84 lines
2.6 KiB
Plaintext
84 lines
2.6 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
----
|
|
# limiting access via "has_perm" and adding permission with "user_permissions.add"
|
|
|
|
from django.contrib.auth.models import Permission, User, Group
|
|
from django.contrib.contenttypes.models import ContentType
|
|
from django.shortcuts import get_object_or_404
|
|
from django.core.exceptions import PermissionDenied
|
|
|
|
|
|
def test_permissions(request, user_id): # Sensitive. This method checks permissions/authentication or changes permissions
|
|
user = get_object_or_404(User, pk=user_id)
|
|
# Or
|
|
user = request.user
|
|
|
|
user.has_perm('thisis.a_perm') # Check permission
|
|
user.has_perms(['thisis.a_perm']) # Check permission
|
|
|
|
request.user.is_authenticated # Check permission
|
|
|
|
content_type = ContentType.objects.get_for_model(User)
|
|
|
|
permission = Permission.objects.get(
|
|
codename='change_something',
|
|
content_type=content_type,
|
|
)
|
|
user.user_permissions.add(permission) # Changes permissions
|
|
user.user_permissions.set([permission]) # Changes permissions
|
|
user.user_permissions.remove(permission) # Changes permissions
|
|
user.user_permissions.clear() # Changes permissions
|
|
|
|
group, created = Group.objects.get_or_create(name='mygroup')
|
|
group = Group.objects.get(name='mygroup') # Or
|
|
|
|
group.permissions.add(permission) # Changes permissions
|
|
group.permissions.set([permission]) # Changes permissions
|
|
group.permissions.remove(permission) # Changes permissions
|
|
group.permissions.clear() # Changes permissions
|
|
|
|
user.groups.set([group]) # Changes permissions
|
|
user.groups.add(group) # Changes permissions
|
|
user.groups.remove(group) # Changes permissions
|
|
user.groups.clear() # Changes permissions
|
|
|
|
raise PermissionDenied # Denies permission
|
|
|
|
|
|
# limiting access to the models with Model->Meta->permissions
|
|
|
|
from django.db import models
|
|
|
|
class Person(models.Model):
|
|
class Meta:
|
|
permissions = (('can_sleep_in_bed', 'Can sleep in bed'),) # Sensitive.
|
|
|
|
|
|
# Limiting access with the decorators
|
|
|
|
from django.contrib.auth.decorators import permission_required, login_required
|
|
|
|
@login_required # Checks authentication
|
|
@permission_required('app.can_sleep') # Checks permission
|
|
def index(request): # Sensitive.
|
|
pass
|
|
|
|
|
|
# Limiting access with "PermissionRequiredMixin"
|
|
|
|
from django.contrib.auth.mixins import PermissionRequiredMixin
|
|
from django.views.generic import View
|
|
|
|
class MyView(PermissionRequiredMixin, View):
|
|
permission_required = ('app.can_sleep', 'app.can_drive') # Sensitive.
|
|
----
|
|
|
|
include::../see.adoc[]
|