
Django view access security by roles (groups).

Django Roles Access

Application for securing access to views with roles (Django contrib Groups).

django_roles_access is a Django app for securing access to views. It is built on top of Django contrib Groups, interpreted as roles. The objectives of the app are:

  • Provide secure access to views.

  • Be able to administrate access to views without the need to restart the server (at run time).

  • Minimize the need for new code, or eliminate it entirely (when using the django_roles_access middleware). This also frees developers from the task of coding any view access.

  • django_roles_access also provides a security report by registering the checkviewaccess action.

Works with:

  • Django 1.10+ (Python 2.7, Python 3.5+)

  • Django 2 (Python 3.5+)


Requirements

Django roles access uses Django contrib Groups and Django contrib User. The Django admin interface is also necessary to create and administer view access (django_roles_access.models.ViewAccess). Django roles access therefore depends on the Django admin site and has the same requirements as it. These can be checked in the official documentation.

Quick start

Installation and configuration

  1. Install django_roles_access from pypi:

    pip install django-roles-access

  2. Add 'django_roles_access' to your INSTALLED_APPS setting:

    INSTALLED_APPS = [
        ...
        'django_roles_access',
    ]

  3. Run migrations to create the django_roles_access models:

    python manage.py migrate

Note:

If nothing else is done, the Django site's security remains unchanged.

Access configuration

Quick view access configuration in two steps.

Step 1

In Django admin interface create a django_roles_access.models.ViewAccess object and configure it:

  1. view attribute: name of the view to be secured. Format used: <app_name:view_name> (namespace and view name).

  2. type attribute: select the access type for the view:

    • Public: Any visitor can access the view.

    • Authorized: Only an authorized (logged in) Django contrib User can access the view.

    • By roles: Only a Django contrib User belonging to any of the added Django contrib Groups can access the view.

  3. roles attribute: When By roles is selected as the access type, this attribute holds the Django contrib Groups whose members can access the view.

Step 2

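In the view to be secured, use the access_by_role decorator or the RolesMixin mixin. For example:

If the view is a function:

    from django_roles_access.decorators import access_by_role

    # The decorator applies the ViewAccess configuration for this view.
    @access_by_role()
    def myview(request):
        ...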

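For class-based views, use the mixin:

    from django.views.generic import View
    from django_roles_access.mixin import RolesMixin

    # RolesMixin goes first so its access check runs before the view.
    class MyView(RolesMixin, View):
        ...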

Note:

When a user has no access to a view, django_roles_access responds by default with django.http.HttpResponseForbidden.

Warning:

Pre-existing security behavior can be modified if a django_roles_access configuration for the same view results in more restricted view access.
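The three access types from Step 1 can be modelled in plain Python to see who gets in and which configurations lock everyone out. This is an added example, not code from django_roles_access: the names AccessRule, Visitor, is_allowed and audit are hypothetical, and the model assumes that groups attached to a rule are only consulted for the By roles type.

```python
# Added illustration: a plain-Python model of the access types described in
# Step 1. It does not import or reproduce django_roles_access; every name
# defined here is hypothetical.
from dataclasses import dataclass

PUBLIC, AUTHORIZED, BY_ROLES = "Public", "Authorized", "By roles"


@dataclass(frozen=True)
class AccessRule:
    view: str                       # "<app_name:view_name>"
    type: str                       # one of the three access types
    roles: frozenset = frozenset()  # group names, consulted only for BY_ROLES


@dataclass(frozen=True)
class Visitor:
    authenticated: bool = False
    groups: frozenset = frozenset()


def is_allowed(rule, visitor):
    """True if the visitor reaches the view; False models the 403 response."""
    if rule.type == PUBLIC:
        return True
    if rule.type == AUTHORIZED:
        return visitor.authenticated
    if rule.type == BY_ROLES:
        # Membership in any one of the configured groups is enough.
        return visitor.authenticated and bool(rule.roles & visitor.groups)
    raise ValueError(f"unknown access type: {rule.type!r}")


def audit(rules):
    """Return (view, finding) pairs for rules that are likely misconfigured."""
    findings = []
    for rule in rules:
        if rule.type == BY_ROLES and not rule.roles:
            findings.append((rule.view, "By roles with no groups: nobody gets in"))
        if rule.type != BY_ROLES and rule.roles:
            findings.append((rule.view, "groups set but type is not By roles"))
    return findings
```

Running audit over an export of the configured rules before a release catches the empty By roles case, which otherwise only shows up as users receiving 403 responses.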

Test Django roles access

You can check the django_roles_access test execution at the Travis CI integration (Build Status).

You can also check django_roles_access test coverage at Coverage (codecov).

Or:

  1. Create a virtual environment.

  2. Enter and activate the virtual environment.

  3. Clone django_roles_access:

    git clone https://github.com/django-roles-access/master.git

  4. Install tox:

    pip install tox

  5. Run the tests:

    tox

Source Distribution

django_roles_access-0.9.4.tar.gz (56.6 kB)