Adding security features to Django projects

Security is most valuable feature of any software, and each developer should keep in mind security issues during programming. In this article I show how to restrict user's access to view, but not modify objects in Django project. It could be an equivalent of 'Readers' field in Lotus Notes/Domino application.

First of all, let's set up Django.

Check out Django’s main development branch (the ‘trunk’) like so:

svn co http://code.djangoproject.com/svn/django/trunk/ django-trunk

Install it:

cd django-trunk
sudo python setup.py install

Create project, which be called 'secure_site':

django-admin.py startproject secure_site

Test the installation - start our project:

cd secure_site/
chmod +x manage.py
./manage.py runserver 9000

Open browser by URL: http://localhost:9000/ and if 'It worked!' page is shown, then go further.

Create two applications - sample (for testing) and secure (for handling security information):

./manage.py startapp sample
./manage.py startapp secure

Now change settings.py file to use SQLite database:

DATABASE_ENGINE = 'sqlite3'
DATABASE_NAME = 'secure_site.db'

Also activate admin interface via adding 'django.contrib.admin' to the end of INSTALLED_APPS in settings.py and uncomment lines in urls.py:

from django.conf.urls.defaults import *

# Uncomment the next two lines to enable the admin:                             
from django.contrib import admin
admin.autodiscover()

urlpatterns = patterns('',
    # Example:                                                                  
    # (r'^secure_site/', include('secure_site.foo.urls')),                      

    # Uncomment the next line to enable admin documentation:                    
    (r'^admin/doc/', include('django.contrib.admindocs.urls')),

    # Uncomment the next line for to enable the admin:                          
    (r'^admin/(.*)', admin.site.root),
)

Now it is time to create database and superuser account:

./manage.py syncdb

Open browser by URL: http://localhost:9000/admin/ and if 'Login' page is shown, try to login with login/password created during syncdb and if everything is fine then go further.

Now it is time to create sample models. Open sample/models.py with your favourite editor and add two models:

""" Sample models. """
from django.db import models

class Model1(models.Model):
    """ Sample model 1. """
    name = models.CharField(max_length = '100')

    def __unicode__(self):
        """ String representation of this model. """
        return self.name

class Model2(models.Model):
    """ Sample model 2. """
    name = models.CharField(max_length = '100')

    def __unicode__(self):
        """ String representation of this model. """
        return self.name

Also it is required to register these model with admin site. Just create sample/admin.py file and add these lines:

from django.contrib import admin
from secure_site.sample.models import Model1, Model2

admin.site.register(Model1)
admin.site.register(Model2)

After that register models in settings.py (add 'secure_site.sample' to INSTALLED_APPS) and synchronize database.

Run server and open browser by URL: http://localhost:9000/admin/ and if you see links to models 1 and 2 after logging in then go further. Now we have to create model for securing our application. This model will contains application and model names and users' names who do not have access to modify objects. Open secure/models.py and edit it with favourite editor:

""" Models for securing Django project. """
from django.db import models
from django.conf import settings
from django.contrib.auth.models import User
import re

def get_apps_list():
    """ Get list of available applications. """
    app_regex = re.compile('secure_site\.(\w+)')
    apps = [re.search(app_regex, app).group(1)
            for app in settings.INSTALLED_APPS
            if app.startswith('secure_site.')]
    result = []
    for app in apps:
        try:
            __import__('%s.models' % app, fromlist = [app])
            result.append((app, app))
        except ImportError:
            pass
    return result

class SecuredModule(models.Model):
    """ Model for module. """
    app = models.CharField(max_length = '100', choices = get_apps_list())
    model = models.CharField(max_length = '100', choices = [('', '')])
    readers = models.ManyToManyField(User, blank = True)

    def __unicode__(self):
        return '%s.%s' % (self.app.lower(), self.model.lower())

Register model with admin site (secure/admin.py):

from django.contrib import admin
from secure_site.secure.models import SecuredModule

admin.site.register(SecuredModule)

After that register models in settings.py (add 'secure_site.secure' to INSTALLED_APPS) and synchronize database.

