
aacengineering / django-permissions-auditor


Tool to audit access control on your django app.

Home Page: https://django-permissions-auditor.readthedocs.io/en/latest/

License: MIT License

Python 83.51% HTML 16.49%
auditing django django-admin permissions

django-permissions-auditor's People

Contributors

annamooseity, jeffgabhart, kluchrj, lerikg


django-permissions-auditor's Issues

Export to CSV

We really need a way to export this to CSV so we can track this in our change management as well as share with auditors who are asking for verification we have permissions applied.

Exception if <str:permission> is invalid

Using django-smoke-tests, I get the following error. It is obviously sending the wrong URL parameter, but permissions-auditor should handle this a bit better, e.g. even replying with a 404 if it couldn't decode its parameter.

ERROR: test_smoke_GET_admin/permissions_auditor/view/<str:permission>/ (django_smoke_tests.tests.SmokeTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/django_smoke_tests/generator.py", line 90, in test
    response = http_method_function(url, {})
  File "/usr/lib/python3.8/site-packages/django/test/client.py", line 518, in get
    response = super().get(path, data=data, secure=secure, **extra)
  File "/usr/lib/python3.8/site-packages/django/test/client.py", line 344, in get
    return self.generic('GET', path, secure=secure, **{
  File "/usr/lib/python3.8/site-packages/django/test/client.py", line 421, in generic
    return self.request(**r)
  File "/usr/lib/python3.8/site-packages/django/test/client.py", line 496, in request
    raise exc_value
  File "/usr/lib/python3.8/site-packages/django/core/handlers/exception.py", line 34, in inner
    response = get_response(request)
  File "/usr/lib/python3.8/site-packages/django/core/handlers/base.py", line 115, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "/usr/lib/python3.8/site-packages/django/core/handlers/base.py", line 113, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/usr/lib/python3.8/site-packages/django/utils/decorators.py", line 130, in _wrapped_view
    response = view_func(request, *args, **kwargs)
  File "/usr/lib/python3.8/site-packages/django/views/decorators/cache.py", line 44, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/usr/lib/python3.8/site-packages/django/contrib/admin/sites.py", line 231, in inner
    return view(request, *args, **kwargs)
  File "/usr/lib/python3.8/site-packages/permissions_auditor/admin.py", line 76, in permission_detail
    obj = self.get_object(request, permission)
  File "/usr/lib/python3.8/site-packages/permissions_auditor/admin.py", line 52, in get_object
    app_label, codename = permission.split('.')
ValueError: not enough values to unpack (expected 2, got 1)
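The traceback above ends in `permission.split('.')` raising a bare `ValueError`, which Django turns into a 500. The following is an added example, not django-permissions-auditor's code, of the defensive pattern the issue asks for: validate the `<app_label>.<codename>` reference first and map every failure (malformed parameter or unknown permission) to a 404. The names `parse_permission`, `permission_detail`, `sample_lookup` and the `SAMPLE_PERMISSIONS` table are assumptions made for this example; a real view would raise `django.http.Http404` and query `Permission.objects` instead of the in-memory dictionary.

```python
"""Added example: validating an 'app_label.codename' URL parameter before use.

Not the project's code. A malformed permission reference (such as the literal
'<str:permission>' a smoke test sends) becomes a 404 instead of a 500 from
str.split(). `permission_detail` and `sample_lookup` are hypothetical names
chosen for this example.
"""


class MalformedPermission(ValueError):
    """A permission reference that is not of the form '<app_label>.<codename>'."""


def parse_permission(permission):
    """Split a Django-style permission reference into (app_label, codename).

    Mirrors the shape Django's has_perm() expects: the text before the first
    dot is the app label (a Python identifier), everything after it is the
    codename. Raises MalformedPermission rather than a bare ValueError.
    """
    if not isinstance(permission, str):
        raise MalformedPermission("permission reference must be a string")
    app_label, dot, codename = permission.partition(".")
    if not dot or not app_label or not codename:
        raise MalformedPermission(
            f"expected '<app_label>.<codename>', got {permission!r}"
        )
    if not app_label.isidentifier():
        raise MalformedPermission(f"invalid app label {app_label!r}")
    # Permission.codename is a CharField(max_length=100) in django.contrib.auth;
    # reject anything longer or containing whitespace before it reaches the ORM.
    if len(codename) > 100 or any(ch.isspace() for ch in codename):
        raise MalformedPermission(f"invalid codename {codename!r}")
    return app_label, codename


# Constructed stand-in for a database lookup: maps (app_label, codename) to a
# record. A real view would query Permission.objects instead.
SAMPLE_PERMISSIONS = {
    ("auth", "add_user"): {"name": "Can add user"},
    ("auth", "change_user"): {"name": "Can change user"},
}


def sample_lookup(app_label, codename):
    """Return the constructed record for a permission, or None if unknown."""
    return SAMPLE_PERMISSIONS.get((app_label, codename))


def permission_detail(permission, lookup=sample_lookup):
    """Hypothetical view body: returns (status_code, record).

    Both failure paths, a malformed parameter and an unknown permission, yield
    404, so the response never carries a traceback and does not reveal whether
    the input was syntactically valid.
    """
    try:
        app_label, codename = parse_permission(permission)
    except MalformedPermission:
        return 404, None
    record = lookup(app_label, codename)
    if record is None:
        return 404, None
    return 200, record


if __name__ == "__main__":
    # The second value is exactly what the smoke test in the issue sends.
    for ref in ("auth.add_user", "<str:permission>", "auth.", "auth.no_such_perm"):
        status, record = permission_detail(ref)
        print(f"{ref!r:22} -> {status} {record}")
```

`str.partition` is used instead of `str.split('.')` so that the app label is always the text before the first dot and a missing dot is detected explicitly; in a Django view the `404, None` return would be replaced by `raise Http404`.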

django.views.generic.base and RedirectView

I have a set of views grouped under "django.views.generic.base" that are all RedirectView.

They are from a wide variety of installable apps, so grouping them under "django.views.generic.base" is a bit confusing.

Many are paths ending in / like /admin/socialaccount/socialapp/<path:object_id>/. These are a special case, redirecting to the same path without the trailing /. Many of them are under /admin/.. but they have "login required"= false.

It would be nice to hide these by default, behind a setting like "IGNORE_ADMIN_SLASH_REDIRECTS".

In addition I have the following, again all "login required"= false, yet all except /oscar/ need auth, possibly only needing auth on the redirect target rather than the path being redirected.

RedirectView | /oscar/
RedirectView | /oscar/accounts/notifications/
RedirectView | /admin/rosetta/
RedirectView | /admin/rosetta/files/
RedirectView | /admin/data-browser/.*/<path>

django.contrib.admin.sites

All of the views grouped under "django.contrib.admin.sites" are listed as "requires login" = false.

index | /admin/ |   |   |  
login | /admin/login/ |   |   |  
logout | /admin/logout/ |   |   |  
password_change | /admin/password_change/ |   |   |  
password_change_done | /admin/password_change/done/ |   |   |  
i18n_javascript | /admin/jsi18n/ |   |   |  
app_index | /admin/<app_label>/ |   |   |  

Route based ordering

Currently the list of views is grouped by base class.

It would be very nice to have an additional list of views ordered by route, similar to the django-extensions command show_urls.

django.contrib.admin.options

I have a long list of views grouped under "django.contrib.admin.options" and all with "login required" = false, which does not appear logical. This is with Django 2.2.

changelist_view | /admin/admin_interface/theme/ |   |   |  
add_view | /admin/admin_interface/theme/add/ |   |   |  
autocomplete_view | /admin/admin_interface/theme/autocomplete/ |   |   |  
history_view | /admin/admin_interface/theme/<path:object_id>/history/ |   |   |  
delete_view | /admin/admin_interface/theme/<path:object_id>/delete/ |   |   |  
change_view | /admin/admin_interface/theme/<path:object_id>/change/ |   |   |  
changelist_view | /admin/advanced_filters/advancedfilter/ |   |   |  
add_view | /admin/advanced_filters/advancedfilter/add/ |   |   |  
autocomplete_view | /admin/advanced_filters/advancedfilter/autocomplete/ |   |   |  
history_view | /admin/advanced_filters/advancedfilter/<path:object_id>/history/ |   |   |  
delete_view | /admin/advanced_filters/advancedfilter/<path:object_id>/delete/ |   |   |  
changelist_view | /admin/siteprefs/preference/ |   |   |  
add_view | /admin/siteprefs/preference/add/ |   |   |  
autocomplete_view | /admin/siteprefs/preference/autocomplete/ |   |   |  
history_view | /admin/siteprefs/preference/<path:object_id>/history/ |   |   |  
delete_view | /admin/siteprefs/preference/<path:object_id>/delete/ |   |   |  
change_view | /admin/siteprefs/preference/<path:object_id>/change/ |   |   |  
changelist_view | /admin/qsessions/session/ |   |   |  
add_view | /admin/qsessions/session/add/ |   |   |  
autocomplete_view | /admin/qsessions/session/autocomplete/ |   |   |  
history_view | /admin/qsessions/session/<path:object_id>/history/ |   |   |  
delete_view | /admin/qsessions/session/<path:object_id>/delete/ |   |   |  
change_view | /admin/qsessions/session/<path:object_id>/change/ |   |   |  
changelist_view | /admin/authtoken/tokenproxy/ |   |   |  
add_view | /admin/authtoken/tokenproxy/add/ |   |   |  
autocomplete_view | /admin/authtoken/tokenproxy/autocomplete/ |   |   |  
history_view | /admin/authtoken/tokenproxy/<path:object_id>/history/ |   |   |  
delete_view | /admin/authtoken/tokenproxy/<path:object_id>/delete/ |   |   |  
change_view | /admin/authtoken/tokenproxy/<path:object_id>/change/ |   |   |  
changelist_view | /admin/blacklist/blacklistedtoken/ |   |   |  
add_view | /admin/blacklist/blacklistedtoken/add/ |   |   |  
autocomplete_view | /admin/blacklist/blacklistedtoken/autocomplete/ |   |   |  
history_view | /admin/blacklist/blacklistedtoken/<path:object_id>/history/ |   |   |  
delete_view | /admin/blacklist/blacklistedtoken/<path:object_id>/delete/ |   |   |  
change_view | /admin/blacklist/blacklistedtoken/<path:object_id>/change/ |   |   |  
changelist_view | /admin/sites/site/ |   |   |  
add_view | /admin/sites/site/add/ |   |   |  
autocomplete_view | /admin/sites/site/autocomplete/ |   |   |  
history_view | /admin/sites/site/<path:object_id>/history/ |   |   |  
delete_view | /admin/sites/site/<path:object_id>/delete/ |   |   |  
change_view | /admin/sites/site/<path:object_id>/change/ |   |   |  
...
