How to configure database permissions for a Django app?

Question

I'm looking for links, or an answer here, on to how to properly configure the database permissions to secure a Django app? To be clear, I'm looking specifically for material dealing with grants on the database, not permissions within the Django framework itself.

Answer 1

From the django docs:

https://docs.djangoproject.com/en/dev/topics/install/

If you plan to use Django’s manage.py syncdb command to automatically create database tables for your models (after first installing Django and creating a project), you’ll need to ensure that Django has permission to create and alter tables in the database you’re using; if you plan to manually create the tables, you can simply grant Django SELECT, INSERT, UPDATE and DELETE permissions. On some databases, Django will need ALTER TABLE privileges during syncdb but won’t issue ALTER TABLE statements on a table once syncdb has created it. After creating a database user with these permissions, you’ll specify the details in your project’s settings file, see DATABASES for details.

Answer 2

I've just tested initial setup with MySQL. For python manage.py migrate at least you need following grants for simple operation (if yo use db-preparation):

1. CREATE, ALTER, INDEX
2. SELECT, UPDATE, INSERT, DELETE

And, by the way - security matters. You can reduce attack impact by limiting your system exposure. In this case - you can restrict 'DROP' - which is fairly huge plus. If you leave some tricky hole with ability to SQL-inject - you probably reduce the damage. I will research in the future if it will not do any harm to remove DELETE keyword - that would limit potential threats as well. Just because we all leave bugs from time to time :)