> > As a maintainer of many Django sites, I would often like to see a very
> > small feature implemented, that could make life a lot easier for me:
> > To force my users to set their own password.
>
> First, to me, this is not obviously a 'very small feature'.
>
> Second, is there any reason it has to be in core? Ideally it could be
> implemented in a 3rd party library. At that point it would be useful to
> you, and we could assess whether it is general enough to be in core.

I'm sorry if "core" was the wrong use... "contrib.auth" is what I meant.

How so do you find it an invasive change? I think it could be solved easily, even without being backwards incompatible. This type of login behavior is standard in Google Apps, which is why I find it not to be something I've made up just for my own needs!

Here's a way to do it:

When a user has never been logged in, User.last_login is the same as User.date_joined -- so we actually do not need a new model field! We can rely on this behavior as a sort of "intended" logical derivation from the fact that they are equal :)

Furthermore, I would propose of course to make the behavior configurable and turned off by default.

The whole conditional redirect could easily be put in django.contrib.auth.views - all we need to do is put 4 lines of code on each side of auth_login(request, user) in the login(...) view - like 'dis:

    def login(request, template_name='registration/login.html',
              redirect_field_name=REDIRECT_FIELD_NAME,
              authentication_form=AuthenticationForm,
              current_app=None, extra_context=None):
        """
        Displays the login form and handles the login action.
        """
        (...)
        if form.is_valid():
            (...)
            # The form is valid... and now I would propose inserting something like:
            user = form.get_user()
            force_password_reset = False
            if settings.AUTH_FORCE_USER_PASSWORD_RESET and user.last_login == user.date_joined:
                force_password_reset = True

            # Okay, security checks complete. Log the user in.
            auth_login(request, user)

            if force_password_reset:
                # Manipulate last_login so that the user will be consistently
                # redirected on each login, until the password is reset.
                user.last_login = user.date_joined
                user.save()
                redirect_to = reverse('django.contrib.auth.views.password_reset')
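
An added example, not part of the original message and not Django code: a framework-free Python model that compares the timestamp heuristic proposed above with an explicit per-account flag checked on every request. The Account class, the URL paths and the microsecond skew between the two timestamps are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

PASSWORD_CHANGE_PATH = "/accounts/password_change/"          # hypothetical URL
EXEMPT_PATHS = {PASSWORD_CHANGE_PATH, "/accounts/logout/"}   # hypothetical URLs

@dataclass
class Account:
    """Stand-in for a user record (constructed for this example)."""
    date_joined: datetime
    last_login: datetime
    must_change_password: bool = True  # explicit flag set at account creation

def never_logged_in_by_timestamps(acct):
    """Heuristic from the message: equal timestamps mean 'never logged in'."""
    return acct.last_login == acct.date_joined

def record_login(acct, now):
    """A successful login moves last_login forward."""
    acct.last_login = now

def gate(acct, path):
    """Per-request check: serve the path, or force the password-change page."""
    if acct.must_change_password and path not in EXEMPT_PATHS:
        return PASSWORD_CHANGE_PATH
    return path

def complete_password_change(acct):
    """Clear the flag only once a new password has actually been set."""
    acct.must_change_password = False

def demo():
    t0 = datetime(2011, 1, 1, 12, 0, 0)  # constructed sample time
    # Both fields written from one clock read: the heuristic holds.
    same = Account(date_joined=t0, last_login=t0)
    # Fields written from two clock reads (assumed 7 microseconds apart).
    skewed = Account(date_joined=t0, last_login=t0 + timedelta(microseconds=7))
    results = {
        "same_clock": never_logged_in_by_timestamps(same),
        "two_clocks": never_logged_in_by_timestamps(skewed),
    }
    # Any login overwrites last_login, so the heuristic is lost unless the
    # field is written back afterwards, as the proposal does.
    record_login(same, t0 + timedelta(days=1))
    results["after_login"] = never_logged_in_by_timestamps(same)
    # The explicit flag survives logins and is enforced on every request,
    # not only on the redirect that follows the login form.
    results["gate_before"] = gate(same, "/dashboard/")
    complete_password_change(same)
    results["gate_after"] = gate(same, "/dashboard/")
    return results
```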