Forem: Houssem Reggai The latest articles on Forem by Houssem Reggai (@h_coder). https://forem.com/h_coder https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3856866%2F1dec3925-53a6-481b-a116-8260d57fe70d.jpeg Forem: Houssem Reggai https://forem.com/h_coder en EXPLAIN ANALYZE: The PostgreSQL Command Every Django Developer Should Know Houssem Reggai Wed, 29 Apr 2026 11:34:11 +0000 https://forem.com/h_coder/explain-analyze-the-postgresql-command-every-django-developer-should-know-42b https://forem.com/h_coder/explain-analyze-the-postgresql-command-every-django-developer-should-know-42b <p>PROFESSIONAL DJANGO ENGINEERING SERIES #6</p> <blockquote> <p>If you have never read a query execution plan, you are flying blind on database performance. Here is how to read one — and what the warning signs look like.</p> </blockquote> <p>Django's ORM is excellent at writing SQL. It is not excellent at telling you whether that SQL is fast. For that, you need to go one level deeper — to the database itself, and to the execution plan it generates for every query you run.</p> <p>EXPLAIN ANALYZE is PostgreSQL's most powerful diagnostic tool. It shows you not just what SQL your query produces, but how the database engine plans to execute it, how long it actually takes, and — most usefully — where it is spending that time.</p> <blockquote> <p>Most Django performance problems are database problems. Most database problems are index problems. And most index problems are invisible until you look at the query plan.</p> </blockquote> <h3> Running EXPLAIN ANALYZE from Django </h3> <p>Django 3.2 added QuerySet.explain(), which gives you direct access to the database execution plan:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># In the Django shell (python manage.py shell_plus): </span><span class="n">qs</span> <span class="o">=</span> <span class="n">Order</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="n">status</span><span class="o">=</span><span class="sh">'</span><span class="s">paid</span><span class="sh">'</span><span class="p">,</span> <span class="n">user_id</span><span class="o">=</span><span class="mi">42</span><span class="p">).</span><span class="nf">select_related</span><span class="p">(</span><span class="sh">'</span><span class="s">user</span><span class="sh">'</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">qs</span><span class="p">.</span><span class="nf">explain</span><span class="p">(</span><span class="n">verbose</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">analyze</span><span class="o">=</span><span class="bp">True</span><span class="p">))</span> <span class="c1"># Or with raw SQL for more control: </span><span class="kn">from</span> <span class="n">django.db</span> <span class="kn">import</span> <span class="n">connection</span> <span class="k">with</span> <span class="n">connection</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="k">as</span> <span class="n">cursor</span><span class="p">:</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sh">'</span><span class="s">EXPLAIN (ANALYZE, BUFFERS, FORMAT TEXT) </span><span class="sh">'</span> <span class="sh">'</span><span class="s">SELECT * FROM orders_order WHERE status = %s AND user_id = %s</span><span class="sh">'</span><span class="p">,</span> <span class="p">[</span><span class="sh">'</span><span class="s">paid</span><span class="sh">'</span><span class="p">,</span> <span class="mi">42</span><span class="p">]</span> <span class="p">)</span> <span class="k">for</span> <span class="n">row</span> <span class="ow">in</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">fetchall</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="n">row</span><span class="p">[</span><span class="mi">0</span><span class="p">])</span> </code></pre> </div> <h3> Reading the Output </h3> <p>A typical EXPLAIN ANALYZE output looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Seq Scan on orders_order (cost=0.00..4821.00 rows=3912 width=52) (actual time=0.05..28.4 rows=3912 loops=1) Filter: ((status = 'paid') AND (user_id = 42)) Rows Removed by Filter: 48231 Planning Time: 0.8 ms Execution Time: 28.9 ms </code></pre> </div> <p>Here is what each part means:</p> <p><strong>Seq Scan — the most important warning sign</strong><br> A Seq Scan means the database read every row in the table to find the ones matching your filter. It is sometimes unavoidable on very small tables, but on a table with tens of thousands of rows, a Seq Scan on a filtered column almost always means a missing index.</p> <p><strong>Rows Removed by Filter — measuring inefficiency</strong><br> In the example above, 48,231 rows were read and discarded to find 3,912 matching rows. The database is reading 12 rows for every 1 it keeps. An index on <code>status</code> and <code>user_id</code> would let the database jump directly to the matching rows without reading the discarded ones.</p> <p><strong>cost=X..Y — the planner’s estimate</strong><br> The cost values are the planner's estimates in arbitrary units. The first number is startup cost (getting the first row), the second is total cost. Lower is better, but absolute numbers are less useful than the ratio between different parts of your query plan.</p> <p><strong>actual time — ground truth</strong><br> The actual time values are real milliseconds from the execution. If startup time is high, your query is doing expensive initialization. If total time is high but startup time is low, the bottleneck is in processing the rows.</p> <h3> The Warning Signs to Look For </h3> <p><strong>Seq Scan on a large table</strong> — almost always means a missing index on the filter column.<br> <strong>High Rows Removed by Filter</strong> — large ratio of rows read to rows kept. An index on the filter column would prevent this.<br> <strong>Nested Loop with a large outer side</strong> — the SQL-level manifestation of N+1. The inner side is queried once per outer row.<br> <strong>Sort on an un-indexed column</strong> — if you order by this column frequently, add an index.</p> <h3> Adding the Right Index </h3> <p>Once you have identified a missing index from the query plan, adding it in Django is straightforward:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># models.py </span><span class="k">class</span> <span class="nc">Order</span><span class="p">(</span><span class="n">models</span><span class="p">.</span><span class="n">Model</span><span class="p">):</span> <span class="n">user</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="nc">ForeignKey</span><span class="p">(</span><span class="n">settings</span><span class="p">.</span><span class="n">AUTH_USER_MODEL</span><span class="p">,</span> <span class="p">...)</span> <span class="n">status</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="nc">CharField</span><span class="p">(</span><span class="n">max_length</span><span class="o">=</span><span class="mi">20</span><span class="p">,</span> <span class="p">...)</span> <span class="k">class</span> <span class="nc">Meta</span><span class="p">:</span> <span class="n">indexes</span> <span class="o">=</span> <span class="p">[</span> <span class="c1"># Composite index: supports queries filtering on both columns </span> <span class="c1"># Also supports queries on 'status' alone (leftmost prefix rule) </span> <span class="n">models</span><span class="p">.</span><span class="nc">Index</span><span class="p">(</span><span class="n">fields</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">status</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">user</span><span class="sh">'</span><span class="p">],</span> <span class="n">name</span><span class="o">=</span><span class="sh">'</span><span class="s">order_status_user_idx</span><span class="sh">'</span><span class="p">),</span> <span class="c1"># Partial index: only index active orders </span> <span class="c1"># Smaller, faster, more selective than a full-table index </span> <span class="n">models</span><span class="p">.</span><span class="nc">Index</span><span class="p">(</span> <span class="n">fields</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">user</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">created_at</span><span class="sh">'</span><span class="p">],</span> <span class="n">condition</span><span class="o">=</span><span class="nc">Q</span><span class="p">(</span><span class="n">status__in</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">pending</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">paid</span><span class="sh">'</span><span class="p">]),</span> <span class="n">name</span><span class="o">=</span><span class="sh">'</span><span class="s">order_active_user_created_idx</span><span class="sh">'</span><span class="p">,</span> <span class="p">),</span> <span class="p">]</span> </code></pre> </div> <h3> Building the Habit </h3> <p>The habit worth building: after you write any query that will be called frequently in production, run it through EXPLAIN ANALYZE in the shell. Look for Seq Scans on large tables. Look at the Rows Removed by Filter ratio. Look at the actual time.<br> This takes two minutes. It catches the performance problems that will take two hours to diagnose in production after users start complaining. The two-minute habit is always worth it.</p> <blockquote> <p><strong>✓ Use django-debug-toolbar for everyday development:</strong> For development workflow, django-debug-toolbar's SQL panel gives you query counts and execution times on every page load without going to the shell. Reserve EXPLAIN ANALYZE for queries that the toolbar has flagged as slow or that appear suspiciously frequently.</p> </blockquote> <p>Database performance is not a black art. It is a skill built on a small set of fundamentals: understanding what EXPLAIN ANALYZE tells you, knowing when a Seq Scan is a problem, understanding index selection, and measuring before optimizing. EXPLAIN ANALYZE is where all of that starts.</p> <blockquote> <p>Found this useful? There’s a full book. This article is drawn from Professional Django Engineering (Chapter 7 — Database Performance). The book covers 16 chapters across every major aspect of production Django development: architecture, ORM performance, REST APIs, security, testing, caching, async, and deployment. Every chapter follows the same pattern: real anti-patterns, professional solutions, and a pitfall reference table you can bookmark. ▶ Available on Amazon KDP. Link in comments.</p> </blockquote> django database postgres backend The N+1 Query Problem That's Silently Slowing Your Django App Houssem Reggai Fri, 24 Apr 2026 18:37:38 +0000 https://forem.com/h_coder/the-n1-query-problem-thats-silently-slowing-your-django-app-1n2l https://forem.com/h_coder/the-n1-query-problem-thats-silently-slowing-your-django-app-1n2l <p>PROFESSIONAL DJANGO ENGINEERING SERIES #5</p> <blockquote> <p>100 orders. A loop. A template that accesses order.user.email. Result: 701 database queries. Here is how it happens — and how to fix it in one line.</p> </blockquote> <p>The N+1 query problem is the most common performance issue in Django applications. It is also the most invisible one in development, because your local database has twenty records. It only becomes visible in production, where it has twenty thousand — and by then, it is an incident.</p> <blockquote> <p>The ORM does not hide SQL from you. It writes SQL for you. Understanding what SQL it writes — and why — is what separates ORM users from ORM professionals.</p> </blockquote> <h3> How N+1 Happens </h3> <p>Here is a view that looks perfectly innocent:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># views.py — looks clean, causes disaster at scale </span><span class="k">def</span> <span class="nf">order_list</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="n">orders</span> <span class="o">=</span> <span class="n">Order</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">all</span><span class="p">()</span> <span class="c1"># Query 1: SELECT * FROM orders </span> <span class="k">return</span> <span class="nf">render</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">'</span><span class="s">orders/list.html</span><span class="sh">'</span><span class="p">,</span> <span class="p">{</span><span class="sh">'</span><span class="s">orders</span><span class="sh">'</span><span class="p">:</span> <span class="n">orders</span><span class="p">})</span> </code></pre> </div> <p>Then in the template:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>{# orders/list.html #} {% for order in orders %} {{ order.user.email }} {# Query 2,3,...N: SELECT user WHERE id=? #} {% for item in order.items.all %} {{ item.product.name }} {# Query N+1, N+2... for each item #} {% endfor %} {% endfor %} </code></pre> </div> <p>For 100 orders with 5 items each, this template fires:</p> <ul> <li>1 query to fetch all orders</li> <li>100 queries to fetch each order's user</li> <li>100 queries to fetch each order's items</li> <li>500 queries to fetch each item's product — total: 701 queries</li> </ul> <p>Every page load. Every visitor. The database CPU climbs. Response times degrade. And because it works fine locally with your 10 test records, no one notices until production slows to a crawl.</p> <h3> The Fix: <code>select_related</code> and <code>prefetch_related</code> </h3> <p>Django provides two tools for solving N+1, and using the right one matters.</p> <h4> <code>select_related</code> — for <code>ForeignKey</code> and <code>OneToOne</code> </h4> <p>Use <code>select_related</code> when traversing <code>ForeignKey</code> or <code>OneToOneField</code> relationships. It generates a <code>SQL JOIN</code> and fetches everything in one query:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># BAD: 1 + N queries </span><span class="n">orders</span> <span class="o">=</span> <span class="n">Order</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">all</span><span class="p">()</span> <span class="c1"># GOOD: 1 query with a JOIN </span><span class="n">orders</span> <span class="o">=</span> <span class="n">Order</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">select_related</span><span class="p">(</span><span class="sh">'</span><span class="s">user</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">shipping_address</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Multi-level: traverse FK chains </span><span class="n">orders</span> <span class="o">=</span> <span class="n">Order</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">select_related</span><span class="p">(</span><span class="sh">'</span><span class="s">user__profile</span><span class="sh">'</span><span class="p">)</span> </code></pre> </div> <h4> <code>prefetch_related</code> — for reverse FK and <code>ManyToMany</code> </h4> <p>Use <code>prefetch_related</code> for reverse <code>ForeignKey</code> relationships and <code>ManyToManyFields</code> — relationships where the related object is a collection. It executes a separate query per relationship and joins the results in Python:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># BAD: 1 query for orders + N queries for items + N*M for products </span><span class="n">orders</span> <span class="o">=</span> <span class="n">Order</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">all</span><span class="p">()</span> <span class="c1"># GOOD: 3 queries regardless of order count # Query 1: SELECT * FROM orders # Query 2: SELECT * FROM order_items WHERE order_id IN (...) # Query 3: SELECT * FROM products WHERE id IN (...) </span><span class="n">orders</span> <span class="o">=</span> <span class="n">Order</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">prefetch_related</span><span class="p">(</span><span class="sh">'</span><span class="s">items__product</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Combine both for the full solution: </span><span class="n">orders</span> <span class="o">=</span> <span class="p">(</span> <span class="n">Order</span><span class="p">.</span><span class="n">objects</span> <span class="p">.</span><span class="nf">select_related</span><span class="p">(</span><span class="sh">'</span><span class="s">user</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">shipping_address</span><span class="sh">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">prefetch_related</span><span class="p">(</span><span class="sh">'</span><span class="s">items__product</span><span class="sh">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="n">status</span><span class="o">=</span><span class="sh">'</span><span class="s">paid</span><span class="sh">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">order_by</span><span class="p">(</span><span class="sh">'</span><span class="s">-created_at</span><span class="sh">'</span><span class="p">)</span> <span class="p">)</span> </code></pre> </div> <p><strong>⚠ A common mistake that defeats <code>prefetch_related</code></strong><br> Filtering a prefetched relation inside a loop re-fires a query per object and completely defeats the prefetch. This is the trap:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">for</span> <span class="n">order</span> <span class="ow">in</span> <span class="n">orders</span><span class="p">:</span> <span class="c1"># prefetched </span> <span class="n">active_items</span> <span class="o">=</span> <span class="n">order</span><span class="p">.</span><span class="n">items</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="n">is_active</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="c1"># NEW query each time! </span></code></pre> </div> <p><strong>Fix:</strong> use a <code>Prefetch</code> object with a custom queryset to apply the filter at prefetch time.</p> <h3> How to Detect N+1: <code>django-debug-toolbar</code> </h3> <p>Install <code>django-debug-toolbar</code> in your development environment and make the SQL panel part of your workflow. It shows every query executed during a request, the time each took, and whether any are duplicates.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># requirements/local.txt django-debug-toolbar==4.3.0 # config/settings/local.py INSTALLED_APPS += ['debug_toolbar'] MIDDLEWARE.insert(1, 'debug_toolbar.middleware.DebugToolbarMiddleware') INTERNAL_IPS = ['127.0.0.1'] </code></pre> </div> <p>A healthy page has under 10 queries. A page with 50+ has an N+1 problem. Treat the SQL panel as a mandatory check before every feature is considered done.</p> <h3> Lock it in with Query Count Tests </h3> <p>The best way to prevent N+1 regressions is to assert query counts in your test suite:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">django.test</span> <span class="kn">import</span> <span class="n">TestCase</span> <span class="k">class</span> <span class="nc">OrderListViewTest</span><span class="p">(</span><span class="n">TestCase</span><span class="p">):</span> <span class="k">def</span> <span class="nf">test_query_count_is_bounded</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">user</span> <span class="o">=</span> <span class="nc">UserFactory</span><span class="p">()</span> <span class="n">OrderFactory</span><span class="p">.</span><span class="nf">create_batch</span><span class="p">(</span><span class="mi">20</span><span class="p">,</span> <span class="n">user</span><span class="o">=</span><span class="n">user</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">client</span><span class="p">.</span><span class="nf">force_login</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="k">with</span> <span class="n">self</span><span class="p">.</span><span class="nf">assertNumQueries</span><span class="p">(</span><span class="mi">3</span><span class="p">):</span> <span class="c1"># orders + users + items </span> <span class="n">response</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">/orders/</span><span class="sh">'</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">assertEqual</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="n">status_code</span><span class="p">,</span> <span class="mi">200</span><span class="p">)</span> </code></pre> </div> <p>This test will fail the moment someone adds a line to the view that introduces an N+1. That failure, caught in CI before it reaches production, is exactly what the test is for.</p> <p>The N+1 problem is not unique to Django — it appears in every ORM-based framework. But Django's ORM makes it particularly invisible because querysets are lazy and the query only fires at iteration time, often deep in a template. <code>select_related</code> and <code>prefetch_related</code> are the tools designed to solve it. Learn to reach for them automatically whenever you access a related object.</p> django database backend python null=True on CharField Is Always Wrong — Here Is Why Houssem Reggai Wed, 22 Apr 2026 11:37:23 +0000 https://forem.com/h_coder/nulltrue-on-charfield-is-always-wrong-here-is-why-1bop https://forem.com/h_coder/nulltrue-on-charfield-is-always-wrong-here-is-why-1bop <p>PROFESSIONAL DJANGO ENGINEERING SERIES #4</p> <blockquote> <p>Two ways to represent 'no value' means every query that checks for empty strings has to handle both. The rule is simple once you know it.</p> </blockquote> <p>Django provides two separate flags for handling empty values on model fields. They are frequently confused, and conflating them leads to subtle bugs, inconsistent data, and queries that are harder to write than they should be.</p> <p>Here is the rule stated plainly, and then the reasoning behind it.</p> <blockquote> <p>null=True is a database directive. <code>blank=True</code> is a validation directive. They are independent. Think about each one separately for every field you define.</p> </blockquote> <p><strong>The Rule</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># String-based fields (CharField, TextField, EmailField, SlugField, URLField) # ───────────────────────────────────────────────────────────────────── # Required field: </span><span class="n">name</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="nc">CharField</span><span class="p">(</span><span class="n">max_length</span><span class="o">=</span><span class="mi">100</span><span class="p">)</span> <span class="c1"># Optional field — use blank=True ONLY. Never null=True. </span><span class="n">nickname</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="nc">CharField</span><span class="p">(</span><span class="n">max_length</span><span class="o">=</span><span class="mi">100</span><span class="p">,</span> <span class="n">blank</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="c1"># WRONG: creates two possible 'empty' values for a string field </span><span class="n">nickname</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="nc">CharField</span><span class="p">(</span><span class="n">max_length</span><span class="o">=</span><span class="mi">100</span><span class="p">,</span> <span class="n">null</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">blank</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="c1"># BAD </span> <span class="c1"># Non-string fields (IntegerField, DateField, ForeignKey, DecimalField) # ───────────────────────────────────────────────────────────────────── # Optional non-string: use null=True. Add blank=True if used in forms. </span><span class="n">date_of_birth</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="nc">DateField</span><span class="p">(</span><span class="n">null</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">blank</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">manager</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="nc">ForeignKey</span><span class="p">(</span> <span class="n">settings</span><span class="p">.</span><span class="n">AUTH_USER_MODEL</span><span class="p">,</span> <span class="n">null</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">blank</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">on_delete</span><span class="o">=</span><span class="n">models</span><span class="p">.</span><span class="n">SET_NULL</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># BooleanField: never null=True unless you genuinely need three states </span><span class="n">is_active</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="nc">BooleanField</span><span class="p">(</span><span class="n">default</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="c1"># correct </span><span class="n">is_verified</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="nc">BooleanField</span><span class="p">(</span><span class="n">default</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="c1"># correct </span></code></pre> </div> <h3> Why null=True on CharField Causes Problems </h3> <p>When you set <code>null=True</code> on a string field, your database can now store two different representations of ‘no value’: the empty string '' and <code>NULL</code>. This forces every query that checks for an empty value to handle both cases:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># With null=True on CharField, you need this everywhere: </span><span class="n">User</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="nc">Q</span><span class="p">(</span><span class="n">nickname</span><span class="o">=</span><span class="sh">''</span><span class="p">)</span> <span class="o">|</span> <span class="nc">Q</span><span class="p">(</span><span class="n">nickname__isnull</span><span class="o">=</span><span class="bp">True</span><span class="p">))</span> <span class="c1"># Without null=True, this simple query is correct and complete: </span><span class="n">User</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="n">nickname</span><span class="o">=</span><span class="sh">''</span><span class="p">)</span> <span class="c1"># Or using the cleaner Django convention for 'has a nickname': </span><span class="n">User</span><span class="p">.</span><span class="n">objects</span><span class="p">.</span><span class="nf">exclude</span><span class="p">(</span><span class="n">nickname</span><span class="o">=</span><span class="sh">''</span><span class="p">)</span> </code></pre> </div> <p>Django’s own convention for optional string fields is to store '' for ‘no value’, giving you a single canonical empty representation. <code>null=True</code> creates ambiguity that has to be accounted for in every query, every form, every comparison, and every piece of code that displays or validates the field.</p> <h3> The Full Decision Table </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># FIELD TYPE | REQUIRED | OPTIONAL # ───────────────────────────────────────────────────────────── # CharField / TextField | (no flags) | blank=True # EmailField / SlugField | (no flags) | blank=True # IntegerField | (no flags) | null=True, blank=True # DecimalField | (no flags) | null=True, blank=True # DateField / DateTimeField | (no flags) | null=True, blank=True # ForeignKey | (no flags) | null=True, blank=True # OneToOneField | (no flags) | null=True, blank=True # BooleanField | default=True/False | (no flags, use default) # JSONField | default=dict/list | blank=True (or null=True) # ImageField / FileField | (no flags) | blank=True </code></pre> </div> <h3> Two More Field Type Mistakes Worth Noting </h3> <h4> Never use FloatField for money </h4> <p>Floating point arithmetic is imprecise. 0.1 + 0.2 in Python is not 0.3. For monetary values, always use DecimalField(max_digits=10, decimal_places=2). Or store integer cents: price_cents = models.PositiveIntegerField(). Never use FloatField or CharField for money.</p> <h4> Use TextChoices instead of integer status codes </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># BAD: magic integers with no context </span><span class="k">class</span> <span class="nc">Order</span><span class="p">(</span><span class="n">models</span><span class="p">.</span><span class="n">Model</span><span class="p">):</span> <span class="n">STATUS_PENDING</span> <span class="o">=</span> <span class="mi">1</span> <span class="n">status</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="nc">IntegerField</span><span class="p">(</span><span class="n">default</span><span class="o">=</span><span class="mi">1</span><span class="p">)</span> <span class="c1"># GOOD: self-documenting, validated, admin-friendly </span><span class="k">class</span> <span class="nc">Order</span><span class="p">(</span><span class="n">models</span><span class="p">.</span><span class="n">Model</span><span class="p">):</span> <span class="k">class</span> <span class="nc">Status</span><span class="p">(</span><span class="n">models</span><span class="p">.</span><span class="n">TextChoices</span><span class="p">):</span> <span class="n">PENDING</span> <span class="o">=</span> <span class="sh">'</span><span class="s">pending</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Pending</span><span class="sh">'</span> <span class="n">PAID</span> <span class="o">=</span> <span class="sh">'</span><span class="s">paid</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Paid</span><span class="sh">'</span> <span class="n">SHIPPED</span> <span class="o">=</span> <span class="sh">'</span><span class="s">shipped</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Shipped</span><span class="sh">'</span> <span class="n">status</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="nc">CharField</span><span class="p">(</span> <span class="n">max_length</span><span class="o">=</span><span class="mi">20</span><span class="p">,</span> <span class="n">choices</span><span class="o">=</span><span class="n">Status</span><span class="p">.</span><span class="n">choices</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="n">Status</span><span class="p">.</span><span class="n">PENDING</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Your database rows are now self-documenting. # A raw SQL query shows 'paid', not '2'. # Invalid values are rejected at the model level. </span></code></pre> </div> <p>Field design decisions are among the most expensive to change once a table has data in it. Getting them right at the start — following the null/blank rule, using <code>DecimalField</code> for money, using <code>TextChoices</code> for enumerables — is one of the highest-leverage habits a Django developer can build.</p> django python database backend The Custom User Model Mistake 90% of Django Projects Make Houssem Reggai Fri, 17 Apr 2026 17:54:09 +0000 https://forem.com/h_coder/the-custom-user-model-mistake-90-of-django-projects-make-4e1p https://forem.com/h_coder/the-custom-user-model-mistake-90-of-django-projects-make-4e1p <p>PROFESSIONAL DJANGO ENGINEERING SERIES #3</p> <blockquote> <p>Change your user model after the first migration and you will spend a painful day fixing it. Here is what to do instead — before your first commit.</p> </blockquote> <p>This is the single piece of Django advice that appears in the official documentation, in every serious Django resource, and from every experienced Django developer who has ever ignored it on an early project and paid the price: <strong><em>create a custom user model before your first migration.</em></strong></p> <p>If you are starting a new project today, this article will save you hours. If you are working on an existing project that uses the default user model, this article will help you understand exactly what you are dealing with.</p> <p>The best time to create a custom user model was before your first commit. The second best time is right now, before you run <code>makemigrations</code> for the first time.</p> <h3> Why the Default User Model Is a Problem? </h3> <p>Django’s default <code>auth.User</code> model makes decisions for you: username is the primary identifier, the field names are fixed, and the model lives in Django’s own package where you cannot modify it. The most common pain point:</p> <ul> <li>Most modern applications want email as the login identifier. The default model has both a username field and an email field, and uses username for authentication. Working around this requires a custom authentication backend — possible, but inelegant.</li> <li>Every field you want to add to the user (bio, avatar, preferences, organisation) requires either a separate Profile model (an extra database join on every user access) or monkey-patching (an anti-pattern).</li> <li>Once you have migrations that reference auth.User, changing to a custom model requires either a fresh database or a complex, risky surgical migration.</li> </ul> <h3> <code>AbstractUser</code> vs <code>AbstractBaseUser</code> — Which to Choose </h3> <h4> <code>AbstractUser</code>: extend the default behaviour </h4> <p>If you are happy with Django’s authentication behaviour and just want to add fields, inherit from <code>AbstractUser</code>. You get everything Django provides, plus the ability to add your own fields:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># apps/users/models.py </span><span class="kn">from</span> <span class="n">django.contrib.auth.models</span> <span class="kn">import</span> <span class="n">AbstractUser</span> <span class="kn">from</span> <span class="n">django.db</span> <span class="kn">import</span> <span class="n">models</span> <span class="k">class</span> <span class="nc">User</span><span class="p">(</span><span class="n">AbstractUser</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Custom user model. Add project-specific fields here. Even if you add nothing now, this gives you flexibility later. </span><span class="sh">"""</span> <span class="n">bio</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="nc">TextField</span><span class="p">(</span><span class="n">blank</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">avatar</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="nc">ImageField</span><span class="p">(</span><span class="n">upload_to</span><span class="o">=</span><span class="sh">'</span><span class="s">avatars/</span><span class="sh">'</span><span class="p">,</span> <span class="n">blank</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">null</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">def</span> <span class="nf">__str__</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="n">email</span> </code></pre> </div> <h4> <code>AbstractBaseUser</code>: full control </h4> <p>If you need fundamentally different logic like authentication, inherit from <code>AbstractBaseUser</code>. You build everything yourself, which gives full control at the cost of more setup.</p> <h4> Email-as-username </h4> <p>If you want to create email-based-authentication system (instead of the default username) it's achievable with both <code>AbstractBaseUser</code> and <code>AbstractUser</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># apps/users/managers.py — email-as-username pattern </span><span class="kn">from</span> <span class="n">django.contrib.auth.hashers</span> <span class="kn">import</span> <span class="n">make_password</span> <span class="kn">from</span> <span class="n">django.contrib.auth.models</span> <span class="kn">import</span> <span class="n">UserManager</span> <span class="kn">from</span> <span class="n">django.utils.translation</span> <span class="kn">import</span> <span class="n">gettext_lazy</span> <span class="k">as</span> <span class="n">_</span> <span class="k">class</span> <span class="nc">EmailBasedUserManager</span><span class="p">(</span><span class="n">UserManager</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Custom user model manager where email is the unique identifier for authentication instead of username. </span><span class="sh">"""</span> <span class="k">def</span> <span class="nf">create_user</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">email</span><span class="p">,</span> <span class="n">password</span><span class="p">,</span> <span class="o">**</span><span class="n">extra_fields</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> create and save new user with the given email and password </span><span class="sh">"""</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">email</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="nf">_</span><span class="p">(</span><span class="sh">"</span><span class="s">Email must be set</span><span class="sh">"</span><span class="p">))</span> <span class="n">email</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">normalize_email</span><span class="p">(</span><span class="n">email</span><span class="p">)</span> <span class="n">user</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">model</span><span class="p">(</span><span class="n">email</span><span class="o">=</span><span class="n">email</span><span class="p">,</span> <span class="o">**</span><span class="n">extra_fields</span><span class="p">)</span> <span class="n">user</span><span class="p">.</span><span class="n">password</span> <span class="o">=</span> <span class="nf">make_password</span><span class="p">(</span><span class="n">password</span><span class="p">)</span> <span class="n">user</span><span class="p">.</span><span class="nf">save</span><span class="p">(</span><span class="n">using</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">_db</span><span class="p">)</span> <span class="k">return</span> <span class="n">user</span> <span class="k">def</span> <span class="nf">create_superuser</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">email</span><span class="p">,</span> <span class="n">password</span><span class="p">,</span> <span class="o">**</span><span class="n">extra_fields</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> create and save new superuser with the given email and password </span><span class="sh">"""</span> <span class="n">extra_fields</span><span class="p">.</span><span class="nf">setdefault</span><span class="p">(</span><span class="sh">"</span><span class="s">is_staff</span><span class="sh">"</span><span class="p">,</span> <span class="bp">True</span><span class="p">)</span> <span class="n">extra_fields</span><span class="p">.</span><span class="nf">setdefault</span><span class="p">(</span><span class="sh">"</span><span class="s">is_superuser</span><span class="sh">"</span><span class="p">,</span> <span class="bp">True</span><span class="p">)</span> <span class="n">extra_fields</span><span class="p">.</span><span class="nf">setdefault</span><span class="p">(</span><span class="sh">"</span><span class="s">is_active</span><span class="sh">"</span><span class="p">,</span> <span class="bp">True</span><span class="p">)</span> <span class="k">if</span> <span class="n">extra_fields</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">is_staff</span><span class="sh">"</span><span class="p">)</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">True</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="nf">_</span><span class="p">(</span><span class="sh">"</span><span class="s">Superuser must have is_staff=True.</span><span class="sh">"</span><span class="p">))</span> <span class="k">if</span> <span class="n">extra_fields</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">is_superuser</span><span class="sh">"</span><span class="p">)</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">True</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="nf">_</span><span class="p">(</span><span class="sh">"</span><span class="s">Superuser must have is_superuser=True.</span><span class="sh">"</span><span class="p">))</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="nf">create_user</span><span class="p">(</span><span class="n">email</span><span class="p">,</span> <span class="n">password</span><span class="p">,</span> <span class="o">**</span><span class="n">extra_fields</span><span class="p">)</span> </code></pre> </div> <p>then in models.py:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># apps/users/models.py — email-as-username pattern # using AbstractUser </span><span class="kn">from</span> <span class="n">django.contrib.auth.models</span> <span class="kn">import</span> <span class="n">AbstractUser</span> <span class="kn">from</span> <span class="n">.managers</span> <span class="kn">import</span> <span class="n">EmailBasedUserManager</span> <span class="k">class</span> <span class="nc">User</span><span class="p">(</span><span class="n">AbstractUser</span><span class="p">):</span> <span class="n">username</span> <span class="o">=</span> <span class="bp">None</span> <span class="n">email</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="nc">EmailField</span><span class="p">(</span><span class="n">unique</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">first_name</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="nc">CharField</span><span class="p">(</span><span class="n">max_length</span><span class="o">=</span><span class="mi">150</span><span class="p">,</span> <span class="n">blank</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">last_name</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="nc">CharField</span><span class="p">(</span><span class="n">max_length</span><span class="o">=</span><span class="mi">150</span><span class="p">,</span> <span class="n">blank</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">is_active</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="nc">BooleanField</span><span class="p">(</span><span class="n">default</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">is_staff</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="nc">BooleanField</span><span class="p">(</span><span class="n">default</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="n">date_joined</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="nc">DateTimeField</span><span class="p">(</span><span class="n">auto_now_add</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">USERNAME_FIELD</span> <span class="o">=</span> <span class="sh">'</span><span class="s">email</span><span class="sh">'</span> <span class="c1"># email is the login identifier </span> <span class="n">REQUIRED_FIELDS</span> <span class="o">=</span> <span class="p">[]</span> <span class="c1"># email is already required via USERNAME_FIELD </span> <span class="n">objects</span> <span class="o">=</span> <span class="nc">EmailBasedUserManager</span><span class="p">()</span> </code></pre> </div> <h4> The Three Things You Must Do </h4> <ol> <li>Register it in settings </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># config/settings/base.py </span><span class="n">AUTH_USER_MODEL</span> <span class="o">=</span> <span class="sh">'</span><span class="s">users.User</span><span class="sh">'</span> <span class="c1"># This one line must be in place BEFORE running the very first makemigrations. # Everything in Django resolves 'the user model' through this setting. </span></code></pre> </div> <ol> <li>Reference it correctly in code </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># In Python code: use get_user_model() </span><span class="kn">from</span> <span class="n">django.contrib.auth</span> <span class="kn">import</span> <span class="n">get_user_model</span> <span class="n">User</span> <span class="o">=</span> <span class="nf">get_user_model</span><span class="p">()</span> <span class="c1"># respects AUTH_USER_MODEL </span> <span class="c1"># In model ForeignKey fields: use settings.AUTH_USER_MODEL </span><span class="kn">from</span> <span class="n">django.conf</span> <span class="kn">import</span> <span class="n">settings</span> <span class="k">class</span> <span class="nc">Order</span><span class="p">(</span><span class="n">models</span><span class="p">.</span><span class="n">Model</span><span class="p">):</span> <span class="n">user</span> <span class="o">=</span> <span class="n">models</span><span class="p">.</span><span class="nc">ForeignKey</span><span class="p">(</span> <span class="n">settings</span><span class="p">.</span><span class="n">AUTH_USER_MODEL</span><span class="p">,</span> <span class="c1"># string reference, not the class </span> <span class="n">on_delete</span><span class="o">=</span><span class="n">models</span><span class="p">.</span><span class="n">CASCADE</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># NEVER: from django.contrib.auth.models import User # NEVER: from apps.users.models import User (in ForeignKey fields) </span></code></pre> </div> <ol> <li>Update the Admin When you replace the default user model, Django’s built-in UserAdmin breaks because it references the username field. Subclass it and remove the references: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># apps/users/admin.py </span><span class="kn">from</span> <span class="n">django.contrib</span> <span class="kn">import</span> <span class="n">admin</span> <span class="kn">from</span> <span class="n">django.contrib.auth.admin</span> <span class="kn">import</span> <span class="n">UserAdmin</span> <span class="k">as</span> <span class="n">BaseUserAdmin</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">User</span> <span class="nd">@admin.register</span><span class="p">(</span><span class="n">User</span><span class="p">)</span> <span class="k">class</span> <span class="nc">UserAdmin</span><span class="p">(</span><span class="n">BaseUserAdmin</span><span class="p">):</span> <span class="n">list_display</span> <span class="o">=</span> <span class="p">(</span><span class="sh">'</span><span class="s">email</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">first_name</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">last_name</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">is_staff</span><span class="sh">'</span><span class="p">)</span> <span class="n">search_fields</span> <span class="o">=</span> <span class="p">(</span><span class="sh">'</span><span class="s">email</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">first_name</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">last_name</span><span class="sh">'</span><span class="p">)</span> <span class="n">ordering</span> <span class="o">=</span> <span class="p">(</span><span class="sh">'</span><span class="s">-date_joined</span><span class="sh">'</span><span class="p">,)</span> <span class="n">fieldsets</span> <span class="o">=</span> <span class="p">(</span> <span class="p">(</span><span class="bp">None</span><span class="p">,</span> <span class="p">{</span><span class="sh">'</span><span class="s">fields</span><span class="sh">'</span><span class="p">:</span> <span class="p">(</span><span class="sh">'</span><span class="s">email</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">password</span><span class="sh">'</span><span class="p">)}),</span> <span class="p">(</span><span class="sh">'</span><span class="s">Personal info</span><span class="sh">'</span><span class="p">,</span> <span class="p">{</span><span class="sh">'</span><span class="s">fields</span><span class="sh">'</span><span class="p">:</span> <span class="p">(</span><span class="sh">'</span><span class="s">first_name</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">last_name</span><span class="sh">'</span><span class="p">)}),</span> <span class="p">(</span><span class="sh">'</span><span class="s">Permissions</span><span class="sh">'</span><span class="p">,</span> <span class="p">{</span><span class="sh">'</span><span class="s">fields</span><span class="sh">'</span><span class="p">:</span> <span class="p">(</span><span class="sh">'</span><span class="s">is_active</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">is_staff</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">is_superuser</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">groups</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">user_permissions</span><span class="sh">'</span><span class="p">)}),</span> <span class="p">)</span> <span class="n">add_fieldsets</span> <span class="o">=</span> <span class="p">(</span> <span class="p">(</span><span class="bp">None</span><span class="p">,</span> <span class="p">{</span><span class="sh">'</span><span class="s">classes</span><span class="sh">'</span><span class="p">:</span> <span class="p">(</span><span class="sh">'</span><span class="s">wide</span><span class="sh">'</span><span class="p">,),</span> <span class="sh">'</span><span class="s">fields</span><span class="sh">'</span><span class="p">:</span> <span class="p">(</span><span class="sh">'</span><span class="s">email</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">password1</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">password2</span><span class="sh">'</span><span class="p">)}),</span> <span class="p">)</span> </code></pre> </div> <h3> ⚠ Already past the first migration? </h3> <p>If your project has existing migrations that reference auth.User, you have two options. In development: drop the database, delete all migration files (not Django's own), set <code>AUTH_USER_MODEL</code>, and run makemigrations and migrate fresh. In production with existing data: this is a documented but complex multi-step migration that requires a maintenance window. Django's official documentation covers it, but it is a significant operation.</p> <p>The lesson for every future project: <code>AUTH_USER_MODEL</code> before the first makemigrations.</p> django python systemdesign backenddevelopment Stop Putting Everything in settings.py Houssem Reggai Sun, 12 Apr 2026 17:57:56 +0000 https://forem.com/h_coder/stop-putting-everything-in-settingspy-9op https://forem.com/h_coder/stop-putting-everything-in-settingspy-9op <p>PROFESSIONAL DJANGO ENGINEERING SERIES #2</p> <blockquote> <p>One settings file for all environments is a production incident waiting to happen. Here is the professional split that prevents it.</p> </blockquote> <p>Let me guess. Your <code>settings.py</code> has a block that checks <code>os.environ.get('DEBUG')</code>. It has database configuration for two different backends. It has a comment that says <code># only in production</code> next to something that also runs locally. And somewhere near the top there is a <code>SECRET_KEY</code> that has been in version control since the project started.</p> <p>This is the natural end state of a single settings file. It is not a failure of discipline, it is the predictable outcome of a structure that was never designed to handle multiple environments. Here is the fix.</p> <blockquote> <p>The rule is simple and absolute: no secret, credential, or environment-specific value belongs in a file that is committed to version control. Ever. Without exception.</p> </blockquote> <h3> The Four-File Split </h3> <p>Instead of one <code>settings.py</code>, you maintain four files in a <code>config/settings/</code> directory:<br> <strong><code>base.py</code></strong> — everything that is the same across all environments: installed apps, middleware, template configuration, authentication backends.</p> <p><strong><code>local.py</code></strong> — development overrides: <code>DEBUG=True</code>, SQLite or local Postgres, console email backend, debug toolbar.</p> <p><strong><code>production.py</code></strong> — production configuration: HTTPS enforcement, real database URL, S3 storage, structured logging.</p> <p><strong><code>test.py</code></strong> — test-specific: in-memory SQLite, MD5 password hasher for speed, local email backend.</p> <h4> base.py — The foundation </h4> <p>The base file contains configuration that never changes between environments. Crucially, it reads secrets from the environment rather than defining them inline. This is where <code>django-environ</code> earns its place:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># config/settings/base.py </span><span class="kn">import</span> <span class="n">environ</span> <span class="kn">from</span> <span class="n">pathlib</span> <span class="kn">import</span> <span class="n">Path</span> <span class="n">env</span> <span class="o">=</span> <span class="n">environ</span><span class="p">.</span><span class="nc">Env</span><span class="p">()</span> <span class="n">BASE_DIR</span> <span class="o">=</span> <span class="nc">Path</span><span class="p">(</span><span class="n">__file__</span><span class="p">).</span><span class="nf">resolve</span><span class="p">().</span><span class="n">parent</span><span class="p">.</span><span class="n">parent</span><span class="p">.</span><span class="n">parent</span> <span class="n">sys</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">insert</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="nf">str</span><span class="p">(</span><span class="n">BASE_DIR</span> <span class="o">/</span> <span class="sh">'</span><span class="s">apps</span><span class="sh">'</span><span class="p">))</span> <span class="c1"># Read from environment — never from the file itself </span><span class="n">SECRET_KEY</span> <span class="o">=</span> <span class="nf">env</span><span class="p">(</span><span class="sh">'</span><span class="s">DJANGO_SECRET_KEY</span><span class="sh">'</span><span class="p">)</span> <span class="n">ALLOWED_HOSTS</span> <span class="o">=</span> <span class="n">env</span><span class="p">.</span><span class="nf">list</span><span class="p">(</span><span class="sh">'</span><span class="s">DJANGO_ALLOWED_HOSTS</span><span class="sh">'</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="p">[])</span> <span class="c1"># Split INSTALLED_APPS by origin — immediately readable </span><span class="n">DJANGO_APPS</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">django.contrib.admin</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">django.contrib.auth</span><span class="sh">'</span><span class="p">,</span> <span class="p">...]</span> <span class="n">THIRD_PARTY_APPS</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">rest_framework</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">celery</span><span class="sh">'</span><span class="p">,</span> <span class="p">...]</span> <span class="n">LOCAL_APPS</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">users</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">orders</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">products</span><span class="sh">'</span><span class="p">]</span> <span class="n">INSTALLED_APPS</span> <span class="o">=</span> <span class="n">DJANGO_APPS</span> <span class="o">+</span> <span class="n">THIRD_PARTY_APPS</span> <span class="o">+</span> <span class="n">LOCAL_APPS</span> <span class="n">AUTH_USER_MODEL</span> <span class="o">=</span> <span class="sh">'</span><span class="s">users.User</span><span class="sh">'</span> </code></pre> </div> <h4> local.py — Development overrides </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># config/settings/local.py </span><span class="kn">from</span> <span class="n">.base</span> <span class="kn">import</span> <span class="o">*</span> <span class="c1"># noqa </span><span class="kn">from</span> <span class="n">.base</span> <span class="kn">import</span> <span class="n">env</span> <span class="n">DEBUG</span> <span class="o">=</span> <span class="bp">True</span> <span class="n">SECRET_KEY</span> <span class="o">=</span> <span class="nf">env</span><span class="p">(</span><span class="sh">'</span><span class="s">DJANGO_SECRET_KEY</span><span class="sh">'</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="sh">'</span><span class="s">local-dev-key-not-for-production</span><span class="sh">'</span><span class="p">)</span> <span class="n">ALLOWED_HOSTS</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">localhost</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">127.0.0.1</span><span class="sh">'</span><span class="p">]</span> <span class="n">DATABASES</span> <span class="o">=</span> <span class="p">{</span><span class="sh">'</span><span class="s">default</span><span class="sh">'</span><span class="p">:</span> <span class="n">env</span><span class="p">.</span><span class="nf">db</span><span class="p">(</span><span class="sh">'</span><span class="s">DATABASE_URL</span><span class="sh">'</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="sh">'</span><span class="s">sqlite:///db.sqlite3</span><span class="sh">'</span><span class="p">)}</span> <span class="c1"># Emails print to the console during development </span><span class="n">EMAIL_BACKEND</span> <span class="o">=</span> <span class="sh">'</span><span class="s">django.core.mail.backends.console.EmailBackend</span><span class="sh">'</span> <span class="c1"># Debug toolbar </span><span class="n">INSTALLED_APPS</span> <span class="o">+=</span> <span class="p">[</span><span class="sh">'</span><span class="s">debug_toolbar</span><span class="sh">'</span><span class="p">]</span> <span class="n">MIDDLEWARE</span><span class="p">.</span><span class="nf">insert</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="sh">'</span><span class="s">debug_toolbar.middleware.DebugToolbarMiddleware</span><span class="sh">'</span><span class="p">)</span> <span class="n">INTERNAL_IPS</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">127.0.0.1</span><span class="sh">'</span><span class="p">]</span> </code></pre> </div> <h4> production.py — Hardened for real traffic </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># config/settings/production.py </span><span class="kn">from</span> <span class="n">.base</span> <span class="kn">import</span> <span class="o">*</span> <span class="c1"># noqa </span><span class="kn">from</span> <span class="n">.base</span> <span class="kn">import</span> <span class="n">env</span> <span class="n">DEBUG</span> <span class="o">=</span> <span class="bp">False</span> <span class="n">SECRET_KEY</span> <span class="o">=</span> <span class="nf">env</span><span class="p">(</span><span class="sh">'</span><span class="s">DJANGO_SECRET_KEY</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># required — no default </span><span class="n">ALLOWED_HOSTS</span> <span class="o">=</span> <span class="n">env</span><span class="p">.</span><span class="nf">list</span><span class="p">(</span><span class="sh">'</span><span class="s">DJANGO_ALLOWED_HOSTS</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># required </span> <span class="n">DATABASES</span> <span class="o">=</span> <span class="p">{</span><span class="sh">'</span><span class="s">default</span><span class="sh">'</span><span class="p">:</span> <span class="n">env</span><span class="p">.</span><span class="nf">db</span><span class="p">(</span><span class="sh">'</span><span class="s">DATABASE_URL</span><span class="sh">'</span><span class="p">)}</span> <span class="n">DATABASES</span><span class="p">[</span><span class="sh">'</span><span class="s">default</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">CONN_MAX_AGE</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="n">env</span><span class="p">.</span><span class="nf">int</span><span class="p">(</span><span class="sh">'</span><span class="s">CONN_MAX_AGE</span><span class="sh">'</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="mi">60</span><span class="p">)</span> <span class="c1"># HTTPS enforcement </span><span class="n">SECURE_SSL_REDIRECT</span> <span class="o">=</span> <span class="bp">True</span> <span class="n">SESSION_COOKIE_SECURE</span> <span class="o">=</span> <span class="bp">True</span> <span class="n">CSRF_COOKIE_SECURE</span> <span class="o">=</span> <span class="bp">True</span> <span class="n">SECURE_HSTS_SECONDS</span> <span class="o">=</span> <span class="mi">31536000</span> <span class="n">SECURE_HSTS_INCLUDE_SUBDOMAINS</span> <span class="o">=</span> <span class="bp">True</span> <span class="n">SECURE_CONTENT_TYPE_NOSNIFF</span> <span class="o">=</span> <span class="bp">True</span> <span class="c1"># Email via SMTP </span><span class="n">EMAIL_BACKEND</span> <span class="o">=</span> <span class="sh">'</span><span class="s">django.core.mail.backends.smtp.EmailBackend</span><span class="sh">'</span> <span class="n">EMAIL_HOST</span> <span class="o">=</span> <span class="nf">env</span><span class="p">(</span><span class="sh">'</span><span class="s">EMAIL_HOST</span><span class="sh">'</span><span class="p">)</span> <span class="n">EMAIL_HOST_PASSWORD</span> <span class="o">=</span> <span class="nf">env</span><span class="p">(</span><span class="sh">'</span><span class="s">EMAIL_HOST_PASSWORD</span><span class="sh">'</span><span class="p">)</span> </code></pre> </div> <h3> Secrets Management: the <code>.env</code> Pattern </h3> <p>In development, secrets live in a <code>.env</code> file in the project root. This file is in <code>.gitignore</code> and never committed. Instead, you commit a <code>.env.example</code> file with placeholder values that documents every variable the project needs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="c"># .env.example — commit this file </span><span class="py">DJANGO_SECRET_KEY</span><span class="p">=</span><span class="s">your-secret-key-here</span> <span class="py">DJANGO_DEBUG</span><span class="p">=</span><span class="s">True</span> <span class="py">DJANGO_ALLOWED_HOSTS</span><span class="p">=</span><span class="s">localhost,127.0.0.1</span> <span class="py">DATABASE_URL</span><span class="p">=</span><span class="s">postgres://user:password@localhost:5432/myproject</span> <span class="py">REDIS_URL</span><span class="p">=</span><span class="s">redis://localhost:6379/0</span> <span class="py">EMAIL_HOST</span><span class="p">=</span><span class="s">smtp.example.com</span> <span class="py">EMAIL_HOST_PASSWORD</span><span class="p">=</span><span class="s">your-password-here</span> </code></pre> </div> <h3> ⚠ Your SECRET_KEY is probably in your git history </h3> <p>If you ever committed a real <code>SECRET_KEY</code> to version control, it is compromised regardless of whether you have since removed it. Git history is permanent. Generate a new key immediately using: <code>python -c "from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())"</code><br> Then rotate it in production and ensure every developer generates their own local key rather than sharing one.</p> <h3> One Final Step: Run the Deploy Check </h3> <p>Before every production deployment, run python <code>manage.py check --deploy</code>. Django will verify your settings against a list of known security requirements and flag anything that is misconfigured. It takes ten seconds and has caught real issues in real deployments. Make it part of your CI pipeline.</p> <p>The split settings pattern is one of those changes that feels like overhead until the first time it prevents a <code>SECRET_KEY</code> leak, an accidental <code>DEBUG=True</code> in production, or an hours-long search for why the staging environment is behaving differently from production. After that, it feels obvious.</p> django python systemdesign softwareengineering Why django-admin startproject Is a Trap Houssem Reggai Wed, 08 Apr 2026 20:57:36 +0000 https://forem.com/h_coder/why-django-admin-startproject-is-a-trap-1ba4 https://forem.com/h_coder/why-django-admin-startproject-is-a-trap-1ba4 <p>PROFESSIONAL DJANGO ENGINEERING SERIES #1</p> <blockquote> <p><em>The default layout Django hands you is a starting point. Most teams treat it as a destination.</em></p> </blockquote> <p>Every Django project begins the same way. You type <code>django-admin startproject myproject</code> and in three seconds you have a tidy directory: <code>settings.py</code>, <code>urls.py</code>, <code>wsgi.py</code>. It is clean. It is simple. And for a project that will never grow beyond a prototype, it is perfectly fine.</p> <p>The problem is that most projects do grow. And when they do, the default layout starts to work against you.</p> <blockquote> <p><em>Project structure is not a style preference. It is a load-bearing architectural decision that determines how easily your codebase can be understood, tested, and extended by people who were not there when it was written.</em></p> </blockquote> <h2> The Three Ways the Default Layout Breaks Down </h2> <p><strong>1. The God Settings File</strong><br> The default settings.py is a single file. By the time you have added database configuration, static files, installed apps, logging, cache backends, email settings, third-party integrations, and a few environment-specific overrides, that file is six hundred lines long.<br> More dangerous than the length is the assumption baked in: that your local development environment and your production environment want the same configuration. They do not. The usual solution is to litter settings with conditionals:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># BAD: conditional spaghetti in settings.py </span><span class="n">DEBUG</span> <span class="o">=</span> <span class="bp">True</span> <span class="k">if</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">ENVIRONMENT</span><span class="sh">'</span><span class="p">)</span> <span class="o">==</span> <span class="sh">'</span><span class="s">production</span><span class="sh">'</span><span class="p">:</span> <span class="n">DEBUG</span> <span class="o">=</span> <span class="bp">False</span> <span class="n">DATABASES</span> <span class="o">=</span> <span class="p">{</span><span class="sh">'</span><span class="s">default</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">ENGINE</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">django.db.backends.postgresql</span><span class="sh">'</span><span class="p">,</span> <span class="p">...}}</span> <span class="k">else</span><span class="p">:</span> <span class="n">DATABASES</span> <span class="o">=</span> <span class="p">{</span><span class="sh">'</span><span class="s">default</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">ENGINE</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">django.db.backends.sqlite3</span><span class="sh">'</span><span class="p">,</span> <span class="p">...}}</span> </code></pre> </div> <p>This works. Until a developer forgets to set the environment variable and deploys debug mode to production. Until you need a staging environment. Until the nesting is three levels deep and nobody is sure which branch is actually active.</p> <p><strong>2. The Flat App Structure</strong><br> startapp creates apps in the root directory alongside <code>manage.py</code>. For one app this is fine. For ten, it is a flat list that communicates nothing about your architecture. The deeper problem is apps that are either too large (one giant core app with every model in the project) or too small (one app per database table, with a web of circular imports connecting them).</p> <p><strong>3. The Missing Business Logic Layer</strong><br> The default structure gives you models and views. It gives you no guidance on where business logic lives. The result in most codebases: it lives everywhere. Some in models, some in views, some in serializers, some in a file called helpers.py that grows to contain everything that did not fit anywhere else.</p> <h2> What a Professional Layout Looks Like </h2> <p>Here is the structure that fixes all three problems:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>myproject/ .env # Environment variables — never commit .env.example # Template — always commit requirements/ base.txt # Shared dependencies local.txt # Development only production.txt # Production only Makefile # Common dev commands manage.py config/ # Project configuration (renamed from myproject/) settings/ base.py # Shared settings local.py # Development overrides production.py # Production overrides test.py # Test-specific settings urls.py wsgi.py asgi.py apps/ # All Django applications users/ services.py # Business logic models.py views.py tests/ orders/ ... </code></pre> </div> <h2> Three Changes That Matter Most </h2> <p><strong>1. Rename the inner directory to config/</strong><br> The inner directory named after your project (myproject/myproject/) tells a new developer nothing. Renaming it config/ communicates its purpose immediately. To do this at project creation time: django-admin startproject config . — note the dot.</p> <p><strong>2. Group all apps under apps/</strong><br> Add apps/ to your Python path in settings and your apps can be referenced as 'users' rather than 'apps.users'. Your project root stays clean. New developers can orient themselves in seconds.</p> <p><strong>3. Split requirements by environment</strong><br> Three files, not one. local.txt starts with -r base.txt and adds django-debug-toolbar, factory-boy, pytest. production.txt adds gunicorn and sentry-sdk. Your production environment never installs your development tools.</p> <blockquote> <p><strong><em>✓ The one rule worth memorizing</em></strong><br> <em>The config/ directory contains project-level configuration only. The apps/ directory contains all domain code. Nothing else belongs at the project root.</em></p> </blockquote> <h2> The Payoff </h2> <p>These are not cosmetic changes. They are the decisions that determine whether, six months from now, a new developer can navigate your project in an afternoon or spend a week getting oriented. Structure is the first thing everyone inherits and the last thing anyone wants to refactor.</p> <p>If you are starting a new project this week, spend the extra ten minutes getting this right. If you are inheriting an existing project, understanding why it is structured the way it is will tell you most of what you need to know about the decisions made before you arrived.</p> django python backend webdev