Using the Django authentication system （使用Django默认的权限系统） 阅读批注

这文章主要是给我的记忆提供索引的，请大家多提宝贵意见，共同进步。

原文： https://docs.djangoproject.com/en/1.6/topics/auth/default/

原文目录：

Contents

• Using the Django authentication system
  • User objects
    • Creating users
    • Creating superusers
    • Changing passwords
    • Authenticating Users
  • Permissions and Authorization
    • Default permissions
    • Groups
    • Programmatically creating permissions
    • Permission caching
  • Authentication in Web requests
    • How to log a user in
    • How to log a user out
    • Limiting access to logged-in users
      • The raw way
      • The login_required decorator
      • Limiting access to logged-in users that pass a test
      • The permission_required decorator
      • Applying permissions to generic views
    • Authentication Views
    • Helper functions
    • Built-in forms
    • Authentication data in templates
      • Users
      • Permissions
  • Managing users in the admin
    • Creating Users
    • Changing Passwords

Using the Django authentication system

This document explains the usage of Django’s authentication system in its default configuration. This configuration has evolved to serve the most common project needs, handling a reasonably wide range of tasks, and has a careful implementation of passwords and permissions, and can handle many projects as is. For projects where authentication needs differ from the default, Django supports extensive extension and customization of authentication.

★ 此文档解释了如何使用 Django 的默认认证系统。默认的认证系统足够满足一般的使用要求。 还可以扩展默认的认证系统。

Django authentication provides both authentication and authorization, together and is generally referred to as the authentication system, as these features somewhat coupled.  ★ Django 的权限系统主要包括“认证身份”和“授予权限”。一般称为“权限系统”，因为二者有很多交集。

User objects

User objects are the core of the authentication system. They typically represent the people interacting with your site and are used to enable things like restricting access, registering user profiles, associating content with creators etc. Only one class of user exists in Django’s authentication framework, i.e.,'superusers' or admin 'staff' users are just user objects with special attributes set, not different classes of user objects.

★User 对象是权限系统的核心， 代表访问网站的用户。 只有一个 user 类存在于 Django 的认证系统， 即 superusers 或者 admin staff 。

The primary attributes of the default user are:

• username
• password
• email
• first_name
• last_name

See the full API documentation for full reference, the documentation that follows is more task oriented.

★ User 包含一些默认的属性 

Creating users

The most direct way to create users is to use the included create_user() helper function:

>>> from django.contrib.auth.models import User
>>> user = User.objects.create_user('john', 'lennon@thebeatles.com', 'johnpassword')

# At this point, user is a User object that has already been saved
# to the database. You can continue to change its attributes
# if you want to change other fields.
>>> user.last_name = 'Lennon'
>>> user.save()

If you have the Django admin installed, you can also create users interactively.

★ 如何创建一个 User

Creating superusers

manage.py syncdb prompts you to create a superuser the first time you run it with 'django.contrib.auth'in your INSTALLED_APPS. If you need to create a superuser at a later date, you can use a command line utility:

$ python manage.py createsuperuser --username=joe --email=joe@example.com

You will be prompted for a password. After you enter one, the user will be created immediately. If you leave off the --username or the --email options, it will prompt you for those values.

★ 如何手动创建 superusers

Changing passwords

Django does not store raw (clear text) passwords on the user model, but only a hash (seedocumentation of how passwords are managed for full details). Because of this, do not attempt to manipulate the password attribute of the user directly. This is why a helper function is used when creating a user.

★ Django 不会明文保存密码。

To change a user’s password, you have several options:

manage.py changepassword *username* offers a method of changing a User’s password from the command line. It prompts you to change the password of a given user which you must enter twice. If they both match, the new password will be changed immediately. If you do not supply a user, the command will attempt to change the password whose username matches the current system user.

★ 用命令行来修改密码 

You can also change a password programmatically, using set_password():

>>> from django.contrib.auth.models import User
>>> u = User.objects.get(username__exact='john')
>>> u.set_password('new password')
>>> u.save()

★ 编程来修改密码， 用 set_password() 方法 

If you have the Django admin installed, you can also change user’s passwords on the authentication system’s admin pages.

★ 如果安装了 Django admin，可以在 authentication system’s admin pages 上修改密码。 

Django also provides views and forms that may be used to allow users to change their own passwords.

★ Django 也提供了 views 和 forms 来允许用户修改他们自己的密码。

Authenticating Users

authenticate( **credentials)

To authenticate a given username and password, use authenticate(). It takes credentials in the form of keyword arguments, for the default configuration this is username and password, and it returns a Userobject if the password is valid for the given username. If the password is invalid, authenticate()returns None. Example:

from django.contrib.auth import authenticate
user = authenticate(username='john', password='secret')
if user is not None:
    # the password verified for the user
    if user.is_active:
        print("User is valid, active and authenticated")
    else:
        print("The password is valid, but the account has been disabled!")
else:
    # the authentication system was unable to verify the username and password
    print("The username and password were incorrect.")

