Project author: django-roles-access

Project description:
Django view access security by roles (groups).
Language: Python
Project URL: git://github.com/django-roles-access/master.git
Created: 2019-03-19T18:53:15Z
Project community: https://github.com/django-roles-access/master

License: MIT License

Django Roles Access



Application for securing access to views with roles
(Django contrib Groups).

django_roles_access is a Django app for securing access to views. It is
built on top of Django contrib Groups, which it interprets as roles. The
objectives of the app are:

  • Provide secure access to views.

  • Be able to administrate access to views without the need to restart the
    server (at run time).

  • Minimize the need for new code, or eliminate it altogether (when using
    the django_roles_access middleware). This also frees developers from
    the task of coding any view access.

  • django_roles_access also provides a security report by registering the
    checkviewaccess action.

Works with:

  • Django 1.10+ (Python 2.7, Python 3.5+)

  • Django 2 (Python 3.5+)

  • Documentation

Requirements

Django roles access uses Django contrib Groups and Django contrib User. The
Django admin interface is also necessary to create and administer view
access (django_roles_access.models.ViewAccess).
Django roles access therefore depends on the Django admin site and has the
same requirements as it does. These can be checked in the
official documentation:

Quick start

Installation and configuration

  1. Install django_roles_access from pypi:

         pip install django-roles-access

  2. Add 'django_roles_access' to your INSTALLED_APPS setting:

         INSTALLED_APPS = [
             ...
             'django_roles_access',
         ]

  3. Run migrations to create the django_roles_access models:

         python manage.py migrate

Note:

If nothing else is done, the Django site's security remains without
modification.

Access configuration

Quick view access configuration in two steps.

Step 1

In the Django admin interface, create a
django_roles_access.models.ViewAccess object and configure it:

  1. view attribute: name of the view to be secured. Format used:
    <app_name:view_name> (namespaces and view name).

  2. type attribute: select the access type for the view:

    • Public: Any visitor can access the view.

    • Authorized: Only an authorized (logged in) Django contrib User can
      access the view.

    • By roles: Only a Django contrib User belonging to any added Django
      contrib Group can access the view.

  3. roles attribute: When By roles is selected as access type, this
    attribute holds any Django contrib Group whose members will access the view.

Step 2

In the view to be secured use:

For example:

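If the view is a function:

    from django_roles_access.decorators import access_by_role

    # Access is decided by the ViewAccess object configured for this view.
    @access_by_role()
    def myview(request):
        ...

For class-based views, use the mixin:

    from django.views import View
    from django_roles_access.mixin import RolesMixin

    # RolesMixin is listed first so it runs before the view's own handling.
    class MyView(RolesMixin, View):
        ...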

Note:

When a user has no access to a view, django_roles_access by default
responds with django.http.HttpResponseForbidden.

Warning:

Pre-existing security behavior can be modified if a django_roles_access
configuration for the same view results in a more restricted view access.
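
The three access types from Step 1, the default forbidden response and the warning above can be modelled in a few lines. This is an added illustration, not django_roles_access source code: every name in it is hypothetical, the sample rules and users are constructed, and it assumes that a view without a ViewAccess object keeps its existing behaviour and that a view's own earlier check keeps applying.

```python
# Simplified model of the access types described above (added illustration,
# not django_roles_access source; every name below is hypothetical).
from dataclasses import dataclass

PUBLIC, AUTHORIZED, BY_ROLES = "public", "authorized", "by_roles"


@dataclass(frozen=True)
class User:
    authenticated: bool = False
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class Rule:
    type: str
    roles: frozenset = frozenset()


def rule_allows(rule, user):
    if rule.type == PUBLIC:
        return True
    if rule.type == AUTHORIZED:
        return user.authenticated
    if rule.type == BY_ROLES:
        # Anonymous visitors belong to no group, so they never match.
        return user.authenticated and bool(rule.roles & user.groups)
    return False  # unknown type: fail closed


def status_for(view, user, rules, existing_check=lambda user: True):
    """Return 200 or 403 for `view` ("app_name:view_name")."""
    # Assumption: the view's own earlier check keeps applying.
    if not existing_check(user):
        return 403
    rule = rules.get(view)
    if rule is None:
        # Assumption: no ViewAccess object means behaviour is unchanged.
        return 200
    return 200 if rule_allows(rule, user) else 403


# Constructed sample configuration and users.
RULES = {
    "shop:home": Rule(PUBLIC),
    "shop:profile": Rule(AUTHORIZED),
    "shop:report": Rule(BY_ROLES, frozenset({"auditors"})),
}
ANON = User()
MEMBER = User(True, frozenset({"customers"}))
AUDITOR = User(True, frozenset({"auditors"}))
```

With a login-only check already on shop:report, MEMBER gets 200 before the By roles rule exists and 403 once it is added, which is the change the warning describes.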

Test Django roles access

You can check the django_roles_access test execution at the
Travis CI integration (Build Status).

You can also check django_roles_access test coverage at
Coverage (codecov).

Or:

  1. Create a virtual environment.

  2. Get into and activate the virtual environment.

  3. Clone django_roles_access:

         git clone https://github.com/django-roles-access/master.git

  4. Install tox:

         pip install tox

  5. Run the tests:

         tox