> > As a maintainer of many Django sites, I would often like to see a very
> > small feature implemented, that could make life a lot easier for me:
> > To force my users to set their own password.
>
> First, to me, this is not obviously a 'very small feature'.
>
> Second, is there any reason it has to be in core? Ideally it could be
> implemented in 3rd party library. At that point it would be useful to
> you, and we could assess whether it is general enough to be in core.

I'm sorry if "core" was the wrong use... "contrib.auth" is what I
meant.

How do you find it an invasive change? I think it could be solved
easily, even without being backwards incompatible.

This type of login behavior is standard in Google Apps, which is why I
find it not to be something I've made up just for my own needs!

Here's a way to do it:

When a user has never been logged in, User.last_login is the same as
User.date_joined -- so we actually do not need a new model field! We
can rely on this behavior as a sort of "intended" logical derivation
from the fact that they are equal :) Furthermore, I would propose of
course to make the behavior configurable and turned off by default.

The whole conditional redirect could easily be put in
django.contrib.auth.views - all we need to do is put 4 lines of code
on each side of auth_login(request, user) in the login(...) view -
like 'dis:

def login(request, template_name='registration/login.html',
          redirect_field_name=REDIRECT_FIELD_NAME,
          authentication_form=AuthenticationForm,
          current_app=None, extra_context=None):
    """
    Displays the login form and handles the login action.
    """
    (...)
    if form.is_valid():
        (...)
        # The form is valid... and now I would propose inserting
        # something like:
        user = form.get_user()
        force_password_reset = False
        # Check before auth_login(), while last_login still holds its
        # pre-login value.
        if (settings.AUTH_FORCE_USER_PASSWORD_RESET and
                user.last_login == user.date_joined):
            force_password_reset = True

        # Okay, security checks complete. Log the user in.
        auth_login(request, user)

        if force_password_reset:
            # Manipulate last_login so that the user will be
            # consistently redirected on each login, until the
            # password is reset.
            user.last_login = user.date_joined
            user.save()
            redirect_to = reverse('django.contrib.auth.views.password_reset')
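
The login flow proposed above, modelled without Django so the state changes can be followed end to end. This is an added example, not code from the original post or from Django: the `User` dataclass, `PASSWORD_RESET_URL`, `change_password()` and the sample timestamps are constructed for illustration, and it assumes the password-change step moves `last_login` away from `date_joined`, which the post does not show.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

AUTH_FORCE_USER_PASSWORD_RESET = True    # setting name from the post
PASSWORD_RESET_URL = "/password_reset/"  # hypothetical path for this sketch


@dataclass
class User:  # stand-in for the contrib.auth user, not the real model
    date_joined: datetime
    last_login: datetime
    password: str


def login(user, now, default_redirect="/", enabled=AUTH_FORCE_USER_PASSWORD_RESET):
    """Return the post-login redirect target, following the post's logic."""
    # Decide before last_login is touched: equal timestamps mean "never logged in".
    force = enabled and user.last_login == user.date_joined
    user.last_login = now  # logging in updates last_login
    if force:
        # Restore the marker so every later login keeps redirecting.
        user.last_login = user.date_joined
        return PASSWORD_RESET_URL
    return default_redirect


def change_password(user, new_password, now):
    """Assumed step: advancing last_login is what ends the forced redirect."""
    user.password = new_password
    user.last_login = now


def demo():
    t0 = datetime(2011, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed sample time
    u = User(date_joined=t0, last_login=t0, password="set-by-admin")
    results = [login(u, t0 + timedelta(hours=1)),   # first login
               login(u, t0 + timedelta(hours=2))]   # password still unchanged
    change_password(u, "chosen-by-user", t0 + timedelta(hours=3))
    results.append(login(u, t0 + timedelta(hours=4)))
    # Edge case: timestamps written by two separate clock reads do not compare
    # equal, so such an account is never sent to the reset page.
    drift = User(t0, t0 + timedelta(microseconds=7), "set-by-admin")
    results.append(login(drift, t0 + timedelta(hours=1)))
    return results


if __name__ == "__main__":
    print(demo())
```

The last case is the one to check in a real deployment: the equality test only works for accounts whose two timestamps were written from the same value.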