★ 使用 authenticate() 来验证一个给定的 username 和 password。当用户名和密码合法时，返回一个 User 对 

使用 authenticate() 来验证一个给定的 userna

Permissions and Authorization

Django comes with a simple permissions system. It provides a way to assign permissions to specific users and groups of users.

★ Django 自带一个简单的权限系统，提供了给 User 和 User组 赋予权限的功能。

It’s used by the Django admin site, but you’re welcome to use it in your own code.

★ Django admin site 提供了此功能。 

The Django admin site uses permissions as follows:

• Access to view the “add” form and add an object is limited to users with the “add” permission for that type of object.
• Access to view the change list, view the “change” form and change an object is limited to users with the “change” permission for that type of object.
• Access to delete an object is limited to users with the “delete” permission for that type of object.

★ Django admin site 如何提供的功能。 

Permissions can be set not only per type of object, but also per specific object instance. By using the has_add_permission(), has_change_permission() and has_delete_permission() methods provided by the ModelAdmin class, it is possible to customize permissions for different object instances of the same type.

★ 权限不光可以在每个类别的对象上进行操作，也可以对每个指定的对象实例进行操作。 

★ 通过 ModelAdmin 类提供的三个方法 has_add_permission(), has_change_permission() and has_delete_permission() 来定制同类型的对象（object）的不同实例的权限。 

User objects have two many-to-many fields: groups and user_permissions. User objects can access their related objects in the same way as any other Django model:

★ User 对象有两个many-to-many 属性：groups 和 user_permissions。 User 对象可以像其它 Django model 对象那样访问相关的对象。 

myuser.groups = [group_list]
myuser.groups.add(group, group, ...)
myuser.groups.remove(group, group, ...)
myuser.groups.clear()
myuser.user_permissions = [permission_list]
myuser.user_permissions.add(permission, permission, ...)
myuser.user_permissions.remove(permission, permission, ...)
myuser.user_permissions.clear()

★ user 对自带属性 groups 和 user_permissions 编辑（增删改）

Default permissions

When django.contrib.auth is listed in your INSTALLED_APPS setting, it will ensure that three default permissions – add, change and delete – are created for each Django model defined in one of your installed applications.

★ 当你配置了 django.conntrib.auth 的时候，三个默认的权限（add，change 和 delete ）被生成了，且这三个权限存在于每个你所配置的应用的 Django 模块里。

These permissions will be created when you run manage.py syncdb; the first time you run syncdb after adding django.contrib.auth to INSTALLED_APPS, the default permissions will be created for all previously-installed models, as well as for any new models being installed at that time. Afterward, it will create default permissions for new models each time you run manage.py syncdb.

★ 这三个权限当你 run manage.py syncdb的时候被创建。当你把 django.contrib.auth 写入 INSTALLED_APPS 的时候，默认的权限在你之前被安装过的app和你这次安装的app里被创建。 之后，每当你 run manage.py syncdb 的时候，默认权限会被赋予给新的模块。（讲了默认权限的赋予时机）

Assuming you have an application with an app_label foo and a model named Bar, to test for basic permissions you should use:

• add: user.has_perm('foo.add_bar')
• change: user.has_perm('foo.change_bar')
• delete: user.has_perm('foo.delete_bar')

★ 举例说明如何利用默认的权限，有一个名为foo的应用，在这个应用里有一个名为 Bar 的模块。 

The Permission model is rarely accessed directly.

★ permission 模块极少被直接使用 

Groups

django.contrib.auth.models.Group models are a generic way of categorizing users so you can apply permissions, or some other label, to those users. A user can belong to any number of groups.

★ django.contrib.auth.models.Group 模型是用来给 users 分类的，以便给 user 成组的赋予权限或其它的标签。一个 user 可以属于任意数目的组。 

A user in a group automatically has the permissions granted to that group. For example, if the group Site editors has the permission can_edit_home_page, any user in that group will have that permission.

★ 在组里的 user 自动拥有组所拥有的权限。 例如组 Site editors 有 can_edit_home_page 的权限，任何在那个组的 user 也将有那个权限。 

Beyond permissions, groups are a convenient way to categorize users to give them some label, or extended functionality. For example, you could create a group 'Special users', and you could write code that could, say, give them access to a members-only portion of your site, or send them members-only email messages.

★ 除了控制权限的功能，组也可以给 user 分类（区分 user 的身份）或方便地定制扩展功能。例如，可以创建一个 'Special users' 组，可以给他们提供类似会员的功能或给组成员群发邮件。

Programmatically creating permissions  ★ 编程创建权限

While custom permissions can be defined within a model’s Meta class, you can also create permissions directly. For example, you can create the can_publish permission for a BlogPost model in myapp:

from myapp.models import BlogPost
from django.contrib.auth.models import Group, Permission
from django.contrib.contenttypes.models import ContentType

content_type = ContentType.objects.get_for_model(BlogPost)
permission = Permission.objects.create(codename='can_publish',
                                       name='Can Publish Posts',
                                       content_type=content_type)

The permission can then be assigned to a User via its user_permissions attribute or to a Group via its permissions attribute.

