Open jayvdb opened 3 years ago
Permissions auditor does not support the admin site currently (in fact, the admin url namespace is blacklisted by default).
I don't see much reason to audit the admin site, since all of the pages are generated by Django and are very predictable in how they work. Custom admin pages are the exception, but finding a universal way to detect these pages is probably more effort than it's worth.
I disable that default admin namespace blacklisting because I am very concerned about custom admin modules which could inadvertently expose internals unprotected by login.
Tests seem like the optimal solution in your case -- while this app is quite good at detecting what permissions are specified in code, it doesn't actually invoke the view to prove that it is bug-free and always uses those permissions. (Perhaps 'auditor' in the app name is a bit of a misnomer currently).
An interesting idea would be to leverage the auditor's detection mechanism for use in testing utilities that do just that. I am often annoyed by having to change permissions in two places (once on the view, once in my tests) when modifying code, and having the test auto-detect the permission would be quite convenient.
All of the views grouped under "django.contrib.admin.sites" are listed as "requires login" = false.