
I am building a system where many accounts will not have login credentials (e.g. companies) unless specifically provided. In order to achieve this, I have the following account model (not implemented yet, currently designing on a piece of paper):

Table: Account
  Fields: ID, fname, lname, type, created_at, activated_at

Table: AccountCredentials
  Fields: Account ID, email, password

Relations:
  Account <- 1-to-1 -> AccountCredentials

All permissions, operations etc. will be performed over the Account model; so, the Account model will be the Django auth user model.

I have used custom User models and managers before; however, this is something I am not sure how to implement.

How should I tell the AbstractBaseUser model to authenticate using credentials.email and credentials.password (credentials being the relation name between Account and AccountCredentials)? From checking the AbstractBaseUser source code and checking some files, it seems like I can override the get_username method so that the username field is read from credentials. However, I am not sure how to do the same for password, as it is hard-coded in the model.

Gasim

Comments:
  • If a company had an `Account` but not the ability to login, what would they do & what would be the purpose of the system to them? – markwalker_ Jan 04 '19 at 23:03
  • Only users (not companies, and not necessarily all users -- some users can just be created for bookkeeping purposes). I did not show the rest of the tables, but I have a table for mapping accounts to each other. This way, a single user can access resources of other accounts given the permissions. – Gasim Jan 04 '19 at 23:12
  • In that case, you can create a user account without a password, so you could just keep it simple & use the standard `User` model. Otherwise you can create a custom user model, which would probably be best as your credentials model because they'd authenticate. But you can also change the authentication backend; consider the security implications of doing that yourself. Start with the custom user: https://docs.djangoproject.com/en/2.1/topics/auth/customizing/#specifying-a-custom-user-model – markwalker_ Jan 04 '19 at 23:19
  • In the past, I have created a custom User using AbstractBaseUser + a custom Manager, and typically I am very happy with the results. However, the problem that I have for this scenario is that I want to remove the password field when subclassing AbstractBaseUser. If I can achieve that, I have essentially solved my biggest problem. I am going to play with this for a bit and see what happens. Thank you for the help! – Gasim Jan 04 '19 at 23:29
  • Well, consider that a user without a password isn't a user. Maybe create a `Company` or `Client` model with an optional FK to the `User` so that you can add companies, or users, or both. – markwalker_ Jan 04 '19 at 23:44
  • I know what you mean, but that's not the case though. I am planning on having service accounts where they are going to have API keys etc. Their username is not going to be an email address but some form of GUID. These are the issues that I want to avoid by separating credentials from the user. Secondly, Django's auth user is used everywhere; that's why I want to change it. Currently I have a dummy user field that is always NULL because I am not allowed to remove it. However, I have already separated credentials into another field. – Gasim Jan 05 '19 at 10:11
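A pure-Python stand-in for the split the question describes, added here as an example (it is neither Django's code nor the asker's): credentials sit on a separate record, the stored hash uses Django's `pbkdf2_sha256$iterations$salt$hash` encoding so rows written by Django would verify the same way, and the lookup hashes against a dummy row when no e-mail matches, which is the timing-equalization step Django's own ModelBackend performs and the kind of detail the "security implications" comment is pointing at when you write your own backend. `Account`, `AccountCredentials` and `authenticate` follow the question's names; the iteration count is an assumption chosen only to keep the example fast.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional
ALGORITHM = "pbkdf2_sha256"  # Django's default hasher; the encoding below matches its rows
ITERATIONS = 100_000  # assumption: below Django's current default, only to keep the example fast

def make_password(raw: str, iterations: int = ITERATIONS) -> str:
    """Encode like Django: algorithm$iterations$salt$base64(hash)."""
    salt = secrets.token_urlsafe(16)  # never contains '$', so split() stays unambiguous
    digest = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt.encode(), iterations)
    return f"{ALGORITHM}${iterations}${salt}${base64.b64encode(digest).decode().strip()}"

def check_password(raw: str, encoded: str) -> bool:
    """Constant-time compare; False for unknown algorithms or malformed rows."""
    try:
        algorithm, iterations, salt, hash_b64 = encoded.split("$", 3)
    except ValueError:
        return False
    if algorithm != ALGORITHM or not iterations.isdigit():
        return False
    digest = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt.encode(), int(iterations))
    return hmac.compare_digest(base64.b64encode(digest).strip(), hash_b64.encode())

@dataclass
class AccountCredentials:  # the 1-to-1 table from the question
    email: str
    password: str  # encoded hash, never the raw password

@dataclass
class Account:
    id: int
    type: str
    is_active: bool = True
    credentials: Optional[AccountCredentials] = None  # None for companies, bookkeeping rows

# Hashed when no e-mail matches, so an unknown address costs as much time as a wrong password
# (Django's ModelBackend does likewise with a throwaway set_password() on an unsaved user).
_DUMMY = make_password(secrets.token_urlsafe(32))

def authenticate(accounts: List[Account], email: str, raw_password: str) -> Optional[Account]:
    """Return the matching active Account, else None; rows without credentials never log in."""
    for acct in accounts:
        if acct.credentials is not None and acct.credentials.email == email:
            ok = check_password(raw_password, acct.credentials.password)
            return acct if ok and acct.is_active else None
    check_password(raw_password, _DUMMY)  # equalize timing; result deliberately ignored
    return None
```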