★ 可以在 模型的 Meta 类里直接定制权限。例如，可以为一个在 myapp 应用里的 BlogPost 模型创建权限 can_publish。

★ 随后，可以给 user 赋予这个被创建的权限。 User 类有一个 user_permissions 属性，Group 有一个 permissions 属性。

Permission caching

The ModelBackend caches permissions on the User object after the first time they need to be fetched for a permissions check. This is typically fine for the request-response cycle since permissions are not typically checked immediately after they are added (in the admin, for example). If you are adding permissions and checking them immediately afterward, in a test or view for example, the easiest solution is to re-fetch the User from the database. For example:

★ ModelBackend 在User object 第一次检查权限时缓存了 User 的权限信息。有时候添加 User 后不需要检查权限信息，当添加User后需要立即检查（test或view）权限时，最好从db里重新取一次user。 下面是例子。

from django.contrib.auth.models import Permission, User
from django.shortcuts import get_object_or_404

def user_gains_perms(request, user_id):
    user = get_object_or_404(User, pk=user_id)
    # any permission check will cache the current set of permissions
    user.has_perm('myapp.change_bar')

    permission = Permission.objects.get(codename='change_bar')
    user.user_permissions.add(permission)

    # Checking the cached permission set
    user.has_perm('myapp.change_bar')  # False

    # Request new instance of User
    user = get_object_or_404(User, pk=user_id)

    # Permission cache is repopulated from the database
    user.has_perm('myapp.change_bar')  # True

    ...

Authentication in Web requests

Django uses sessions and middleware to hook the authentication system into request objects.

★ Django 用 sessions 和 中间件把权限系统绑定到 request_objects。

These provide a request.user attribute on every request which represents the current user. If the current user has not logged in, this attribute will be set to an instance of AnonymousUser, otherwise it will be an instance of User.

★ Django 给每个 request 提供了 一个 request.user 属性，这个属性代表当前的用户。 如果当前用户没有登录，request.user 就是 AnomousUser（游客） 的一个实例，登录后 request.user 是 User 的一个实例。 

You can tell them apart with is_authenticated(), like so:  ★ 像下面这样和 is_authenticated() 区分开来。 

if request.user.is_authenticated():  ★ 登陆后是 User 的一个实例 
    # Do something for authenticated users.
else:
    # Do something for anonymous users.  ★ 没有登陆，是游客的一个实例。

How to log a user in

If you have an authenticated user you want to attach to the current session - this is done with a login() function.

★ 如果你有一个已经验证过的 user ，并且想把它绑定到 session 上，用 login() 函数。 

login()

  To log a user in, from a view, use login(). It takes an HttpRequest object and a User object. login() saves the user’s ID in the session, using        Django’s session framework.

Note that any data set during the anonymous session is retained in the session after a user logs in.

★ 任何存放在 anonymous session 里的数据，在登陆以后仍然被保留在 session 里。

This example shows how you might use both authenticate() and login():

from django.contrib.auth import authenticate, login

def my_view(request):
    username = request.POST['username']
    password = request.POST['password']
    user = authenticate(username=username, password=password)
    if user is not None:
        if user.is_active:
            login(request, user)
            # Redirect to a success page.
        else:
            # Return a 'disabled account' error message
    else:
        # Return an 'invalid login' error message.

★ 登录一个 user，在 view 里，用 login() 方法。 给 login() 方法传递两个参数 HttpRequest 和 User object。 login() 方法把 user ID 存到 session 里。

Calling authenticate() first

When you’re manually logging a user in, you must call authenticate() before you call login(). authenticate() sets an attribute on the User noting which authentication backend successfully authenticated that user (see the backends documentation for details), and this information is needed later during the login process. An error will be raised if you try to login a user object retrieved from the database directly.

★ 登录 user 时， authenticate() 方法的调用要在 login() 之前。因为 authenticate() 方法要给 User 设置一个 user 已经通过验证的属性标志，这个属性标志在后来的 login 过程中要被用到。 如果直接 login 一个从 database 里取出来的 user ，会引发异常。

How to log a user out

logout()

To log out a user who has been logged in via django.contrib.auth.login(), use django.contrib.auth.logout() within your view. It takes an HttpRequest object and has no return value. Example:

from django.contrib.auth import logout

def logout_view(request):
    logout(request)
    # Redirect to a success page.

Note that logout() doesn’t throw any errors if the user wasn’t logged in.  ★ 如果用户没有登录， logout() 方法不会抛出异常。 

When you call logout(), the session data for the current request is completely cleaned out. All existing data is removed. This is to prevent another person from using the same Web browser to log in and have access to the previous user’s session data. If you want to put anything into the session that will be available to the user immediately after logging out, do that after calling django.contrib.auth.logout().

