Use the correct Django authentication mechanism, and store `_auth_user_id` and `_auth_user_backend` in the session
diff --git a/xos/core/xoslib/methods/loginview.py b/xos/core/xoslib/methods/loginview.py
index b212068..8a25ea4 100644
--- a/xos/core/xoslib/methods/loginview.py
+++ b/xos/core/xoslib/methods/loginview.py
@@ -17,6 +17,7 @@
from xos.exceptions import *
from django.contrib.sessions.backends.db import SessionStore
from django.contrib.sessions.models import Session
+from django.contrib.auth import authenticate
class LoginView(APIView):
method_kind = "list"
@@ -29,17 +30,14 @@
if not password:
raise XOSMissingField("No password specified")
- u = User.objects.filter(email=username)
+ u=authenticate(username=username, password=password)
if not u:
- raise XOSNotFound("User %s does not exist" % username)
-
- u=u[0]
-
- if not u.check_password(password):
- raise PermissionDenied("Incorrect password")
+ raise PermissionDenied("Failed to authenticate user %s" % username)
auth = {"username": username, "password": password}
request.session["auth"] = auth
+ request.session['_auth_user_id'] = u.pk
+ request.session['_auth_user_backend'] = u.backend
request.session.save()
return Response({"xoscsrftoken": django.middleware.csrf.get_token(request),
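Review bot: The two added session writes (`request.session['_auth_user_id'] = u.pk` and `request.session['_auth_user_backend'] = u.backend`) hand-roll what `django.contrib.auth.login(request, u)` does, but skip the parts that matter for session security: `login()` rotates the session key so a session id obtained before authentication is not promoted to a logged-in one, and on Django 1.7 and later it also stores the `_auth_user_hash` value that `get_user()` checks to invalidate sessions after a password change. I would replace the two added lines with `login(request, u)` and extend the import in the first hunk to `from django.contrib.auth import authenticate, login`. With that in place, the context lines `auth = {"username": username, "password": password}` / `request.session["auth"] = auth` keep a plaintext password in server-side session storage for no remaining purpose, and I would drop them in the same change (or at least the password field) unless another consumer of `session["auth"]` is found. Note that the removed lookup filtered by `email=username` while `authenticate(username=..., password=...)` resolves through the user model's `USERNAME_FIELD`; that is presumably `email` here, but it is worth confirming so existing logins do not silently start failing. The surrounding method continues past the hunk.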
@@ -76,6 +74,9 @@
if "auth" in session:
del session["auth"]
session.save()
+ if "_auth_user_id" in session:
+ del session["_auth_user_id"]
+ session.save()
return Response("Logged Out")
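Review bot: The logout path now clears `_auth_user_id` but leaves `_auth_user_backend` (written by the login hunk) in the session, so the two keys the login view sets are no longer removed as a pair, and `session.save()` is now called twice in a row for what should be one write. Rather than deleting keys one by one, the three blocks could collapse to a single `session.flush()`, which discards the session data server-side and regenerates the key so a logged-out session id cannot be reused; if the intent is to keep the session object, at least add `if "_auth_user_backend" in session: del session["_auth_user_backend"]` next to the new block. The enclosing function starts outside the hunk, so whether `session` here is `request.session` or a `SessionStore` loaded by key is not visible; if it is the latter, `flush()` still applies but `django.contrib.auth.logout(request)` would not.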