Now you can see new application on the admin page - Secure. If you will try to add new module you will see all available application (in our case - secure and sample) and all registered users. But there is an issue here - the list of choices for models is empty. Now we will fix it using AJAX with jQuery. First of all, you have to download jQuery from official site and put it to you application. For this we will create media dir and register it in the project:

mkdir -p media.site/js
cd media.site/js
wget http://jqueryjs.googlecode.com/files/jquery-1.2.6.min.js
ln -s jquery-1.2.6.min.js jquery.js
cd -

Now it is required to set up MEDIA_ROOT (settings.py)

import os
CURRENT_PATH = os.path.dirname(__file__)
MEDIA_ROOT = os.path.join(CURRENT_PATH,  'media.site')

And fix urls.py to view media files (add this line to urlpatterns):

    (r'^media.site/(?P.*)$', 'django.views.static.serve',
        {'document_root': settings.MEDIA_ROOT}),

Now it is time to modify admin's change_form template for SecuredModule model and include jQuery script. For this we create templates dir, register it and modify required template.

mkdir templates

Modify settins.py (CURRENT_PATH was declared earlier during setting up MEDIA_ROOT):

TEMPLATE_DIRS = (
    os.path.join(CURRENT_PATH, 'templates'),
)

Prepare template for change_form:

mkdir -p templates/admin/secure/securedmodule
touch templates/admin/secure/securedmodule/change_form.html

Now let's modify change_form.html:

{% extends "admin/change_form.html" %}
{% block extrahead %}
{{ block.super }}
<script type="text/javascript" src="/media.site/jquery.js"></script>
<script type="text/javascript">
  $(document).ready(function() {
      var app = $('select#id_app');
          var reload_func = function() {
                  $.getJSON('/get_models/', {app : app.val()}, function(j) {
                  var options = '';
                  var model = '';
                      $.each(j, function(i, item) {
                           if (item.model) {
                               model = item.model;
                           }
                           if (item.value) {
                               options += '';
                           }
                      });
                      $('select#id_model').html(options);
                  });
          };
          reload_func();
          app.change(reload_func);
      });
</script>
{% endblock %}

In code above we call '/get_models/' request handler via AJAX-request and modify id_model options. Let's add get_models view (change secure/views.py):

""" Views for working with secure application. """

import re
from secure_site.secure.models import SecuredModule
from django.http import HttpResponse, Http404
from django.utils import simplejson
import logging
from django.db import models

class JsonResponse(HttpResponse):
    """ Class representing JSON response. """
    def __init__(self, data):
        HttpResponse.__init__(self, content = simplejson.dumps(data),
                              mimetype = 'application/json')

MODULE_ID_REGEX = re.compile('/admin/secure/securedmodule/(\d+)/?$')

def get_app_module(app):
    """ Get application module.
    'app' - application name."""
    try:
        return __import__('%s.models' % app, fromlist = [app])
    except ImportError, error:
        logging.debug(error)
        raise Http404

def get_module_classes(app):
    """ Get module classes.
    'app' - application name."""
    module_values = get_app_module(app).__dict__.values()
    return [val for val in module_values
 if isinstance(val, type) and issubclass(val, models.Model)]

def get_models(request):
    """ Get all available models.
    'request' - request instance."""
    app = request.GET.get('app', '')
    reply = []
    matches = MODULE_ID_REGEX.search(request.META['HTTP_REFERER'])
    if matches: # module is existed
        id = matches.group(1)
        module = SecuredModule.objects.get(id = id)
        reply.append({'model' : module.model})
    if app:
        classes = get_module_classes(app)
        reply.extend([{ 'value': class_obj.__name__}
                      for class_obj in classes]);
        SecuredModule._meta.get_field('model')._choices.extend(
            [(class_obj.__name__, class_obj.__name__)
             for class_obj in classes])
    return JsonResponse(reply)

We defined JsonResponse class for working with AJAX and added get_models view. Register it in urls.py:

from django.conf.urls.defaults import *
from django.contrib import admin
from django.conf import settings
from secure_site.secure.views import get_models

admin.autodiscover()
urlpatterns = patterns('',
    (r'^get_models/?$', get_models),
    (r'^media.site/(?P.*)$', 'django.views.static.serve',
        {'document_root': settings.MEDIA_ROOT}),
    (r'^admin/doc/', include('django.contrib.admindocs.urls')),
    (r'^admin/(.*)', admin.site.root),
)

Now everything is ready to dynamically refresh model's field in form. After starting project with runserver do this:

  • - add new user 'test' with Staff and Superuser status;
  • - add new module for model1 and test user as reader;
  • - add few model1 objects.

