Per object permissions for Django

Last update: Jan 01, 2023

Related tags

Authentication django-guardian

Overview

django-guardian

django-guardian is an implementation of per object permissions [1] on top of Django's authorization backend

Documentation

Online documentation is available at https://django-guardian.readthedocs.io/.

Requirements

Python 3.5+
A supported version of Django (currently 2.2+)

Travis CI tests on Django version 2.2, 3.0, 3.1, and master.

Installation

To install django-guardian simply run:

pip install django-guardian

Configuration

We need to hook django-guardian into our project.

Put guardian into your INSTALLED_APPS at settings module:

INSTALLED_APPS = (
 ...
 'guardian',
)

Add extra authorization backend to your settings.py:

AUTHENTICATION_BACKENDS = (
    'django.contrib.auth.backends.ModelBackend', # default
    'guardian.backends.ObjectPermissionBackend',
)

Create guardian database tables by running:
```
python manage.py migrate
```

Usage

After installation and project hooks we can finally use object permissions with Django.

Lets start really quickly:

>>> from django.contrib.auth.models import User, Group
>>> jack = User.objects.create_user('jack', '[email protected]', 'topsecretagentjack')
>>> admins = Group.objects.create(name='admins')
>>> jack.has_perm('change_group', admins)
False
>>> from guardian.models import UserObjectPermission
>>> UserObjectPermission.objects.assign_perm('change_group', jack, obj=admins)
<UserObjectPermission: admins | jack | change_group>
>>> jack.has_perm('change_group', admins)
True

Of course our agent jack here would not be able to change_group globally:

>>> jack.has_perm('change_group')
False

Admin integration

Replace admin.ModelAdmin with GuardedModelAdmin for those models which should have object permissions support within admin panel.

For example:

from django.contrib import admin
from myapp.models import Author
from guardian.admin import GuardedModelAdmin

# Old way:
#class AuthorAdmin(admin.ModelAdmin):
#    pass

# With object permissions support
class AuthorAdmin(GuardedModelAdmin):
    pass

admin.site.register(Author, AuthorAdmin)

[1]	Great paper about this feature is available at djangoadvent articles.

Per object permissions for Django

Related tags

Overview

django-guardian

Documentation

Requirements

Installation

Configuration

Usage

Admin integration

Owner

Django Admin Two-Factor Authentication, allows you to login django admin with google authenticator.

An extension of django rest framework, providing a configurable password reset strategy

Toolkit for Pyramid, a Pylons Project, to add Authentication and Authorization using Velruse (OAuth) and/or a local database, CSRF, ReCaptcha, Sessions, Flash messages and I18N

Authentication with fastapi and jwt cd realistic

Simple extension that provides Basic, Digest and Token HTTP authentication for Flask routes

Flask JWT Router is a Python library that adds authorised routes to a Flask app.

Ready to use and customizable Authentications and Authorisation management for FastAPI ⚡

Auth for use with FastAPI

This is a Token tool that gives you many options to harm the account.

User-related REST API based on the awesome Django REST Framework

Python One-Time Password Library

Mock authentication API that acceccpts email and password and returns authentication result.

Strong, Simple, and Precise security for Flask APIs (using jwt)

Authware API wrapper for Python 3.5+

An enhanced permission system which support object permission in Django

JWT Key Confusion PoC (CVE-2015-9235) Written for the Hack the Box challenge - Under Construction

Flask Implementation of a login page and some basic functionality.

Abusing Microsoft 365 OAuth Authorization Flow for Phishing Attack

This program automatically logs you into a Zoom session at your alloted time

Minimal authorization through OO design and pure Ruby classes