openwisp-users is the OpenWISP Django app that provides user management, organizations, groups, authentication helpers, and multi-tenancy utilities.
Core code lives in openwisp_users/:
models.pydefines the swappable user, organization, group, and membership models.api/contains DRF views, serializers, authentication, permissions, filters, and throttling.accounts/customizes django-allauth account flows.- Tests live in
openwisp_users/tests/,openwisp_users/tests/test_api/,tests/testapp/tests/, andtests/openwisp2/sample_users/.
- Use
docs/developer/installation.rstanddocs/developer/index.rstfor local setup, services, and baseline test commands. - Use
.github/workflows/ci.ymlfor CI-tested dependencies, QA/test commands, env vars, and supported Python/Django versions. - Use GitHub issue/PR templates when asked to open issues or PRs.
Follow the DRY principle: do not duplicate information or code across files.
If instructions conflict, repository config and CI workflows win first, official docs next, and this file is supplemental.
- Keep changes focused. Avoid unrelated refactors and formatting churn.
- Preserve swappable model support, public APIs, migrations, and multi-tenant permission behavior unless explicitly required.
- Mark user-facing strings for translation with Django i18n helpers in Django code.
- Place imports at the top of the file. Only defer imports when necessary (e.g., Django model imports inside functions or methods where the app registry is not yet ready).
- Avoid unnecessary blank lines inside function and method bodies.
- Update docs when behavior, settings, public APIs, setup steps, or supported versions change.
- Add or update tests for every behavior change.
- For bug fixes, write the regression test first, run it against the unfixed code, confirm it fails for the expected reason, then implement the fix.
- Use targeted tests while iterating, then run the documented full test command before considering the change complete.
- Run
openwisp-qa-formatafter editing when available. - Run
./run-qa-checkswhen present. Treat failures as blocking unless confirmed unrelated and reported. - Prefer in-process tests so coverage tools can measure changed code.
- Authentication flows integrate with
django-allauth; API auth includes token auth and request throttling inopenwisp_users/api/. - Be careful with cache invalidation, permissions, organization membership, authentication backends, and tenant isolation.
- If you change swapped-model behavior, tenant isolation, auth flows, or admin/API permissions, cover both package-level and integration tests.
- Write comments and docstrings only when they explain why code is shaped a certain way. Put comments before the relevant code block instead of scattering them inside it.
- If setup, QA, or tests fail, check docs first, then compare with CI. If commands diverge, follow CI.