Django view access security by roles (groups).
Project description
=================== Django Roles Access
Application for securing access to views with roles (Django contrib Groups).
django_roles_access is a Django app for securing access to views. It's
built on top of Django contrib Groups interpreted as role. The objective of
the app are:
-
Provide secure access to views.
-
Be able to administrate access to views without the need to restart the server (at run time).
-
Minimize the need of new code, or eliminate it at all (when using
django_roles_accessmiddleware). Also free developers from the task of coding about view access. -
django_roles_accessalso provides a security report by registeringcheckviewaccessaction.
Works with:
-
Django 1.10+ (Python 2.7, Python 3.5+)
-
Django 2 (Python 3.5+)
============ Requirements
Django roles access use Django contrib Groups, Django contrib User. Also
Django
admin interface is necessary to create and administrate views access
(django_roles_access.models.ViewAccess).
So Django roles access is dependent of Django admin site and because of
this it has the same requirements than it. This can be checked in the
official documentation: https://docs.djangoproject.com/en/dev/ref/contrib/admin/
.. _QuickStart:
=========== Quick start
Installation and configuration
- Install
django_roles_accessfrom pypi:
.. code_block:: python
pip install django-roles-access
- Add 'django_roles_access' to your INSTALLED_APPS setting:
::
INSTALLED_APPS = [ ... 'django_roles_access', ]
-
Run migrations to create the
django_roles_accessmodels: ::python manage.py migrate
.. note::
If nothing else is done, then Django site security keeps without modification.
Access configuration
Quick access configuration in two steps.
Step 1
In Django admin interface create a django_roles_access.models.ViewAccess
object and configure it:
-
view attribute: type the name of the view you want to secure.
-
type attribute: select the access type for the view:
-
Public: Any visitor can access the view.
-
Authorized: Only authorized (logged) Django contrib User can access the view.
-
By roles: Only Django contrib User belonging to any added Django contrib user will access the view.
-
-
roles attribute: When By roles is selected as access type, this attribute hold any Django contrib Group whose members will access the view.
Step 2
Use django_roles_access.decorators.access_by_role decorator or
django_roles_access.mixin.RolesMixin mixin in the view to be secured.
For example:
In case the view is a function: .. code-block:: python
from django_roles_access.decorators import access_by_role
@access_by_role()
myview(request):
...
In case of classes based views use mixin: .. code-block:: python
from django_roles_access.mixin import RolesMixin
class MyView(RolesMixin, View):
...
.. note::
When user has no access to a view, by default django_roles_access
response with django.http.HttpResponseForbidden.
.. note::
Pre existent security behavior can be modified if a django_role_access
configuration for the same view results in forbidden access.
======================== Test Django roles access
-
Create a virtual environment.
-
Get into and activate virtual environment.
-
Clone Django roles access: .. code-block:: python
-
Install tox: .. code-block:: python
pip install tox
-
Run the tests: .. code-block:: python
tox
============= Related sites
-
Documentation: https://django-roles-access.github.io
-
Package at pypi.org: https://pypi.org/project/django-roles-access/
-
Travis CI integration: https://travis-ci.org/django-roles-access/master
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Hashes for django_roles_access-0.8.4.tar.gz
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 665364c28f5760ea4dac08c80ef3cc2218b4ec1189ba9f745f7769a55eaf61ea |
|
| MD5 | e0aff927eb1537cd63473ed23d68425e |
|
| BLAKE2b-256 | 905ac3b8aed354b54d28d381aaaccc25868ba26c3aa4fb0470e032efc68b36db |