★ log out 一个已经登录的 user，在 view 里用 django.contrib.auth.logout() 方法。

★ 当调用 logout() 方法的时候，当前 request 里的 session 数据被完全的清除。所有既存数据被 remove 掉，防止其他用户用同一个浏览器上之前用户的 session 数据 login。所以你想给 logout 之后的 user 传递数据的话，时机只能在调用 django.contrib.auth.logout() 方法之后。

Limiting access to logged-in users

The raw way

The simple, raw way to limit access to pages is to check request.user.is_authenticated() and either redirect to a login page:

from django.shortcuts import redirect

def my_view(request):
    if not request.user.is_authenticated():
        return redirect('/login/?next=%s' % request.path)
    # ...

...or display an error message:

from django.shortcuts import render

def my_view(request):
    if not request.user.is_authenticated():
        return render(request, 'myapp/login_error.html')
    # ...

★ 传统的限制页面访问的方式是检查 request.user.is_authenticated() 方法。没有登陆，则重定向到登陆页面，或显示错误信息。

The login_required decorator

login_required( [ redirect_field_name=REDIRECT_FIELD_NAME, login_url=None ])

As a shortcut, you can use the convenient login_required() decorator:    ★ 用 login_required() 装饰器来检查用户是否登录。

from django.contrib.auth.decorators import login_required

@login_required
def my_view(request):
    ...

login_required() does the following:    

• If the user isn’t logged in, redirect to settings.LOGIN_URL, passing the current absolute path in the query string. Example: /accounts/login/?next=/polls/3/.
• If the user is logged in, execute the view normally. The view code is free to assume the user is logged in.

★ login_required 在用户没有登录时，会重定向到 settings.LOGIN_URL，通过 query string 传递当前的绝对路径。如果用户已经登录，正常执行 view ，此时 view 里的代码假设 user 是已经登录的。 

By default, the path that the user should be redirected to upon successful authentication is stored in a query string parameter called "next". If you would prefer to use a different name for this parameter, login_required() takes an optional redirect_field_name parameter:                                ★ 默认，当成功的认证后重定向的 path 在 next 里存储。 如果你想用不同的名字，login_required() 提供了一个可选的参数 redirect_field_name  

from django.contrib.auth.decorators import login_required

@login_required(redirect_field_name='my_redirect_field')
def my_view(request):
    ...

Note that if you provide a value to redirect_field_name, you will most likely need to customize your login template as well, since the template context variable which stores the redirect path will use the value of redirect_field_name as its key rather than "next" (the default).     ★ 如果给 redirect_field_name 提供了值， 那么必须定制登录模板，因为模板上下文要使用这个值。

login_required() also takes an optional login_url parameter. Example:  ★ login_required() 也提供了一个可选的 login_url 参数。

from django.contrib.auth.decorators import login_required

@login_required(login_url='/accounts/login/')
def my_view(request):
    ...

Note that if you don’t specify the login_url parameter, you’ll need to ensure that the settings.LOGIN_URL and your login view are properly associated. For example, using the defaults, add the following line to your URLconf:  ★ 如果没有提供 login_url 参数，必须确保 settings.LOGIN_URL 和 login view 被恰当的关联在一起。 例如，使用默认的，把下面这些东西加到 URLconf 里。 

(r'^accounts/login/$', 'django.contrib.auth.views.login'),

Changed in Django 1.5:

The settings.LOGIN_URL also accepts view function names and named URL patterns. This allows you to freely remap your login view within your URLconf without having to update the setting.

Note

The login_required decorator does NOT check the is_active flag on a user.   ★ login_required 装饰器不检查 is_active

Limiting access to logged-in users that pass a test

To limit access based on certain permissions or some other test, you’d do essentially the same thing as described in the previous section.

The simple way is to run your test on request.user in the view directly. For example, this view checks to make sure the user has an email in the desired domain:

def my_view(request):
    if not '@example.com' in request.user.email:
        return HttpResponse("You can't vote in this poll.")
    # ...

★测试用户是否具备某种登录的资格，硬编码到 view 里是原始的做法。

user_passes_test( func [,  login_url=None ])

As a shortcut, you can use the convenient user_passes_test decorator:1★ 用 user_passes_test 装饰器来测试这种资格（这样做代码可读性更好）

from django.contrib.auth.decorators import user_passes_test

def email_check(user):
    return '@example.com' in user.email

@user_passes_test(email_check)
def my_view(request):
    ...

user_passes_test() takes a required argument: a callable that takes a User object and returns True if the user is allowed to view the page. Note that user_passes_test() does not automatically check that the User is not anonymous.   ★ user_passes_test() 只要一个 User 对象作为参数，当 user 被验证通过可以执行 view 时返回 True 。user_passes_test() 不自动检查 User 是不是游客（anonymous）身份。

user_passes_test() takes an optional login_url argument, which lets you specify the URL for your login page (settings.LOGIN_URL by default).   ★ user_passes_test() 有一个额外可选的 login_url 参数，提供 login 的URL（默认为 settings.LOGIN_URL ）。

For example:0

@user_passes_test(email_check, login_url='/login/')
def my_view(request):
    ...

