User management model mixins and api views.

`user_management.models.mixins.ActiveUserMixin` provides a base custom user mixin with `name`, `email`, `date_joined`, `is_staff`, and `is_active` fields.
`user_management.models.mixins.VerifyEmailMixin` extends `ActiveUserMixin` to provide functionality to verify the email. It includes an additional `email_verification_required` field.

By default users will be created with `is_active = False`, and a verification email will be sent including a link to verify the email and activate the account.
`user_management.models.mixins.AvatarMixin` adds an avatar field. The serializers require `django-imagekit`.
`user_management.api.avatar.views.ProfileAvatar` provides an endpoint to retrieve and update the logged-in user's avatar.

`user_management.api.avatar.views.UserAvatar` provides an endpoint to retrieve and update other users' avatars. Only admin users can update other users' data.

Both avatar views provide an endpoint to retrieve a thumbnail of the authenticated user's avatar. Thumbnail options can be specified as GET parameters. Options are:

- `width`: Specify the width (in pixels) to resize / crop to.
- `height`: Specify the height (in pixels) to resize / crop to.
- `crop`: Whether to crop or not [1,0]
- `anchor`: Where to anchor the crop [t,r,b,l]
- `upscale`: Whether to upscale or not [1,0]

If no options are specified the user's avatar is returned.

To crop the avatar to 100x100 anchored to the top right:

```
avatar?width=100&height=100&crop=1&anchor=tr
```
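The thumbnail options above arrive as untrusted query parameters, so a view should validate them before handing them to an image library (an unbounded `width` or `height` is a cheap way to burn CPU and memory). The following is an added example, not code from django-user-management: a small parser for exactly the five options listed, with an assumed upper bound `MAX_DIMENSION` and the assumed rule that `crop=1` needs both dimensions.

```python
# Added example (not part of django-user-management): parse and validate the
# avatar thumbnail query parameters before any image processing happens.
# MAX_DIMENSION and the "crop needs width and height" rule are assumptions.

MAX_DIMENSION = 2048            # assumed ceiling; keeps resizing cheap
VALID_ANCHOR_CHARS = {"t", "r", "b", "l"}
OPTION_NAMES = ("width", "height", "crop", "anchor", "upscale")


class InvalidThumbnailOptions(ValueError):
    """Raised when a parameter is malformed or out of range."""


def _parse_flag(params, name):
    """Read a [1,0] flag; anything other than '1' or '0' is rejected, not coerced."""
    value = params.get(name)
    if value is None:
        return False
    if value not in ("0", "1"):
        raise InvalidThumbnailOptions("%s must be 1 or 0" % name)
    return value == "1"


def _parse_dimension(params, name):
    """Read a pixel size and bound it to 1..MAX_DIMENSION."""
    value = params.get(name)
    if value is None:
        return None
    try:
        pixels = int(value)
    except ValueError:
        raise InvalidThumbnailOptions("%s must be an integer" % name)
    if not 1 <= pixels <= MAX_DIMENSION:
        raise InvalidThumbnailOptions("%s must be between 1 and %d" % (name, MAX_DIMENSION))
    return pixels


def parse_thumbnail_options(params):
    """Return validated options, or None when no option was supplied
    (the caller then returns the original avatar, as the docs describe)."""
    if not any(name in params for name in OPTION_NAMES):
        return None
    options = {
        "width": _parse_dimension(params, "width"),
        "height": _parse_dimension(params, "height"),
        "crop": _parse_flag(params, "crop"),
        "upscale": _parse_flag(params, "upscale"),
        "anchor": None,
    }
    if options["crop"] and not (options["width"] and options["height"]):
        raise InvalidThumbnailOptions("crop=1 requires both width and height")
    anchor = params.get("anchor")
    if anchor is not None:
        # e.g. "t", "r" or a two-letter corner such as "tr"
        if not anchor or len(anchor) > 2 or not set(anchor) <= VALID_ANCHOR_CHARS:
            raise InvalidThumbnailOptions("anchor must be built from t, r, b, l")
        options["anchor"] = anchor
    return options


def rejects(params):
    """True if the parser refuses these parameters (used for quick checks)."""
    try:
        parse_thumbnail_options(params)
    except InvalidThumbnailOptions:
        return True
    return False


if __name__ == "__main__":
    # The example query string from the docs, as a constructed parameter dict.
    print(parse_thumbnail_options({"width": "100", "height": "100", "crop": "1", "anchor": "tr"}))
```

In a DRF view, `request.query_params` can be passed straight in as `params`, and `InvalidThumbnailOptions` maps naturally to a 400 response.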
Install the package:

```shell
pip install django-user-management
```

Install with avatar functionality:

```shell
pip install django-user-management[avatar]
```

Install with filtering sensitive data out of Sentry:

```shell
pip install django-user-management[utils]
```
Create a custom user model:

```python
from django.contrib.auth.models import AbstractBaseUser, PermissionsMixin

from user_management.models.mixins import ActiveUserMixin


class User(ActiveUserMixin, PermissionsMixin, AbstractBaseUser):
    pass
```

If you want to use the `VerifyEmailMixin` then substitute it for `ActiveUserMixin`.

Make sure your custom user model is added to `INSTALLED_APPS` and set `AUTH_USER_MODEL` to your custom user model.
Dependencies:

- `djangorestframework`
- `incuna_mail`

The optional `AvatarMixin` functionality depends on `django-imagekit`.
Add to your `INSTALLED_APPS` in `settings.py`:

```python
INSTALLED_APPS = (
    ...
    'user_management.api',
    ...
)
```

Set your `DEFAULT_AUTHENTICATION_CLASSES`, for example:

```python
REST_FRAMEWORK = {
    # A tuple, not a set: DRF only imports dotted paths given in a list or tuple.
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.TokenAuthentication',
        'rest_framework.authentication.SessionAuthentication',
    ),
}
```
Add the urls to your `ROOT_URLCONF`:

```python
from django.conf.urls import include, url

urlpatterns = [
    ...
    url('', include('user_management.api.urls', namespace='user_management_api')),
    ...
]
```

If you are using the `VerifyEmailMixin` then also include `user_management.api.urls.verify_email`:

```python
urlpatterns = [
    ...
    url('', include('user_management.api.urls.verify_email')),
    ...
]
```

If you are using the `AvatarMixin` then also include `user_management.api.avatar.urls.avatar`:

```python
urlpatterns = [
    ...
    url('', include('user_management.api.avatar.urls.avatar')),
    ...
]
```

If you need more fine-grained control you can replace `user_management.api.urls` with a selection from:

```python
urlpatterns = [
    ...
    url('', include('user_management.api.urls.auth')),
    url('', include('user_management.api.urls.password_reset')),
    url('', include('user_management.api.urls.profile')),
    url('', include('user_management.api.urls.register')),
    ...
]
```
The `/auth/` and `/auth/password_reset/` URLs are protected by throttling using the built-in DRF throttle module.

The default throttle rates are:

- `'logins': '10/hour'`
- `'passwords': '3/hour'`

You can customise the throttling rates by setting `REST_FRAMEWORK['DEFAULT_THROTTLE_RATES']` in your `settings.py`:

```python
REST_FRAMEWORK = {
    'DEFAULT_THROTTLE_RATES': {
        'logins': '100/day',
        'passwords': '100/day',
    },
}
```
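To see what a rate string such as `'10/hour'` actually buys you, here is an added example (not the package's code, and not DRF's) that re-implements the sliding-window bookkeeping DRF's `SimpleRateThrottle` performs: it keeps the timestamps of recent requests per key, discards those older than the period, and refuses a request once the window is full. The client key and the spacing of attempts are constructed for the demonstration.

```python
# Added example: a stand-alone re-implementation of DRF's sliding-window
# throttle so the effect of rates like '10/hour' or '3/hour' can be simulated
# offline. Not django-user-management's or DRF's own code.
import collections

# DRF keys the period on its first letter: 'sec', 'min', 'hour', 'day'.
PERIOD_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_rate(rate):
    """'10/hour' -> (10, 3600): allowed requests and window length in seconds."""
    num, period = rate.split("/")
    return int(num), PERIOD_SECONDS[period[0]]


class SlidingWindowThrottle:
    """Allow at most `num_requests` per `duration` seconds for each key."""

    def __init__(self, rate, clock):
        self.num_requests, self.duration = parse_rate(rate)
        self.clock = clock                                # injectable for testing
        self.history = collections.defaultdict(list)      # key -> timestamps, newest first

    def allow_request(self, key):
        now = self.clock()
        history = self.history[key]
        # Drop timestamps that have fallen out of the window.
        while history and history[-1] <= now - self.duration:
            history.pop()
        if len(history) >= self.num_requests:
            return False                                  # would be a 429 in DRF
        history.insert(0, now)
        return True


def simulate_attempts(rate, attempts, seconds_between):
    """Return how many of `attempts` evenly spaced attempts from one client get through."""
    fake_clock = [0.0]
    throttle = SlidingWindowThrottle(rate, lambda: fake_clock[0])
    allowed = 0
    for _ in range(attempts):
        if throttle.allow_request("203.0.113.7"):         # constructed client address
            allowed += 1
        fake_clock[0] += seconds_between
    return allowed


if __name__ == "__main__":
    # 30 login attempts one minute apart against the default 'logins' rate.
    print(simulate_attempts("10/hour", 30, 60))
```

With the default `'logins': '10/hour'`, thirty attempts a minute apart let only the first ten through; the remaining twenty are refused until the oldest timestamp ages out of the hour-long window. Raising the rate to `'100/day'` as in the settings snippet above widens both the count and the window, so weigh that against the brute-force exposure of the login and password-reset endpoints.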
A custom Sentry logging class is available to disallow sensitive data being logged by the Sentry client. Activate it in `settings.py` by adding:

```python
SENTRY_CLIENT = 'user_management.utils.sentry.SensitiveDjangoClient'
```
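The point of a sensitive-data client is that a failed login or a stack trace must not ship the submitted password or the `Authorization` header to a third-party error tracker. The following is an added illustration of that idea, not the code behind `SensitiveDjangoClient`: a key-based scrubber that walks an event payload and masks values stored under names that look like credentials. The key pattern and the sample event are constructed.

```python
# Added example: mask credential-like fields in an error-report payload before
# it leaves the process. This is an illustration of the technique, not
# django-user-management's own Sentry client; the key pattern is an assumption.
import copy
import re

SENSITIVE_KEY = re.compile(
    r"password|passwd|secret|token|authorization|api_key|session|csrf", re.IGNORECASE
)
MASK = "********"


def scrub(data):
    """Return a deep copy of `data` with values under sensitive keys replaced by MASK.

    Recurses through nested dicts and lists; scalars are returned unchanged.
    """
    if isinstance(data, dict):
        return {
            key: MASK if isinstance(key, str) and SENSITIVE_KEY.search(key) else scrub(value)
            for key, value in data.items()
        }
    if isinstance(data, (list, tuple)):
        return [scrub(item) for item in data]
    return copy.copy(data)


# Constructed event resembling what a Django error-report client collects.
CONSTRUCTED_EVENT = {
    "message": "Login failed",
    "request": {
        "url": "https://example.test/auth/",
        "data": {"email": "alice@example.test", "password": "hunter2"},
        "headers": {"Authorization": "Token REDACTED-PLACEHOLDER", "User-Agent": "curl/7.0"},
        "cookies": {"sessionid": "abc123", "csrftoken": "xyz"},
    },
    "extra": {"attempts": [{"api_key": "k1"}, {"note": "fine"}]},
}


def scrub_event(event=CONSTRUCTED_EVENT):
    """Scrub the constructed event (or any event passed in) without mutating it."""
    return scrub(event)


if __name__ == "__main__":
    print(scrub_event())
```

Masking by key name catches the common cases cheaply; it does not catch a secret that was pasted into a free-text log message, so keep secrets out of log strings in the first place.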
By default DRF does not offer expiration for authorization tokens nor any form of validation for expired tokens. `django-user-management` helps here, and this functionality can be easily activated.

Override the authentication class for DRF in `settings.py`:

```python
REST_FRAMEWORK = {
    ...
    # Given as a tuple so DRF imports the dotted path and iterates the classes.
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'user_management.api.authentication.TokenAuthentication',
    ),
    ...
}
```
Remember to run the management command (e.g. via cronjob) to clear expired tokens:

```shell
python manage.py remove_expired_tokens
```
You can set a custom expiry time for the auth tokens. Add the constants below to `settings.py`:

```
AUTH_TOKEN_MAX_AGE = <milliseconds_value> (default: 200 days)
AUTH_TOKEN_MAX_INACTIVITY = <milliseconds_value> (default: 12 hours)
```
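The two settings bound a token in different ways: `AUTH_TOKEN_MAX_AGE` caps its total lifetime from creation, while `AUTH_TOKEN_MAX_INACTIVITY` expires it after a period without use, so a long-lived token that stops being used still dies quickly. The following added example (not the package's `TokenAuthentication` or `remove_expired_tokens`) shows both checks applied to constructed tokens; the field names `created` and `last_used` and the token keys are assumptions.

```python
# Added example: apply the max-age and max-inactivity limits described above
# to a set of constructed tokens. Not django-user-management's own code; the
# record fields and token keys are assumptions for the demonstration.
from datetime import datetime, timedelta, timezone

# The documented defaults, expressed in milliseconds as the settings expect.
AUTH_TOKEN_MAX_AGE = 200 * 24 * 60 * 60 * 1000        # 200 days
AUTH_TOKEN_MAX_INACTIVITY = 12 * 60 * 60 * 1000       # 12 hours


def token_is_live(created, last_used, now,
                  max_age_ms=AUTH_TOKEN_MAX_AGE,
                  max_inactivity_ms=AUTH_TOKEN_MAX_INACTIVITY):
    """A token is live only if it is both young enough and recently used."""
    within_age = now - created < timedelta(milliseconds=max_age_ms)
    within_inactivity = now - last_used < timedelta(milliseconds=max_inactivity_ms)
    return within_age and within_inactivity


def partition_tokens(tokens, now, **limits):
    """Split token records into (live_keys, expired_keys), like a cleanup job would."""
    live, expired = [], []
    for token in tokens:
        bucket = live if token_is_live(token["created"], token["last_used"], now, **limits) else expired
        bucket.append(token["key"])
    return live, expired


# Constructed clock and token records (keys are placeholders, not real tokens).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
CONSTRUCTED_TOKENS = [
    {"key": "TOKEN-FRESH", "created": NOW - timedelta(days=1),   "last_used": NOW - timedelta(hours=1)},
    {"key": "TOKEN-IDLE",  "created": NOW - timedelta(days=1),   "last_used": NOW - timedelta(hours=13)},
    {"key": "TOKEN-OLD",   "created": NOW - timedelta(days=201), "last_used": NOW - timedelta(minutes=1)},
]


if __name__ == "__main__":
    live, expired = partition_tokens(CONSTRUCTED_TOKENS, NOW)
    print("live:", live)
    print("expired:", expired)
```

`TOKEN-OLD` is still in active use, yet the age cap expires it; `TOKEN-IDLE` is young but has sat unused for longer than twelve hours. Loosening `AUTH_TOKEN_MAX_INACTIVITY` to a day, for instance, would keep `TOKEN-IDLE` alive, which is the trade-off to weigh when raising either limit.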