And the last part - checking user's access. The one of ways is using middleware. It is not best way (we can't restrict to change model via Django API), but acceptable enough for the demo. Let's create middleware class:

mkdir middleware
touch middleware/secure.py
touch middleware/__init__.py

Add 'secure_site.middleware.secure.CheckAccess' to the end of MIDDLEWARE_CLASSES list in settings.py. And change middleware/secure.py:

import re
from django.core.exceptions import ObjectDoesNotExist
from django.http import HttpResponseForbidden
from secure_site.secure.models import SecuredModule

APP_MODEL_REGEX = re.compile('^/admin/(\w+)/(\w+)/\d+/?$')

def find_module(app, model):
    """ Find module object using application and model names.
    'app' - application name.
    'model' - model name."""
    module_name = '%s.%s' % (app, model)
    for module in SecuredModule.objects.all():
        if module_name in module.__unicode__():
            return module
    return None

class CheckAccess(object):
      """Middleware that gets various objects from the
      request object and saves them in thread local storage."""
      def process_request(self, request):
          matches = APP_MODEL_REGEX.search(request.META['PATH_INFO'])
   if matches:
              app = matches.group(1)
       model = matches.group(2)
              module = find_module(app, model)
              if module:
                  try:
                      module.readers.get(username = unicode(getattr(request, 'user', None)))
                      return HttpResponseForbidden('
Permission denied!
')
                  except ObjectDoesNotExist:
                      pass
That's all! Now let's test it: login with test user and try to open any of model1 objects created earlier. If you got 'Permission denied!' message, then everything is fine - security features are working!

DOWNLOAD - secure_site.tar.gz (20.58KB)

Comments

Post a Comment

Popular posts from this blog

Web application framework comparison by memory consumption

Memory consumption is slightly specific to my area of software development now, but I did some research recently and maybe these results can be useful for others. Of course, I know that precious comparison is very difficult to carry out, but actually I needed only overall picture. And let me admit that results are pretty interesting and even frustrated (at least for me). As a basis I took so-starving project, and measured initial RSS (Resident Set Size) of the each process (local development webservers). Platform: x86_64 Linux (latest Ubuntu with all updates). As a reference, here is the RSS of the interpreters in interactive console mode: Interpreter Version RSS (kB) stackless python 2.6.4 3916 ruby (via irb) 1.8.7 4664 python 2.7.1 5624 php 5.3.5 6924 v8 (via node.js shell) 2.5.9.9 8796 One more reference - the most simplest WSGI app ( example  in the Python documentation). It's RSS: 7336 Kb , so I assume it's almost impossible to consume ...
Read more

Trac Ticket Workflow

Trac is the wiki and issue tracking system that is the most used for my software development projects. Let me share few hints about its ticket workflow, especially about the statuses, the roles of the participants, and let me give an example of the workflow config. But if you are interested in other things like Trac plugins, source browser, customizing, etc, let me know. All the information given below regards the workflow described at the end of the article. The original Trac workflow is missed vital features like the support for ticket verifying, or the required ticket statuses range, so I do not use it in my projects. The description of the main statuses: new - the ticket has been created; in-progress - the developer has began to work with the ticket; fixed - the ticket is fixed (the problem issued in the ticket is solved); verified - the ticket is verified (tester or PM has verified that the ticket is fixed correctly); closed - the ticket is closed (it's not...
Read more

Python vs JS vs PHP for embedded systems

UPDATE (07/18/17): The original article was written in 2011 and pretty much outdated, I've updated the numbers and conclusions. I've got a question about which programming language is preferable for the website development for embedded systems (with limited resources). Here is my small investigation in a table form. Please note that the question was about only these 3 programming languages - there are better candidates for the embedded systems now (for example, Rust). The Memory and Performance overhead numbers are based on the n-body benchmark and calculated as relatives to "C gcc #4" measurements. Python 3 Node.js PHP Memory Overhead x7.62 x29.04 x8.53 Type System Strong Typing Weak Typing Weak Typing Vulnerabilities 220 1411 5626 Performance Overhead x78.31 x2.82 x30.12 Documentation Excellent Excellent Average C Bindings Excellent Average Poor Code Readability With PEP8 it can be almost perfect ESLint enforces very good style PEAR Coding Stan...
Read more