 

How to configure database permissions for a Django app?


I'm looking for links, or an answer here, on how to properly configure the database permissions to secure a Django app. To be clear, I'm looking specifically for material dealing with grants on the database, not permissions within the Django framework itself.

emru asked Feb 24 '10 00:02




2 Answers

From the django docs:

https://docs.djangoproject.com/en/dev/topics/install/

If you plan to use Django’s manage.py syncdb command to automatically create database tables for your models (after first installing Django and creating a project), you’ll need to ensure that Django has permission to create and alter tables in the database you’re using; if you plan to manually create the tables, you can simply grant Django SELECT, INSERT, UPDATE and DELETE permissions. On some databases, Django will need ALTER TABLE privileges during syncdb but won’t issue ALTER TABLE statements on a table once syncdb has created it. After creating a database user with these permissions, you’ll specify the details in your project’s settings file, see DATABASES for details.

Rob answered Sep 23 '22 16:09


I've just tested the initial setup with MySQL. For python manage.py migrate you need at least the following grants for simple operation (if you use db-preparation):

  1. CREATE, ALTER, INDEX
  2. SELECT, UPDATE, INSERT, DELETE

And, by the way - security matters. You can reduce attack impact by limiting your system exposure. In this case you can restrict 'DROP', which is a fairly huge plus. If you leave some tricky hole with the ability to SQL-inject, you probably reduce the damage. I will research in the future whether it will do any harm to remove the DELETE keyword - that would limit potential threats as well. Just because we all leave bugs from time to time :)

Dagaz answered Sep 19 '22 16:09
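The split both answers point at (schema-changing grants for migrate/syncdb, DML-only grants for the running app) written out as MySQL GRANT statements. This is an added example, not code from either answer or from the Django project; the database name, account names, the 10.0.0.% host pattern and the passwords are placeholders. The one privilege not in Dagaz's list is REFERENCES, which MySQL 5.6.22 and later require before a migration can create a foreign key constraint.

```sql
-- Added example: two MySQL accounts for one Django project.
-- Names, host pattern and passwords are placeholders; adjust to your deployment.

CREATE DATABASE IF NOT EXISTS django_app CHARACTER SET utf8mb4;

-- 1. Migration account: used only when running `manage.py migrate` (or the
--    old `syncdb`). Gets Dagaz's schema grants (CREATE, ALTER, INDEX) plus
--    REFERENCES (needed on MySQL >= 5.6.22 to create foreign keys) and DROP,
--    because migrations that remove a table or column need it. This account
--    must never appear in the web application's settings.
CREATE USER 'django_migrate'@'10.0.0.%' IDENTIFIED BY 'CHANGE-ME-migrate';
GRANT CREATE, ALTER, INDEX, REFERENCES, DROP,
      SELECT, INSERT, UPDATE, DELETE
  ON django_app.* TO 'django_migrate'@'10.0.0.%';

-- 2. Runtime account: what the web process connects as. DML only, matching
--    the docs' "manually created tables" case. With no CREATE/ALTER/DROP,
--    a SQL injection reaching this connection can read or change rows but
--    cannot alter or drop the schema.
CREATE USER 'django_app'@'10.0.0.%' IDENTIFIED BY 'CHANGE-ME-app';
GRANT SELECT, INSERT, UPDATE, DELETE
  ON django_app.* TO 'django_app'@'10.0.0.%';

-- 3. Checks. The runtime account's grant list should contain nothing beyond
--    SELECT, INSERT, UPDATE, DELETE on django_app.*; the migration account
--    should additionally show the schema privileges above and nothing global.
SHOW GRANTS FOR 'django_app'@'10.0.0.%';
SHOW GRANTS FOR 'django_migrate'@'10.0.0.%';

-- 4. Negative test, run while connected as django_app: both statements
--    must be refused with an access-denied error.
-- DROP TABLE django_app.auth_user;
-- ALTER TABLE django_app.auth_user ADD COLUMN backdoor INT;
```

Put the django_app account in the project's DATABASES setting and point manage.py migrate at the django_migrate account only for the deploy step (for example by overriding the credentials through environment variables the settings file reads; that mechanism is an assumption, not something the answers describe). Dagaz's open question about also removing DELETE applies to the runtime account: drop it from the second GRANT and confirm the application's own delete paths still work before relying on it.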