The permission_required decorator

permission_required( perm [,  login_url=None,  raise_exception=False ])

It’s a relatively common task to check whether a user has a particular permission. For that reason, Django provides a shortcut for that case: the permission_required() decorator.:★ 检查用户是否有某种特定的权限，Django 为此提供了一个便利的方法： permission_required() 装饰器。

from django.contrib.auth.decorators import permission_required

@permission_required('polls.can_vote')
def my_view(request):
    ...

As for the has_perm() method, permission names take the form "<app label>.<permission codename>"(i.e. polls.can_vote for a permission on a model in the polls application).

Note that permission_required() also takes an optional login_url parameter. Example:   ★ permission_required() 也有一个可选的 login_url 参数。 

from django.contrib.auth.decorators import permission_required

@permission_required('polls.can_vote', login_url='/loginpage/')
def my_view(request):
    ...

As in the login_required() decorator, login_url defaults to settings.LOGIN_URL.  ★ 和 login_required() 装饰器一样，login_url 的默认值也是 settings.LOGIN_URL 

If the raise_exception parameter is given, the decorator will raise PermissionDenied, prompting the 403 (HTTP Forbidden) view instead of redirecting to the login page.   ★ 如果给出 raise_exception 参数，装饰器会抛出 PermissionDenied，会转到 403view而不是登陆页面 

Applying permissions to generic views   ★ 这一小节是讲如何给通用视图提供权限认证 

To apply a permission to a class-based generic view, decorate the View.dispatch method on the class. See Decorating the class for details.

Authentication Views        ★ Django 发明了轮子，使得你可以方便的做登陆的验证

★ Django 提供了数个 view 处理 login，logout 和 password管理。这些充分利用了stock auth forms ,你也可以利用自己的 forms 

Django provides several views that you can use for handling login, logout, and password management. These make use of the stock auth forms but you can pass in your own forms as well.

★ Django 虽然提供了view和form，但是没有提供模板，下面提供了模板需要的上下文数据 

Django provides no default template for the authentication views - however the template context is documented for each view below.

★ 内建视图会返回一个 TemplateResponse 的实例，允许在渲染之前定制 response 数据。更多细节，参考下面的链接。

The built-in views all return a TemplateResponse instance, which allows you to easily customize the response data before rendering. For more details, see the TemplateResponse documentation.

★ 绝大多数内建的鉴定视图提供了 URL name。

Most built-in authentication views provide a URL name for easier reference. See the URL documentation for details on using named URL patterns.

login( request [,  template_name,  redirect_field_name,  authentication_form, current_app,  extra_context ])

URL name: login

See the URL documentation for details on using named URL patterns.

Optional arguments:  ★ 各种参数的设定

• template_name: The name of a template to display for the view used to log the user in. Defaults to registration/login.html.
• redirect_field_name: The name of a GET field containing the URL to redirect to after login. Defaults to next.
• authentication_form: A callable (typically just a form class) to use for authentication. Defaults to AuthenticationForm.
• current_app: A hint indicating which application contains the current view. See the namespaced URL resolution strategy for more information.
• extra_context: A dictionary of context data that will be added to the default context data passed to the template.

Here’s what django.contrib.auth.views.login does:  ★ 此方法的工作流程 

• If called via GET, it displays a login form that POSTs to the same URL. More on this in a bit.
• If called via POST with user submitted credentials, it tries to log the user in. If login is successful, the view redirects to the URL specified in next. If next isn’t provided, it redirects to settings.LOGIN_REDIRECT_URL (which defaults to /accounts/profile/). If login isn’t successful, it redisplays the login form.

It’s your responsibility to provide the html for the login template , called registration/login.html by default. This template gets passed four template context variables:  ★ 如何为 login 写 template

• form: A Form object representing the AuthenticationForm.   ★ form代表 AuthenticationForm
• next: The URL to redirect to after successful login. This may contain a query string, too.  ★ 成功登陆后，重定向到哪个 URL
• site: The current Site, according to the SITE_ID setting. If you don’t have the site framework installed, this will be set to an instance of RequestSite, which derives the site name and domain from the current HttpRequest.    ★ 参考The "Sites" framework 
• site_name: An alias for site.name. If you don’t have the site framework installed, this will be set to the value of request.META['SERVER_NAME']. For more on sites, see The “sites” framework.

