#36204: Request to Add User Login & Authentication Example to the Official
Django First Steps tutorial
-------------------------------+--------------------------------------
Reporter: dj-user-10 | Owner: (none)
Type: New feature | Status: new
Component: Documentation | Version: 5.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------
Changes (by Tim Graham):
* component: Uncategorized => Documentation
* resolution: invalid =>
* status: closed => new
* summary: Ticket rejected as spam =>
Request to Add User Login & Authentication Example to the Official
Django First Steps tutorial
* type: Uncategorized => New feature
Old description:
> I'm trying to write a legitimate ticket yet I keep getting:
>
> SpamBayes determined spam probability of 79.88%
> StopForumSpam says this is spam (ip [0.43])
>
> How can I submit a ticket?
New description:
A new user starts a Django project. What's the first thing they do? Look
at the documentation? No, the documentation is a bit overwhelming. The
first thing they want is a simple example. The first thing they do is to
walk through the tutorial (
https://docs.djangoproject.com/en/5.1/intro/tutorial01/ ) and try to
imitate it.
However, there is a problem. The tutorial has a huge hole: there's no
information on how to create user accounts for the website. What dynamic
website does *not* have user accounts? There are precious few cases where
you'd want a dynamic, python-, database-powered website which does not
have users. Yet, the tutorial---surprisingly---omits this. Tutorial 5 is
already delving into automated testing. What Django user would care about
the advanced topic of writing automated testing before the basic necessity
of creating users? Every Django developer needs this. It should be
included in the tutorial.
The page https://docs.djangoproject.com/en/5.1/ even has examples of ‘Part
7: Customizing the admin site’ and ‘Part 8: Adding third-party packages’.
As a long-time Django user, I’ve never once had the faintest desire to
customize the admin site. Not to say it shouldn’t be included—the more
examples the better—but the priorities seem misplaced. Contrast this state
of affairs to, say, Ruby on Rails
(https://guides.rubyonrails.org/security.html#authentication) :
"Authentication is often one of the first features implemented in a web
application. It serves as the foundation for securing user data and is
part of most modern web applications... Starting with version 8.0, Rails
comes with a default authentication generator, which provides a solid
starting point for securing your application by only allowing access to
verified users."
I couldn't have said it better myself. Rails foregrounds this, while in
Django it seems like an ugly secret hidden behind a curtain.
Further evidence: as of this writing, the first hit on Google for "django
tutorial" is the official docs: "Writing your first Django app, part 1" (
https://docs.djangoproject.com/en/5.1/intro/tutorial01/ ), as it should
be. However, the first hit on Google for "django users tutorial" or
"django users login tutorial" is Mozilla's "Django Tutorial Part 8: User
authentication and permissions" (
https://developer.mozilla.org/en-US/docs/Learn/Server-side/Django/Authentication ),
not the Django page itself.
Aside from the tutorial omission, the user login/logout/authentication
setup in Django seems clunky. My suspicion is that this is the real reason
it's left out of the Django tutorial. For example, to do something every
user needs, like password reset, in your own project you have to borrow it
from
'site-packages/django/contrib/admin/templates/registration/password_reset_done.html'.
Copying stuff from deep in contrib/admin and repurposing it doesn't seem
like it should be a first choice. Maybe all of this is supposed to be
outsourced to Django AllAuth, or something, but it seems like a big
shortcoming to me — especially given how delicate authentication matters
are. Or maybe I have this all wrong, and this is not the way to proceed.
But I don't know because there's no simple example to follow in the
tutorial!
I could even try writing this portion of the tutorial myself and filing a
pull request if you would like. But I'm not sure I'd get it right. (And
forgive my polemical style --- it's out of love!)
--
Ticket URL: <https://code.djangoproject.com/ticket/36204#comment:3>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.