django user with email as pk - hack possible?


Question

I read a lot about the topic, but didn't find anything that sounded as satisfactory as an idea of mine, and also don't see why it would raise problems. So if you can give it a look...

I want to change user authentication in mid-project, i.e. avoid using a custom user model, since this requires to be done before the first migration.

Can I just modify the email field to editable=False in the django.contrib.user.models and add a modified save(), so the email is updated from the username? Or the other way round? Pro

And another distinct general question: Would I do such things in the venv, or can I copy the whole auth-folder as a local app?

Recommended answer

Firstly, your title doesn't seem to have anything to do with your question; which is a good thing, because using email as a primary key is an incredibly bad idea. People change email addresses all the time, but a PK must stay constant.

Secondly, you should absolutely not copy the contrib.auth code. Apart from anything else, this wouldn't solve your problems with the migrations, it would just make them worse.

A much better solution would be to add a pre-save signal on User, which you can do from anywhere in your project (ideally in an AppConfig ready method). And you don't need to change the model in order to make email uneditable; you should do that in the forms that use that model.
