Per object permissions for Django

Last update: Jan 01, 2023

Related tags

Authentication django-guardian

Overview

django-guardian

django-guardian is an implementation of per object permissions [1] on top of Django's authorization backend

Documentation

Online documentation is available at https://django-guardian.readthedocs.io/.

Requirements

Python 3.5+
A supported version of Django (currently 2.2+)

Travis CI tests on Django version 2.2, 3.0, 3.1, and master.

Installation

To install django-guardian simply run:

pip install django-guardian

Configuration

We need to hook django-guardian into our project.

Put guardian into your INSTALLED_APPS at settings module:

INSTALLED_APPS = (
 ...
 'guardian',
)

Add extra authorization backend to your settings.py:

AUTHENTICATION_BACKENDS = (
    'django.contrib.auth.backends.ModelBackend', # default
    'guardian.backends.ObjectPermissionBackend',
)

Create guardian database tables by running:
```
python manage.py migrate
```

Usage

After installation and project hooks we can finally use object permissions with Django.

Lets start really quickly:

>>> from django.contrib.auth.models import User, Group
>>> jack = User.objects.create_user('jack', '[email protected]', 'topsecretagentjack')
>>> admins = Group.objects.create(name='admins')
>>> jack.has_perm('change_group', admins)
False
>>> from guardian.models import UserObjectPermission
>>> UserObjectPermission.objects.assign_perm('change_group', jack, obj=admins)
<UserObjectPermission: admins | jack | change_group>
>>> jack.has_perm('change_group', admins)
True

Of course our agent jack here would not be able to change_group globally:

>>> jack.has_perm('change_group')
False

Admin integration

Replace admin.ModelAdmin with GuardedModelAdmin for those models which should have object permissions support within admin panel.

For example:

from django.contrib import admin
from myapp.models import Author
from guardian.admin import GuardedModelAdmin

# Old way:
#class AuthorAdmin(admin.ModelAdmin):
#    pass

# With object permissions support
class AuthorAdmin(GuardedModelAdmin):
    pass

admin.site.register(Author, AuthorAdmin)

[1]	Great paper about this feature is available at djangoadvent articles.

Per object permissions for Django

Related tags

Overview

django-guardian

Documentation

Requirements

Installation

Configuration

Usage

Admin integration

Owner

A Python inplementation for OAuth2

Ready to use and customizable Authentications and Authorisation management for FastAPI ⚡

Use this to create (admin) personal access token in gitlab database. Mainly used for automation.

Abusing Microsoft 365 OAuth Authorization Flow for Phishing Attack

Flask App With Login

RSA Cryptography Authentication Proof-of-Concept

A JSON Web Token authentication plugin for the Django REST Framework.

Login qr line & qr image

Authentication for Django Rest Framework

Simple two factor authemtication system, made by me.

Extending the Django authentication system with a phone verification step.

OAuth2 goodies for the Djangonauts!

Integrated set of Django applications addressing authentication, registration, account management as well as 3rd party (social) account authentication.

Storefront - A store App developed using Django, RESTFul API, JWT

Plotly Dash plugin to allow authentication through 3rd party OAuth providers.

This script will pull and analyze syscalls in given application(s) allowing for easier security research purposes

An enhanced permission system which support object permission in Django

Python One-Time Password Library

Simplifying third-party authentication for web applications.

Basic auth for Django.