I have an end point to allow a user to log in and a super user can log in no problem but any other user is denied.
Here is the view:
@api_view(["POST"])
def LoginUser(request, *args, **kwargs):
email = request.data["email"]
password = request.data["password"]
exists = User.objects.filter(email=email)
if exists:
user = authenticate(email=email, password=password)
if user:
serializer = LoginSerializer(user)
token, created = Token.objects.get_or_create(user=user)
return Response(
{"id": serializer.data["id"], "Authorization": token.key},
status=HTTP_200_OK,
)
else:
return Response("Wrong email and/or password", status=HTTP_401_UNAUTHORIZED)
else:
return Response("Email is not registered, please register")
If I try and log another user in I get a unauthorized error n the console. But then why allow a superuser to login? It’s the same machine, same browser, same window
The user trying to authenticate has is_active=True?
it uses a custom backend for authentication here that is:
class EmailBackend(ModelBackend):
def authenticate(self, request, **kwargs):
UserModel = get_user_model()
try:
email = kwargs.get('email', None)
if email is None:
email = kwargs.get('username', None)
user = UserModel.objects.get(email=email)
if user.check_password(kwargs.get('password', None)):
return user
except UserModel.DoesNotExist:
return None
return None
Alright, can you show your User model?
Here you go:
class UserManager(BaseUserManager):
def create_user(self, email, password, username=None, role=None):
user = self.model(email=self.normalize_email(email))
user.set_password(password)
user.save()
return user
def create_superuser(self, email, password, role, username=None):
user = self.model(email=self.normalize_email(email))
user.set_password(password)
user.role = role
user.is_staff = True
user.is_active = True
user.is_superuser = True
user.save()
return user
class User(AbstractBaseUser, PermissionsMixin):
EM = 'EM'
SM = 'SM'
DH = 'DH'
ST = 'ST'
US = 'US'
ROLES = [
(EM, 'Executive Management'),
(SM, 'Senior Management'),
(DH, 'Department Head'),
(ST, 'Staff Member'),
(US, 'User'),
]
objects = UserManager()
role = models.CharField(max_length=2, choices=ROLES, default=US, blank=True)
username = models.CharField(max_length=20, unique=True, blank=True, null=True)
email = models.EmailField(max_length=255, unique=True)
slug = models.SlugField(blank=True, null=True)
is_active = models.BooleanField(default=False)
is_staff = models.BooleanField(default=False)
has_profile = models.BooleanField(default=False)
email_verified_at = models.DateTimeField(auto_now=False, null=True, blank=True)
code = models.CharField(max_length=8, null=True, blank=True)
created_at = models.DateTimeField(auto_now_add=True, verbose_name="Created at")
updated_at = models.DateTimeField(auto_now=True, verbose_name="Updated at")
class Meta:
verbose_name = "User"
verbose_name_plural = "Users"
ordering = ["username"]
db_table = "users"
def get_absolute_url(self):
return f"{self.slug}"
USERNAME_FIELD = 'email'
REQUIRED_FIELDS = ['role']
On your settings, do you have only your custom authentication backend?
Yes
AUTHENTICATION_BACKENDS = ["users.backends.EmailBackend"]
Have you already ran on a debug session through your EmailBackend?
Since you’re only using this backend to authenticate, even if the user has is_active=False your backend would being authenticating.
If you’re not familiar or comfortable using the debugger, throw some print statements in your EmailBackend, maybe you can figure it out the error with the output
Ok thank you I will do that