★ 如果不使用 login.html默认的位置，如何设置自己的 template 并传递参数。 

If you’d prefer not to call the template registration/login.html, you can pass the template_name parameter via the extra arguments to the view in your URLconf. For example, this URLconf line would use myapp/login.html instead:

(r'^accounts/login/$', 'django.contrib.auth.views.login', {'template_name': 'myapp/login.html'}),

You can also specify the name of the GET field which contains the URL to redirect to after login by passing redirect_field_name to the view. By default, the field is called next.

★ 这是一个 login.html 的简单例子 

Here’s a sample registration/login.html template you can use as a starting point. It assumes you have a base.html template that defines a content block:

{% extends "base.html" %}

{% block content %}

{% if form.errors %}
<p>Your username and password didn't match. Please try again.</p>
{% endif %}

<form method="post" action="{% url 'django.contrib.auth.views.login' %}">
{% csrf_token %}
<table>
<tr>
    <td>{{ form.username.label_tag }}</td>
    <td>{{ form.username }}</td>
</tr>
<tr>
    <td>{{ form.password.label_tag }}</td>
    <td>{{ form.password }}</td>
</tr>
</table>

<input type="submit" value="login" />
<input type="hidden" name="next" value="{{ next }}" />
</form>

{% endblock %}

If you have customized authentication (see Customizing Authentication) you can pass a custom authentication form to the login view via the authentication_form parameter. This form must accept a request keyword argument in its __init__ method, and provide a get_user method which returns the authenticated user object (this method is only ever called after successful form validation).

★ 如果定制了权限检查，必须通过authentication_form 参数传递一个定制的 form 给 login view 。

logout( request [,  next_page,  template_name,  redirect_field_name,  current_app, extra_context ])

Logs a user out.  ★ 登出一个用户

URL name: logout

Optional arguments:    ★  可选的参数 

• next_page: The URL to redirect to after logout.
• template_name: The full name of a template to display after logging the user out. Defaults to registration/logged_out.html if no argument is supplied.
• redirect_field_name: The name of a GET field containing the URL to redirect to after log out. Defaults to next. Overrides the next_page URL if the given GET parameter is passed.
• current_app: A hint indicating which application contains the current view. See the namespaced URL resolution strategy for more information.
• extra_context: A dictionary of context data that will be added to the default context data passed to the template.

Template context:   ★ 模板上下文

• title: The string “Logged out”, localized.
• site: The current Site, according to the SITE_ID setting. If you don’t have the site framework installed, this will be set to an instance of RequestSite, which derives the site name and domain from the current HttpRequest.
• site_name: An alias for site.name. If you don’t have the site framework installed, this will be set to the value of request.META['SERVER_NAME']. For more on sites, see The “sites” framework.
• current_app: A hint indicating which application contains the current view. See the namespaced URL resolution strategy for more information.
• extra_context: A dictionary of context data that will be added to the default context data passed to the template.

logout_then_login( request [,  login_url,  current_app,  extra_context ])

Logs a user out, then redirects to the login page.  ★ 登出用户，重定向到 login 页面 

URL name: No default URL provided

Optional arguments:

• login_url: The URL of the login page to redirect to. Defaults to settings.LOGIN_URL if not supplied.
• current_app: A hint indicating which application contains the current view. See the namespaced URL resolution strategy for more information.
• extra_context: A dictionary of context data that will be added to the default context data passed to the template.

password_change( request [,  template_name,  post_change_redirect, password_change_form,  current_app,  extra_context ])

Allows a user to change their password.   ★ 改密码 

URL name: password_change

Optional arguments:

• template_name: The full name of a template to use for displaying the password change form. Defaults to registration/password_change_form.html if not supplied.
• post_change_redirect: The URL to redirect to after a successful password change.
• password_change_form: A custom “change password” form which must accept a user keyword argument. The form is responsible for actually changing the user’s password. Defaults to PasswordChangeForm.
• current_app: A hint indicating which application contains the current view. See the namespaced URL resolution strategy for more information.
• extra_context: A dictionary of context data that will be added to the default context data passed to the template.

Template context:

• form: The password change form (see password_change_form above).

password_change_done( request [,  template_name,  current_app,  extra_context ])

The page shown after a user has changed their password.  ★ 在用户密码修改成功后显示的页面 

URL name: password_change_done

Optional arguments:

• template_name: The full name of a template to use. Defaults to registration/password_change_done.html if not supplied.
• current_app: A hint indicating which application contains the current view. See the namespaced URL resolution strategy for more information.
• extra_context: A dictionary of context data that will be added to the default context data passed to the template.

password_reset( request [,  is_admin_site,  template_name,  email_template_name, password_reset_form,  token_generator,  post_reset_redirect,  from_email, current_app,  extra_context ])

Allows a user to reset their password by generating a one-time use link that can be used to reset the password, and sending that link to the user’s registered email address.  ★ 生成一次性链接，然后发给用户注册时的邮箱，帮助用户修改用户修改密码

If the email address provided does not exist in the system, this view won’t send an email, but the user won’t receive any error message either. This prevents information leaking to potential attackers. If you want to provide an error message in this case, you can subclass PasswordResetForm and use the password_reset_form argument.

