User Authentication
Master Django's authentication system for user management, permissions, and session handling.
60 min•By Priygop Team•Last updated: Feb 2026
Django Authentication System
Django provides a comprehensive authentication system that handles user accounts, groups, permissions, and sessions. It's secure, flexible, and easy to extend.
Authentication Views & Forms
Example
# views.py
from django.contrib import messages
from django.contrib.auth import login, logout, authenticate
from django.contrib.auth import update_session_auth_hash
from django.contrib.auth.decorators import login_required
from django.contrib.auth.forms import UserCreationForm, AuthenticationForm
from django.contrib.auth.mixins import LoginRequiredMixin
from django.shortcuts import render, redirect
from django.shortcuts import get_object_or_404
from django.views.decorators.http import require_POST

from .forms import CustomUserCreationForm
# User registration
def register(request):
    """Create a new account and sign the new user in.

    GET renders an empty registration form. POST validates the submitted
    data; a valid form is saved, the resulting user is logged in and the
    browser is redirected to ``home``. An invalid form is re-rendered with
    its errors.

    NOTE(review): the user passed to login() here did not come from
    authenticate(). If the project configures more than one entry in
    AUTHENTICATION_BACKENDS, login() needs an explicit ``backend=`` argument.
    """
    template = 'registration/register.html'

    if request.method != 'POST':
        return render(request, template, {'form': CustomUserCreationForm()})

    form = CustomUserCreationForm(request.POST)
    if not form.is_valid():
        # Bound form goes back to the template so field errors are shown.
        return render(request, template, {'form': form})

    new_user = form.save()
    login(request, new_user)
    messages.success(request, 'Account created successfully!')
    return redirect('home')
# User login
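def user_login(request):
    """Log a user in with Django's built-in ``AuthenticationForm``.

    GET renders an empty login form. POST validates the submitted
    credentials; on success the session is bound to the user and the browser
    is redirected to ``home``. On failure the bound form, carrying its
    validation errors, is re-rendered.

    NOTE: Django does not throttle login attempts on its own; rate limiting
    has to be added at the view, middleware or proxy layer.
    """
    if request.method == 'POST':
        form = AuthenticationForm(request, data=request.POST)
        if form.is_valid():
            # is_valid() has already called authenticate() with the request
            # and run the form's confirm_login_allowed() check. Calling
            # authenticate() again without the request would hash the
            # password a second time and hide the request from request-aware
            # backends, so use the user the form verified.
            user = form.get_user()
            username = form.cleaned_data.get('username')
            login(request, user)
            messages.success(request, f'Welcome back, {username}!')
            return redirect('home')
    else:
        form = AuthenticationForm()
    return render(request, 'registration/login.html', {'form': form})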
# User logout
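@require_POST
@login_required
def user_logout(request):
    """End the current session and redirect to ``home``.

    Restricted to POST. Logging out changes server-side state, and a view
    that does so on GET can be triggered by any third-party page that links
    to it. With CsrfViewMiddleware enabled, POST requests are CSRF-checked,
    so the logout control in the template has to be a form containing
    ``{% csrf_token %}`` rather than a plain link. Other methods get a 405.
    """
    logout(request)
    messages.info(request, 'You have been logged out.')
    return redirect('home')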
# Profile view
@login_required
def profile(request):
    """Render the profile page for the signed-in user.

    ``login_required`` redirects anonymous visitors to the login page, so
    ``request.user`` is always an authenticated user here.
    """
    context = {'user': request.user}
    return render(request, 'registration/profile.html', context)
# Password change
from django.contrib.auth.forms import PasswordChangeForm
@login_required
def password_change(request):
    """Let the signed-in user change their own password.

    GET renders an unbound ``PasswordChangeForm``. POST validates the
    submitted data (the form is bound to ``request.user``); on success the
    new password is saved and the browser is redirected to ``profile``.
    """
    if request.method != 'POST':
        form = PasswordChangeForm(request.user)
    else:
        form = PasswordChangeForm(request.user, request.POST)
        if form.is_valid():
            updated_user = form.save()
            # Saving a new password changes the user's session auth hash.
            # Refreshing it keeps the current session logged in; the user's
            # other sessions are invalidated by the password change.
            update_session_auth_hash(request, updated_user)
            messages.success(request, 'Password changed successfully!')
            return redirect('profile')
    return render(request, 'registration/password_change.html', {'form': form})
# Custom user model (optional)
from django.contrib.auth.models import AbstractUser
from django.db import models
class CustomUser(AbstractUser):
    """User model that extends ``AbstractUser`` with optional profile fields.

    NOTE(review): a custom user model only takes effect when the project's
    AUTH_USER_MODEL setting points at it, and that is normally decided before
    the first migration is applied. Confirm against the project settings.
    """

    # max_length on a TextField only limits the auto-generated form widget;
    # it is not enforced at the model or database level.
    bio = models.TextField(max_length=500, blank=True)
    birth_date = models.DateField(null=True, blank=True)
    # User-supplied upload, stored under the 'avatars/' directory of the
    # media storage. ImageField checks that the file is a valid image but
    # sets no size limit; cap upload size in the form or at the web server.
    avatar = models.ImageField(upload_to='avatars/', blank=True)

    def __str__(self):
        """Return the username as the display representation."""
        return self.username
# User permissions and groups
from django.contrib.auth.models import Group, Permission
# Create a group
# get_or_create() returns the existing 'Editors' group or inserts it;
# `created` is True only when a new row was inserted.
# NOTE(review): these statements write to the database. Presumably they are
# meant for a shell session, data migration or management command rather than
# the module level of views.py. Confirm where they are run.
editors_group, created = Group.objects.get_or_create(name='Editors')
# Add permissions to group
# The filter has no codename condition, so it selects every permission
# registered for the blog app's post model, including delete. set() replaces
# the group's current permissions with that queryset. Add a codename filter
# (e.g. codename__in=[...]) if editors should get less than full access.
post_permissions = Permission.objects.filter(
    content_type__app_label='blog',
    content_type__model='post'
)
editors_group.permissions.set(post_permissions)
# Add user to group
# `user` is not defined in this listing; it has to be an existing user
# instance obtained elsewhere.
user.groups.add(editors_group)
# Check permissions in views
@login_required
def admin_panel(request):
    """Render the admin panel for users holding ``blog.can_publish_post``.

    Signed-in users without the permission get an error message and are
    redirected to ``home``. Note that has_perm() returns True for every
    active superuser, whatever permissions are assigned.
    """
    if not request.user.has_perm('blog.can_publish_post'):
        messages.error(request, 'You do not have permission to access this page.')
        return redirect('home')
    # Show admin panel
    return render(request, 'admin/panel.html')
# Custom permission check
def can_edit_post(user, post):
    """Return whether *user* may edit *post*.

    Editing is allowed for the post's author and for any user holding the
    ``blog.can_edit_all_posts`` permission.
    """
    # Ownership is checked first, so authors never need the global permission.
    if user == post.author:
        return True
    return user.has_perm('blog.can_edit_all_posts')
@login_required
def post_edit(request, pk):
    """Edit the post identified by *pk*, if the signed-in user is allowed to.

    Responds with 404 when no post has that primary key. Users who fail the
    ``can_edit_post`` check get an error message and are redirected to the
    post's detail page. The edit logic itself is elided in this listing.

    NOTE(review): ``Post`` is not imported anywhere in this listing; it has
    to be imported from the app that defines the model.
    """
    post = get_object_or_404(Post, pk=pk)
    # Object-level authorization: login_required only proves the user is
    # signed in, so ownership or the global edit permission is checked
    # against this specific post before any edit is processed.
    if not can_edit_post(request.user, post):
        messages.error(request, 'You do not have permission to edit this post.')
        return redirect('post_detail', pk=pk)
    # Continue with edit logic...