I have a request to alter a standard Django login of email and password to allow any user to log in without a password, but only if they are on a certain domain ... e.g. [email protected] ... where the user is allowed in due to them being on the correct domain.

Any suggestions?

Thanks

+1  A: 

If your user has an OpenID with the email [email protected] then you can use an OpenID solution (say Django-openid; there are others too) to verify his identity and allow him access.

If that is unlikely, then you'll need to find a custom way of ensuring that the user is who he claims to be.

Manoj Govindan
A: 

Something like this:

from django.contrib.auth import login
from django.contrib.auth.models import User

if cleaned_data['email'].endswith('@example.com'):
    user = None
    try:
        user = User.objects.get(email=cleaned_data['email'])
    except (User.DoesNotExist, User.MultipleObjectsReturned):
        # no account, or several accounts, for this address: treat as no user
        pass
    if user:
        # logs the user in with no password check at all (see the warning below)
        login(request, user)

Your concept allows everyone who knows or guesses one of the affected email addresses to log in without a password!

Best regards!

o.elias
+4  A: 

Assuming that 'being on the correct domain' means they have an email address for the relevant domain, you could write a custom authentication backend that

  • looks to check that there is a single user with that email address (and not more than one, which will also mean updating registration flows to ensure email addresses are guaranteed unique, plus possibly checking your DB for duplicates already, just in case)
  • gets that User and splits off the domain of their email address to check it against a list/whatever of allowed no-password-required domains
  • returns the User from your custom auth backend as if the normal password check had been satisfied, even though it was never checked with check_password(). The Django docs and various djangosnippets.org snippets show how to do this.

In addition:

  • you will have to use a new/overridden authentication Form class for the admin login view that doesn't require a password field (but still shows it for non-special logins), so that it doesn't complain if there is no password entered.

And finally:

  • get religion, if you don't already have it
  • pray to your G/god(s) that no one else learns that the site will allow no-password authentication with an email address, and especially that they don't also get hold of the email address(es) in question, particularly if your site holds ANY personal data about third parties or has to be PCI-DSS compliant etc, etc.
  • strongly consider saying 'No' to your client/user/manager/whoever requested this, for the reason immediately above. Passwords are used for a reason.

Or, finally, finally:

  • skip all of the above and tell your client/user/manager about some of the various password storage tools out there - e.g. this and this
stevejalim
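The backend steps in the answer above (single account per address, domain allowlist, then return the user), as an added example that is not code from the answer or from Django. It deliberately keeps the check_password() step instead of bypassing it, as the answer's closing points advise; it is plain Python so it runs without Django, and ALLOWED_DOMAINS, DemoUser and the function names are assumptions for the demo.

```python
# Added example for this thread (not code from the thread or from Django): the checks
# a domain-restricted email-login backend runs, still verifying the password. Runs offline.
import hashlib
import hmac
import os

ALLOWED_DOMAINS = frozenset({"example.com"})  # constructed allowlist

class AmbiguousEmail(Exception):
    """Several accounts share one address: refuse rather than guess."""

def email_domain(email):
    """Lower-cased domain part of an address, or None if it is malformed."""
    local, at, domain = email.strip().rpartition("@")
    return domain.lower() if at and local and domain else None

def single_user_for_email(users, email):
    """The one account for this address; None if absent, AmbiguousEmail if several."""
    wanted = email.strip().lower()
    matches = [u for u in users if u.email.lower() == wanted]
    if len(matches) > 1:
        raise AmbiguousEmail(wanted)
    return matches[0] if matches else None

def authenticate_by_email(users, email, password, allowed=ALLOWED_DOMAINS):
    """Return the user only if domain, uniqueness and password all check out."""
    if email_domain(email) not in allowed:
        return None
    try:
        user = single_user_for_email(users, email)
    except AmbiguousEmail:
        return None  # duplicate addresses: deny, and clean up the data instead
    if user is None or not user.is_active or not user.check_password(password):
        return None
    return user

class DemoUser:
    """Stand-in for Django's User with a salted PBKDF2 hash, for the offline demo only."""
    def __init__(self, email, password, is_active=True):
        self.email, self.is_active, self.salt = email, is_active, os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)

    def check_password(self, raw):
        probe = hashlib.pbkdf2_hmac("sha256", raw.encode(), self.salt, 50_000)
        return hmac.compare_digest(probe, self.pw_hash)

# Django wiring (not run here): in a django.contrib.auth.backends.BaseBackend
# subclass, authenticate(self, request, username=None, password=None) returns
# authenticate_by_email(get_user_model().objects.filter(email__iexact=username),
# username, password); add get_user(self, user_id) and list it in AUTHENTICATION_BACKENDS.
```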
+1 for covering a lot of possibilities.
Manoj Govindan
+1 on saying **No!** to the client. Unless this thing is completely inside a company's firewall, or you don't really care if the access method is posted on 133thaxors.org, then it needs to manage accounts and passwords correctly.
Peter Rowell
A: 

Thanks all. I managed to convince the client of the BAD idea of no password. However, they do want a single password, but [email protected] ... So, it looks like a "custom authentication backend". I'm completely new to Django .. and am not having much fun here .. (no-one else available to help that does know it .. great ... at least the deadline isn't today .. oh wait ..)

elyob
www.djangobook.com and #django on IRC should help ease the pain, Nick. And if you want to accept my answer, that'd be appreciated.
stevejalim
I really want to accept the answer .. but this is my first time on SO, and now that I am registered, I don't see a tick to accept it ...
elyob
(The name was the same, I've only just changed it). Am now on IRC trying to figure out all these issues.
elyob