Users flagged with an unusable password (see set_unusable_password() aren’t allowed to request a password reset to prevent misuse when using an external authentication source like LDAP. Note that they won’t receive any error message since this would expose their account’s existence but no mail will be sent either.

Changed in Django 1.6:

Previously, error messages indicated whether a given email was registered.

URL name: password_reset

Optional arguments:

• template_name: The full name of a template to use for displaying the password reset form. Defaults to registration/password_reset_form.html if not supplied.
• email_template_name: The full name of a template to use for generating the email with the reset password link. Defaults to registration/password_reset_email.html if not supplied.
• subject_template_name: The full name of a template to use for the subject of the email with the reset password link. Defaults to registration/password_reset_subject.txt if not supplied.
• password_reset_form: Form that will be used to get the email of the user to reset the password for. Defaults to PasswordResetForm.
• token_generator: Instance of the class to check the one time link. This will default to default_token_generator, it’s an instance of django.contrib.auth.tokens.PasswordResetTokenGenerator.
• post_reset_redirect: The URL to redirect to after a successful password reset request.
• from_email: A valid email address. By default Django uses the DEFAULT_FROM_EMAIL.
• current_app: A hint indicating which application contains the current view. See the namespaced URL resolution strategy for more information.
• extra_context: A dictionary of context data that will be added to the default context data passed to the template.

Template context:

• form: The form (see password_reset_form above) for resetting the user’s password.

Email template context:

• email: An alias for user.email
• user: The current User, according to the email form field. Only active users are able to reset their passwords (User.is_active is True).
• site_name: An alias for site.name. If you don’t have the site framework installed, this will be set to the value of request.META['SERVER_NAME']. For more on sites, see The “sites” framework.
• domain: An alias for site.domain. If you don’t have the site framework installed, this will be set to the value of request.get_host().
• protocol: http or https
• uid: The user’s primary key encoded in base 64.
• token: Token to check that the reset link is valid.

Sample registration/password_reset_email.html (email body template):

Someone asked for password reset for email {{ email }}. Follow the link below:
{{ protocol}}://{{ domain }}{% url 'password_reset_confirm' uidb64=uid token=token %}

Changed in Django 1.6:

Reversing password_reset_confirm takes a uidb64 argument instead of uidb36.

The same template context is used for subject template. Subject must be single line plain text string.

password_reset_done( request [,  template_name,  current_app,  extra_context ])

The page shown after a user has been emailed a link to reset their password. This view is called by default if the password_reset() view doesn’t have an explicit post_reset_redirect URL set.   ★ 你懂得

URL name: password_reset_done

Optional arguments:

• template_name: The full name of a template to use. Defaults to registration/password_reset_done.html if not supplied.
• current_app: A hint indicating which application contains the current view. See the namespaced URL resolution strategy for more information.
• extra_context: A dictionary of context data that will be added to the default context data passed to the template.

password_reset_confirm( request [,  uidb64,  token,  template_name, token_generator,  set_password_form,  post_reset_redirect,  current_app, extra_context ])

Presents a form for entering a new password.

URL name: password_reset_confirm

Optional arguments:

• uidb64: The user’s id encoded in base 64. Defaults to None.

  Changed in Django 1.6:

  The uidb64 parameter was previously base 36 encoded and named uidb36.

• token: Token to check that the password is valid. Defaults to None.

• template_name: The full name of a template to display the confirm password view. Default value is registration/password_reset_confirm.html.

• token_generator: Instance of the class to check the password. This will default to default_token_generator, it’s an instance of django.contrib.auth.tokens.PasswordResetTokenGenerator.

• set_password_form: Form that will be used to set the password. Defaults to SetPasswordForm

• post_reset_redirect: URL to redirect after the password reset done. Defaults to None.

• current_app: A hint indicating which application contains the current view. See the namespaced URL resolution strategy for more information.

• extra_context: A dictionary of context data that will be added to the default context data passed to the template.

Template context:

• form: The form (see set_password_form above) for setting the new user’s password.
• validlink: Boolean, True if the link (combination of uidb64 and token) is valid or unused yet.

password_reset_complete( request [,  template_name,  current_app, extra_context ])

Presents a view which informs the user that the password has been successfully changed.

URL name: password_reset_complete

Optional arguments:

• template_name: The full name of a template to display the view. Defaults to registration/password_reset_complete.html.

• current_app: A hint indicating which application contains the current view. See the namespaced URL resolution strategy for more information.
• extra_context: A dictionary of context data that will be added to the default context data passed to the template.

Helper functions

redirect_to_login( next [,  login_url,  redirect_field_name ])    ★ 重定向到 login ，登陆成功后返回到另一个 URL

Redirects to the login page, and then back to another URL after a successful login.

Required arguments:

• next: The URL to redirect to after a successful login.

