AACEngineering / django-permissions-auditor

Tool to audit access control on your django app.
https://django-permissions-auditor.readthedocs.io/en/latest/
MIT License

django.views.generic.base and RedirectView #8

Closed jayvdb closed 3 years ago

jayvdb commented 3 years ago

I have a set of views grouped under "django.views.generic.base" that are all RedirectView.

They are from a wide variety of installable apps, so grouping them under "django.views.generic.base" is a bit confusing.

Many are paths ending in / like /admin/socialaccount/socialapp/<path:object_id>/. These are a special case, redirecting to the same path without the trailing /. Many of them are under /admin/.. but they have "login required" = false.

It would be nice to hide these by default, behind a setting like "IGNORE_ADMIN_SLASH_REDIRECTS".

In addition I have the following, again all "login required" = false, yet all except /oscar/ need auth, possibly only needing auth on the redirect target rather than the path being redirected.

RedirectView | /oscar/
RedirectView | /oscar/accounts/notifications/
RedirectView | /admin/rosetta/
RedirectView | /admin/rosetta/files/
RedirectView | /admin/data-browser/.*/<path>

kluchrj commented 3 years ago

In my projects, I blacklist these like so:

```python
# settings.py: entries matched here are dropped from the audit report.
PERMISSIONS_AUDITOR_BLACKLIST = {
    'namespaces': [
        ...
    ],
    'view_names': [
        # hides every RedirectView, including the /admin/ trailing-slash ones
        'django.views.generic.base.RedirectView',
    ],
    'modules': [
        ...
    ],
}
```

I'll consider adding this setting to the defaults. Thanks for the report.
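Blacklisting the view name hides every RedirectView, including the ones the report above says need auth only on their target. The following is an added example, not code from django-permissions-auditor: it hides only the /admin/ trailing-slash self-redirects (under the IGNORE_ADMIN_SLASH_REDIRECTS name proposed in the issue, with semantics chosen here) and otherwise follows each redirect chain to report the final target's login_required. The AuditRow shape and the redirect targets in the sample are assumptions; only the redirect paths come from the issue.

```python
from dataclasses import dataclass
from typing import Optional

IGNORE_ADMIN_SLASH_REDIRECTS = True  # setting name proposed in the issue

@dataclass
class AuditRow:
    """One audit-report line (constructed shape); redirect_to is set only for redirects."""
    path: str
    view_name: str
    login_required: bool
    redirect_to: Optional[str] = None

def is_admin_slash_redirect(row):
    """'/admin/x/' -> '/admin/x' self-redirects, the noise the issue describes."""
    return (row.path.startswith('/admin/') and row.path.endswith('/')
            and row.redirect_to == row.path.rstrip('/'))

def effective_login_required(row, by_path, seen=()):
    """Follow a redirect chain and report the final target's login_required.
    None means the target is not in the audit, or the chain loops."""
    if row.redirect_to is None:
        return row.login_required
    if row.path in seen or row.redirect_to not in by_path:
        return None
    return effective_login_required(by_path[row.redirect_to], by_path, seen + (row.path,))

def audit(rows):
    """Map each path to 'hidden', True/False (effective auth) or 'unknown'."""
    by_path = {r.path: r for r in rows}
    result = {}
    for row in rows:
        if IGNORE_ADMIN_SLASH_REDIRECTS and is_admin_slash_redirect(row):
            result[row.path] = 'hidden'
            continue
        eff = effective_login_required(row, by_path)
        result[row.path] = 'unknown' if eff is None else eff
    return result

# Constructed sample: redirect paths from the issue, targets invented here.
SAMPLE = [
    AuditRow('/admin/socialaccount/socialapp/<path:object_id>/', 'RedirectView', False, '/admin/socialaccount/socialapp/<path:object_id>'),
    AuditRow('/oscar/', 'RedirectView', False, '/oscar/catalogue/'),
    AuditRow('/oscar/catalogue/', 'CatalogueView', False),
    AuditRow('/oscar/accounts/notifications/', 'RedirectView', False, '/oscar/accounts/notifications/inbox/'),
    AuditRow('/oscar/accounts/notifications/inbox/', 'InboxView', True),
    AuditRow('/admin/rosetta/', 'RedirectView', False, '/admin/rosetta/files/'),
    AuditRow('/admin/rosetta/files/', 'RedirectView', False, '/admin/rosetta/files/project/'),
]
```

An 'unknown' result marks a redirect whose final target is outside the audited URL set, which is the case worth a manual look rather than a blanket blacklist.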

jayvdb commented 3 years ago

Adding that to defaults sounds like a good solution.