Search code examples
djangotastypie

In Tastypie, why the password is not written in database when creating new user?

I'm trying to create new users (+ their profile), and it seems to be good (response 201) but the password is empty on the database.

I have the following model:

class CliProfile(models.Model):
    user = models.OneToOneField(User, related_name='cliuser')
    # other stuff

and the following resources:

class CliProfileResource(ModelResource):

    user = fields.ForeignKey(UserResource, 'user', full=True)

    class Meta(CommonResourceMeta):
        queryset = CliProfile.objects.all()
        resource_name = 'client_infos'
        fields = ['id']
        list_allowed_methods = ['post']


    def obj_create(self, bundle, request=None, **kwargs):
        '''
        We only need the email-adress to register a user. 
        '''

        ema = bundle.data['user']['email']
        usn = ema[:30] # Dirty, will be changed
        raw_pwd = mkpasswd() # Returns a 8 characters random password

        try:
            # Launches model validation
            User(username=usn, email=ema, password=raw_pwd).full_clean()
        except ValidationError as e:
            raise CustomBadRequest(
                code="wrong_user_infos_exception",
                message="Information is wrong as detailed: {0}".
                    format(e))
        else:
            bundle.data['user']['username'] = usn
            bundle.data['user']['password'] = make_password(raw_pwd)
            bundle = super(ClientInfoResource, self).obj_create(bundle, **kwargs)

        return bundle

     # The UserResource is not paste here, but it has nothing special (no override)

The data payload for the POST request is something as simple as:

data_post = {
        "user":{
            "email": "[email protected]",
        }

Another question. I have the feeling I'm doing things wrong since I suppose user creation should be in the UserResource, not in the CliProfileResource. Indeed, I have BusinessProfileResource (linked to a user too), and I'll have to put the same user creation in this resource, which is NOT dry. Is there a clean way to split: user creation in UserResource and cliprofile informations in CliProfileResource?

Thank you.

Solution

  • I found the reason, it's because of the fields field of my UserResource that does not contain password in the allowed fields. When I add it, it works.

    Nevertheless, as it was a problem for the GET requests to have the password, that's why I overrided the dehydrate() method of UserResource then.

    The working version is:

    class Meta(CommonResourceMeta):
    queryset = User.objects.all()
    resource_name = 'users'
    fields = ['id', 'username', 'email', 'password', 'bizuser']
    detail_allowed_methods = ['get']

    ...

    def dehydrate(self, bundle):
    '''Remove pwd from data bundle for obvious security purposes'''
    try:
        bundle.data.pop('password')
    except:
        pass
    return bundle