Optional arguments:

• login_url: The URL of the login page to redirect to. Defaults to settings.LOGIN_URL if not supplied.
• redirect_field_name: The name of a GET field containing the URL to redirect to after log out. Overrides next if the given GET parameter is passed.

Built-in forms  

If you don’t want to use the built-in views, but want the convenience of not having to write forms for this functionality, the authentication system provides several built-in forms located in django.contrib.auth.forms: ★ 如果不想使用内建的视图，还不想重新写 forms （重新发明轮子），authentication 系统提供了数个内建的 form ，内建的 forms 在 django.contrib.auth.forms 里

Note

The built-in authentication forms make certain assumptions about the user model that they are working with. If you’re using a custom User model, it may be necessary to define your own forms for the authentication system. For more information, refer to the documentation about using the built-in authentication forms with custom user models.

class  AdminPasswordChangeForm

A form used in the admin interface to change a user’s password.

Takes the user as the first positional argument.

class  AuthenticationForm

A form for logging a user in.

Takes request as its first positional argument, which is stored on the form instance for use by sub-classes.

class  PasswordChangeForm

A form for allowing a user to change their password.

class  PasswordResetForm

A form for generating and emailing a one-time use link to reset a user’s password.

class  SetPasswordForm

A form that lets a user change his/her password without entering the old password.

class  UserChangeForm

A form used in the admin interface to change a user’s information and permissions.

class  UserCreationForm

A form for creating a new user.

Authentication data in templates

The currently logged-in user and his/her permissions are made available in the template context when you use RequestContext.

Technicality  ★ 变量当你设定后才可获得

Technically, these variables are only made available in the template context if you use RequestContext and your TEMPLATE_CONTEXT_PROCESSORS setting contains"django.contrib.auth.context_processors.auth", which is default. For more, see the RequestContext docs.

Users

When rendering a template  RequestContext , the currently logged-in user, either a  User  instance or an  AnonymousUser  instance, is stored in the template variable  {{ user }} :

{% if user.is_authenticated %}
    <p>Welcome, {{ user.username }}. Thanks for logging in.</p>
{% else %}
    <p>Welcome, new user. Please log in.</p>
{% endif %}

This template context variable is not available if a RequestContext is not being used.   ★ 当渲染一个 模板 RequestContext 时，当前无论是已经登陆的用户还是游客，他们的实例都存到模板变量 {{ user }} 里。

Permissions

The currently logged-in user’s permissions are stored in the template variable {{ perms }}. This is an instance of django.contrib.auth.context_processors.PermWrapper, which is a template-friendly proxy of permissions.  ★ 当前登陆用户的权限信息存在 {{ perms }} 里。 

In the {{ perms }} object, single-attribute lookup is a proxy to User.has_module_perms. This example would display True if the logged-in user had any permissions in the foo app:

{{ perms.foo }}

Two-level-attribute lookup is a proxy to User.has_perm. This example would display True if the logged-in user had the permission foo.can_vote:

{{ perms.foo.can_vote }}

Thus, you can check permissions in template {% if %} statements:

{% if perms.foo %}
    <p>You have permission to do something in the foo app.</p>
    {% if perms.foo.can_vote %}
        <p>You can vote!</p>
    {% endif %}
    {% if perms.foo.can_drive %}
        <p>You can drive!</p>
    {% endif %}
{% else %}
    <p>You don't have permission to do anything in the foo app.</p>
{% endif %}

New in Django 1.5:

Permission lookup by “if in”.   ★ v1.5 以后，可以用 in 来查找是否拥有权限。 

It is possible to also look permissions up by {% if in %} statements. For example:

{% if 'foo' in perms %}
    {% if 'foo.can_vote' in perms %}
        <p>In lookup works, too.</p>
    {% endif %}
{% endif %}

Managing users in the admin   ★ 讲如何利用 admin 来管理 Users 

When you have both django.contrib.admin and django.contrib.auth installed, the admin provides a convenient way to view and manage users, groups, and permissions. Users can be created and deleted like any Django model. Groups can be created, and permissions can be assigned to users or groups. A log of user edits to models made within the admin is also stored and displayed.

Creating Users

You should see a link to “Users” in the “Auth” section of the main admin index page. The “Add user” admin page is different than standard admin pages in that it requires you to choose a username and password before allowing you to edit the rest of the user’s fields.

Also note: if you want a user account to be able to create users using the Django admin site, you’ll need to give them permission to add users and change users (i.e., the “Add user” and “Change user” permissions). If an account has permission to add users but not to change them, that account won’t be able to add users. Why? Because if you have permission to add users, you have the power to create superusers, which can then, in turn, change other users. So Django requires add and change permissions as a slight security measure.

Changing Passwords

User passwords are not displayed in the admin (nor stored in the database), but the password storage details are displayed. Included in the display of this information is a link to a password change form that allows admins to change user passwords.