from django.contrib.auth import authenticate, login
    from django.http import HttpResponse

    def my_view(request):
        username = request.POST["username"]
        password = request.POST["password"]
        # None unless some backend accepts the credentials.
        user = authenticate(request, username=username, password=password)
        if user is not None:
            login(request, user)  # attaches the user to the session
            return HttpResponse("Logged in")
        return HttpResponse("Invalid credentials", status=401)
Django comes with a built-in permissions system. It provides a way to assign permissions to specific users and groups of users.
The Django admin site uses permissions as follows: