aacengineering / django-permissions-auditor
Tool to audit access control on your django app.
Home Page: https://django-permissions-auditor.readthedocs.io/en/latest/
License: MIT License
We really need a way to export this to CSV so we can track this in our change management as well as share with auditors who are asking for verification we have permissions applied.
It seems there isn't any DRF support yet.
There are lots of aspects to the DRF permissions system.
One re-usable method in DRF which can be used to determine broadly which actions are allowed is via the metadata https://github.com/encode/django-rest-framework/blob/335054a/rest_framework/metadata.py#L73
More info at https://github.com/encode/django-rest-framework/blob/master/docs/api-guide/metadata.md
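The check the metadata approach rests on, as an added example that is not part of the original issue and not code from django-permissions-auditor or DRF: DRF's `APIView.check_permissions` accepts a request only if every class in `permission_classes` accepts it, and `SimpleMetadata.determine_actions()` simply runs that check per HTTP method. The script below re-creates that rule against small stand-ins for the DRF permission classes and view base class so it runs without Django or DRF, then audits a few constructed views for what an anonymous and an authenticated caller may do. Composed permissions (`A | B`, `~A`) and object-level checks are left out of the model.

```python
"""Audit which HTTP methods DRF-style views let an anonymous caller use.

Added example, not code from django-permissions-auditor or DRF. Models the
rule in APIView.check_permissions (all permission classes must accept the
request) with stand-ins so it runs without Django or DRF installed.
"""
from dataclasses import dataclass, field

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


@dataclass
class User:
    is_authenticated: bool = False
    is_staff: bool = False


@dataclass
class Request:
    method: str
    user: User = field(default_factory=User)


# Permission stand-ins with DRF's has_permission(request, view) signature.
class AllowAny:
    def has_permission(self, request, view):
        return True


class IsAuthenticated:
    def has_permission(self, request, view):
        return request.user.is_authenticated


class IsAdminUser:
    def has_permission(self, request, view):
        return request.user.is_staff


class IsAuthenticatedOrReadOnly:
    def has_permission(self, request, view):
        return request.method in SAFE_METHODS or request.user.is_authenticated


class APIView:
    # DRF reads both from settings when a view does not override them. DRF's
    # own default permission is AllowAny; IsAuthenticated is assumed here as
    # the project-wide default, the safer setting to audit against.
    permission_classes = (IsAuthenticated,)
    http_method_names = ("get", "post", "put", "patch", "delete")

    def check_permissions(self, request):
        # all() over an empty permission_classes is True: an empty tuple means
        # "no checks", which is why the Webhook view below shows up as open.
        return all(p().has_permission(request, self) for p in self.permission_classes)


def allowed_methods(view_cls, user):
    view = view_cls()
    return [m.upper() for m in view.http_method_names
            if view.check_permissions(Request(m.upper(), user))]


def audit(views):
    """Map view name -> permission classes and the methods an anonymous and an
    authenticated (non-staff) user may call."""
    return {
        name: {
            "permissions": [p.__name__ for p in cls.permission_classes],
            "anonymous": allowed_methods(cls, User()),
            "authenticated": allowed_methods(cls, User(is_authenticated=True)),
        }
        for name, cls in views.items()
    }


def anonymous_writes(report):
    """Views an anonymous caller can modify: the first rows to triage."""
    return sorted(name for name, row in report.items()
                  if any(m not in SAFE_METHODS for m in row["anonymous"]))


# Constructed sample views for this example.
class PublicCatalog(APIView):
    permission_classes = (AllowAny,)


class Comments(APIView):
    permission_classes = (IsAuthenticatedOrReadOnly,)


class Tokens(APIView):
    permission_classes = (IsAdminUser,)


class Orders(APIView):
    pass  # inherits the project default


class Webhook(APIView):
    permission_classes = ()  # auth "disabled" for a callback; DRF treats this as allow-all


SAMPLE_VIEWS = {c.__name__: c for c in (PublicCatalog, Comments, Tokens, Orders, Webhook)}

if __name__ == "__main__":
    report = audit(SAMPLE_VIEWS)
    for name, row in report.items():
        print(f"{name:14} {','.join(row['permissions']) or '<none>':26} anon={row['anonymous']}")
    print("anonymous writes:", anonymous_writes(report))
```

The empty `permission_classes` case is the one worth remembering when reading an export like this: it is not "no permissions", it is "no checks", and the audit has to evaluate the classes rather than just list their names to show that.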
Using django-smoke-tests, I get the following error. It is obviously sending the wrong URL parameter, but permissions-auditor should handle this a bit better, e.g. even replying with a 404 if it couldn't decode its parameter.
ERROR: test_smoke_GET_admin/permissions_auditor/view/<str:permission>/ (django_smoke_tests.tests.SmokeTests)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/usr/lib/python3.8/site-packages/django_smoke_tests/generator.py", line 90, in test
response = http_method_function(url, {})
File "/usr/lib/python3.8/site-packages/django/test/client.py", line 518, in get
response = super().get(path, data=data, secure=secure, **extra)
File "/usr/lib/python3.8/site-packages/django/test/client.py", line 344, in get
return self.generic('GET', path, secure=secure, **{
File "/usr/lib/python3.8/site-packages/django/test/client.py", line 421, in generic
return self.request(**r)
File "/usr/lib/python3.8/site-packages/django/test/client.py", line 496, in request
raise exc_value
File "/usr/lib/python3.8/site-packages/django/core/handlers/exception.py", line 34, in inner
response = get_response(request)
File "/usr/lib/python3.8/site-packages/django/core/handlers/base.py", line 115, in _get_response
response = self.process_exception_by_middleware(e, request)
File "/usr/lib/python3.8/site-packages/django/core/handlers/base.py", line 113, in _get_response
response = wrapped_callback(request, *callback_args, **callback_kwargs)
File "/usr/lib/python3.8/site-packages/django/utils/decorators.py", line 130, in _wrapped_view
response = view_func(request, *args, **kwargs)
File "/usr/lib/python3.8/site-packages/django/views/decorators/cache.py", line 44, in _wrapped_view_func
response = view_func(request, *args, **kwargs)
File "/usr/lib/python3.8/site-packages/django/contrib/admin/sites.py", line 231, in inner
return view(request, *args, **kwargs)
File "/usr/lib/python3.8/site-packages/permissions_auditor/admin.py", line 76, in permission_detail
obj = self.get_object(request, permission)
File "/usr/lib/python3.8/site-packages/permissions_auditor/admin.py", line 52, in get_object
app_label, codename = permission.split('.')
ValueError: not enough values to unpack (expected 2, got 1)
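One way to make the detail view fail closed, as an added example that is not part of the original issue and not the project's code: the traceback ends in `app_label, codename = permission.split('.')`, so a parameter with no dot (the smoke tester sends the literal `<str:permission>`) or with two dots raises ValueError and the admin answers with a 500 and a traceback instead of a 404. The parser below validates the reference first and raises `NotFound`, a stand-in for `django.http.Http404` so the example runs without Django; the registry of permissions and views is constructed for the example.

```python
"""Validate the '<app_label>.<codename>' URL parameter before using it.

Added example, not the project's code. NotFound stands in for
django.http.Http404 so this runs without Django; REGISTRY is constructed.
"""
import re


class NotFound(Exception):
    """Stand-in for django.http.Http404."""


# Django requires app labels to be valid Python identifiers; codenames are
# only required to be non-empty here (they are free-form in the Permission model).
_APP_LABEL = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")


def parse_permission_ref(value):
    """Return (app_label, codename) or raise NotFound.

    Splits once, on the first dot, so a codename that itself contains a dot
    survives instead of tripping a two-target unpack."""
    if not isinstance(value, str):
        raise NotFound("permission reference must be a string")
    app_label, sep, codename = value.partition(".")
    if not sep or not codename or not _APP_LABEL.match(app_label):
        raise NotFound(f"malformed permission reference: {value!r}")
    return app_label, codename


# Constructed: permission -> views that require it, as the auditor would
# derive from the URL conf.
REGISTRY = {
    ("auth", "add_user"): ["UserCreateView"],
    ("auth", "change_user"): ["UserUpdateView", "UserAdmin.change_view"],
}


def permission_detail(value, registry=REGISTRY):
    """Detail lookup: malformed or unknown references are a 404, never a 500."""
    app_label, codename = parse_permission_ref(value)
    try:
        views = registry[(app_label, codename)]
    except KeyError:
        raise NotFound(f"no such permission: {value}") from None
    return {"app_label": app_label, "codename": codename, "views": views}


def response_status(value, registry=REGISTRY):
    """HTTP status the view should answer with for a given parameter."""
    try:
        permission_detail(value, registry)
    except NotFound:
        return 404
    return 200


if __name__ == "__main__":
    for param in ("auth.add_user", "auth.delete_user", "<str:permission>", "a.b.c"):
        print(f"{param!r:22} -> {response_status(param)}")
```

Rejecting bad input before the lookup matters beyond tidiness: an unhandled exception in an admin view means a traceback page whenever DEBUG is on, and an easy way to fill the error log otherwise, from a URL any logged-in staff user can type.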
I have a set of views grouped under "django.views.generic.base" that are all RedirectView. They are from a wide variety of installable apps, so grouping them under "django.views.generic.base" is a bit confusing.
Many are paths ending in / like /admin/socialaccount/socialapp/<path:object_id>/. These are a special case, redirecting to the same path without the trailing /. Many of them are under /admin/.. but they have "login required" = false.
It would be nice to hide these by default, behind a setting like "IGNORE_ADMIN_SLASH_REDIRECTS".
In addition I have the following, again all "login required" = false, yet all except /oscar/ need auth, possibly only needing auth on the redirect target rather than the path being redirected.
RedirectView | /oscar/
RedirectView | /oscar/accounts/notifications/
RedirectView | /admin/rosetta/
RedirectView | /admin/rosetta/files/
RedirectView | /admin/data-browser/.*/<path>
https://github.com/django-oscar/django-oscar views are all marked as "login required" = red, when they should almost all be detected as login required.
Hi,
I started using it recently and noticed that in cases where Django's CBVs are used with django.utils.decorators.method_decorator it does not work. You can see such behavior in django.contrib.auth.views.
https://github.com/django/django/blob/master/django/contrib/auth/views.py
Have you tried to cover this case?
P.S.: great project, very useful. I'll certainly keep using it in my projects hahahaha
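Why the decorator goes unnoticed and how an auditor can still find it, as an added example that is not part of the original issue and not the project's code: Django's `login_required` is `user_passes_test(...)`, whose wrapper is built with `functools.wraps` and closes over the `test_func` it evaluates, and `method_decorator` does not apply that decorator to `dispatch` at class-definition time; it stores the decorator in the closure of its own wrapper and applies it to the bound method on every call. Looking only at `dispatch.__wrapped__` or at attributes on the class therefore sees nothing. Walking the closure cells recursively does find the `test_func`. The two decorators below are stand-ins written for this example with the same closure layout (no Django import), and the view classes are constructed.

```python
"""Detect a login_required-style check applied to a CBV via method_decorator.

Added example, not the project's code. user_passes_test and method_decorator
are stand-ins that keep the closure layout of the Django originals.
"""
import functools
import types
from dataclasses import dataclass


@dataclass
class User:
    is_authenticated: bool = False
    is_staff: bool = False


@dataclass
class Request:
    user: User


def user_passes_test(test_func):
    # Free variable `test_func`, as in django.contrib.auth.decorators.
    def decorator(view_func):
        @functools.wraps(view_func)
        def _wrapper_view(request, *args, **kwargs):
            if test_func(request.user):
                return view_func(request, *args, **kwargs)
            return "redirect to login"
        return _wrapper_view
    return decorator


login_required = user_passes_test(lambda u: u.is_authenticated)
staff_required = user_passes_test(lambda u: u.is_staff)


def method_decorator(decorator):
    # Like django.utils.decorators.method_decorator: the class attribute is a
    # wrapper whose closure holds `decorator`; it is applied per call to the
    # bound method, so dispatch.__wrapped__ is just the undecorated method.
    def _dec(method):
        @functools.wraps(method)
        def _wrapper(self, *args, **kwargs):
            bound = functools.wraps(method)(functools.partial(method, self))
            return decorator(bound)(*args, **kwargs)
        return _wrapper
    return _dec


def walk_free_vars(fn, _seen=None):
    """Yield (name, value) for every free variable reachable from fn through
    closure cells (including lists/tuples of functions) and __wrapped__ links."""
    _seen = set() if _seen is None else _seen
    if not isinstance(fn, types.FunctionType) or id(fn) in _seen:
        return
    _seen.add(id(fn))
    for name, cell in zip(fn.__code__.co_freevars, fn.__closure__ or ()):
        try:
            value = cell.cell_contents
        except ValueError:  # cell not yet assigned
            continue
        yield name, value
        for inner in (value if isinstance(value, (list, tuple)) else (value,)):
            yield from walk_free_vars(inner, _seen)
    yield from walk_free_vars(getattr(fn, "__wrapped__", None), _seen)


def find_test_funcs(fn):
    return [v for n, v in walk_free_vars(fn) if n == "test_func" and callable(v)]


def login_required_on(view_cls):
    """True when any test_func reachable from dispatch rejects an anonymous
    user. Probing with a user object rather than comparing against
    login_required also catches custom tests (staff-only, group-based)."""
    anonymous = User()
    return any(not test(anonymous) for test in find_test_funcs(view_cls.dispatch))


# Constructed views.
class PublicView:
    def dispatch(self, request):
        return "ok"


class AccountView:
    @method_decorator(login_required)
    def dispatch(self, request):
        return "ok"


class ReportView:
    @method_decorator(staff_required)
    def dispatch(self, request):
        return "ok"


if __name__ == "__main__":
    for cls in (PublicView, AccountView, ReportView):
        print(f"{cls.__name__:12} login required: {login_required_on(cls)}")
```

The probe in `login_required_on` is deliberately behavioural: it asks each discovered test whether an anonymous user passes, so a view guarded by a staff or group check is reported as requiring login even though its test function is not `login_required`'s. The trade-off is that a test which rejects everyone (a feature flag, say) is reported the same way, which is the safer direction for an access-control audit.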
All of the views grouped under "django.contrib.admin.sites" are listed as "requires login" = false.
index | /admin/ | | |
login | /admin/login/ | | |
logout | /admin/logout/ | | |
password_change | /admin/password_change/ | | |
password_change_done | /admin/password_change/done/ | | |
i18n_javascript | /admin/jsi18n/ | | |
app_index | /admin/<app_label>/ | | |
Currently the list of views is grouped by base class.
It would be very nice to have an additional list of views ordered by route, similar to the django-extensions command show_urls.
I have a long list of views grouped under "django.contrib.admin.options", all with "login required" = false, which does not appear logical. This is with Django 2.2.
changelist_view | /admin/admin_interface/theme/ | | |
add_view | /admin/admin_interface/theme/add/ | | |
autocomplete_view | /admin/admin_interface/theme/autocomplete/ | | |
history_view | /admin/admin_interface/theme/<path:object_id>/history/ | | |
delete_view | /admin/admin_interface/theme/<path:object_id>/delete/ | | |
change_view | /admin/admin_interface/theme/<path:object_id>/change/ | | |
changelist_view | /admin/advanced_filters/advancedfilter/ | | |
add_view | /admin/advanced_filters/advancedfilter/add/ | | |
autocomplete_view | /admin/advanced_filters/advancedfilter/autocomplete/ | | |
history_view | /admin/advanced_filters/advancedfilter/<path:object_id>/history/ | | |
delete_view | /admin/advanced_filters/advancedfilter/<path:object_id>/delete/ | | |
changelist_view | /admin/siteprefs/preference/ | | |
add_view | /admin/siteprefs/preference/add/ | | |
autocomplete_view | /admin/siteprefs/preference/autocomplete/ | | |
history_view | /admin/siteprefs/preference/<path:object_id>/history/ | | |
delete_view | /admin/siteprefs/preference/<path:object_id>/delete/ | | |
change_view | /admin/siteprefs/preference/<path:object_id>/change/ | | |
changelist_view | /admin/qsessions/session/ | | |
add_view | /admin/qsessions/session/add/ | | |
autocomplete_view | /admin/qsessions/session/autocomplete/ | | |
history_view | /admin/qsessions/session/<path:object_id>/history/ | | |
delete_view | /admin/qsessions/session/<path:object_id>/delete/ | | |
change_view | /admin/qsessions/session/<path:object_id>/change/ | | |
changelist_view | /admin/authtoken/tokenproxy/ | | |
add_view | /admin/authtoken/tokenproxy/add/ | | |
autocomplete_view | /admin/authtoken/tokenproxy/autocomplete/ | | |
history_view | /admin/authtoken/tokenproxy/<path:object_id>/history/ | | |
delete_view | /admin/authtoken/tokenproxy/<path:object_id>/delete/ | | |
change_view | /admin/authtoken/tokenproxy/<path:object_id>/change/ | | |
changelist_view | /admin/blacklist/blacklistedtoken/ | | |
add_view | /admin/blacklist/blacklistedtoken/add/ | | |
autocomplete_view | /admin/blacklist/blacklistedtoken/autocomplete/ | | |
history_view | /admin/blacklist/blacklistedtoken/<path:object_id>/history/ | | |
delete_view | /admin/blacklist/blacklistedtoken/<path:object_id>/delete/ | | |
change_view | /admin/blacklist/blacklistedtoken/<path:object_id>/change/ | | |
changelist_view | /admin/sites/site/ | | |
add_view | /admin/sites/site/add/ | | |
autocomplete_view | /admin/sites/site/autocomplete/ | | |
history_view | /admin/sites/site/<path:object_id>/history/ | | |
delete_view | /admin/sites/site/<path:object_id>/delete/ | | |
change_view | /admin/sites/site/<path:object_id>/change/ | | |
...