2016-04-06 10:58:22 +08:00
|
|
|
from itertools import chain
|
2016-09-06 18:24:12 +08:00
|
|
|
from types import MethodType
|
2016-04-06 10:58:22 +08:00
|
|
|
|
2014-01-20 10:45:21 +08:00
|
|
|
from django.apps import apps
|
2014-01-26 19:57:08 +08:00
|
|
|
from django.conf import settings
|
2014-01-20 10:45:21 +08:00
|
|
|
from django.core import checks
|
|
|
|
|
2016-04-06 10:58:22 +08:00
|
|
|
from .management import _get_builtin_permissions
|
|
|
|
|
2014-01-20 10:45:21 +08:00
|
|
|
|
2015-11-17 13:39:28 +08:00
|
|
|
def check_user_model(app_configs=None, **kwargs):
|
|
|
|
if app_configs is None:
|
|
|
|
cls = apps.get_model(settings.AUTH_USER_MODEL)
|
|
|
|
else:
|
|
|
|
app_label, model_name = settings.AUTH_USER_MODEL.split('.')
|
|
|
|
for app_config in app_configs:
|
|
|
|
if app_config.label == app_label:
|
|
|
|
cls = app_config.get_model(model_name)
|
|
|
|
break
|
|
|
|
else:
|
|
|
|
# Checks might be run against a set of app configs that don't
|
|
|
|
# include the specified user model. In this case we simply don't
|
|
|
|
# perform the checks defined below.
|
|
|
|
return []
|
2014-01-20 10:45:21 +08:00
|
|
|
|
2015-11-17 13:39:28 +08:00
|
|
|
errors = []
|
2014-01-20 10:45:21 +08:00
|
|
|
|
|
|
|
# Check that REQUIRED_FIELDS is a list
|
|
|
|
if not isinstance(cls.REQUIRED_FIELDS, (list, tuple)):
|
|
|
|
errors.append(
|
|
|
|
checks.Error(
|
2014-03-03 13:39:58 +08:00
|
|
|
"'REQUIRED_FIELDS' must be a list or tuple.",
|
2014-01-20 10:45:21 +08:00
|
|
|
obj=cls,
|
|
|
|
id='auth.E001',
|
|
|
|
)
|
|
|
|
)
|
|
|
|
|
|
|
|
# Check that the USERNAME FIELD isn't included in REQUIRED_FIELDS.
|
|
|
|
if cls.USERNAME_FIELD in cls.REQUIRED_FIELDS:
|
|
|
|
errors.append(
|
|
|
|
checks.Error(
|
2016-02-13 00:36:46 +08:00
|
|
|
"The field named as the 'USERNAME_FIELD' "
|
|
|
|
"for a custom user model must not be included in 'REQUIRED_FIELDS'.",
|
2020-02-21 02:16:59 +08:00
|
|
|
hint=(
|
|
|
|
"The 'USERNAME_FIELD' is currently set to '%s', you "
|
|
|
|
"should remove '%s' from the 'REQUIRED_FIELDS'."
|
|
|
|
% (cls.USERNAME_FIELD, cls.USERNAME_FIELD)
|
|
|
|
),
|
2014-01-20 10:45:21 +08:00
|
|
|
obj=cls,
|
|
|
|
id='auth.E002',
|
|
|
|
)
|
|
|
|
)
|
|
|
|
|
|
|
|
# Check that the username field is unique
|
|
|
|
if not cls._meta.get_field(cls.USERNAME_FIELD).unique:
|
|
|
|
if (settings.AUTHENTICATION_BACKENDS ==
|
2015-01-22 00:55:57 +08:00
|
|
|
['django.contrib.auth.backends.ModelBackend']):
|
2014-01-20 10:45:21 +08:00
|
|
|
errors.append(
|
|
|
|
checks.Error(
|
2014-03-03 13:39:58 +08:00
|
|
|
"'%s.%s' must be unique because it is named as the 'USERNAME_FIELD'." % (
|
2014-01-20 10:45:21 +08:00
|
|
|
cls._meta.object_name, cls.USERNAME_FIELD
|
|
|
|
),
|
|
|
|
obj=cls,
|
|
|
|
id='auth.E003',
|
|
|
|
)
|
|
|
|
)
|
|
|
|
else:
|
|
|
|
errors.append(
|
|
|
|
checks.Warning(
|
2014-03-03 13:39:58 +08:00
|
|
|
"'%s.%s' is named as the 'USERNAME_FIELD', but it is not unique." % (
|
2014-01-20 10:45:21 +08:00
|
|
|
cls._meta.object_name, cls.USERNAME_FIELD
|
|
|
|
),
|
2016-02-13 00:36:46 +08:00
|
|
|
hint='Ensure that your authentication backend(s) can handle non-unique usernames.',
|
2014-01-20 10:45:21 +08:00
|
|
|
obj=cls,
|
|
|
|
id='auth.W004',
|
|
|
|
)
|
|
|
|
)
|
|
|
|
|
2016-09-06 18:24:12 +08:00
|
|
|
if isinstance(cls().is_anonymous, MethodType):
|
2016-05-06 00:42:19 +08:00
|
|
|
errors.append(
|
|
|
|
checks.Critical(
|
|
|
|
'%s.is_anonymous must be an attribute or property rather than '
|
|
|
|
'a method. Ignoring this is a security issue as anonymous '
|
|
|
|
'users will be treated as authenticated!' % cls,
|
|
|
|
obj=cls,
|
|
|
|
id='auth.C009',
|
|
|
|
)
|
|
|
|
)
|
2016-09-06 18:24:12 +08:00
|
|
|
if isinstance(cls().is_authenticated, MethodType):
|
2016-05-06 00:42:19 +08:00
|
|
|
errors.append(
|
|
|
|
checks.Critical(
|
|
|
|
'%s.is_authenticated must be an attribute or property rather '
|
|
|
|
'than a method. Ignoring this is a security issue as anonymous '
|
|
|
|
'users will be treated as authenticated!' % cls,
|
|
|
|
obj=cls,
|
|
|
|
id='auth.C010',
|
|
|
|
)
|
|
|
|
)
|
2014-01-20 10:45:21 +08:00
|
|
|
return errors
|
2016-04-06 10:58:22 +08:00
|
|
|
|
|
|
|
|
|
|
|
def check_models_permissions(app_configs=None, **kwargs):
|
|
|
|
if app_configs is None:
|
|
|
|
models = apps.get_models()
|
|
|
|
else:
|
|
|
|
models = chain.from_iterable(app_config.get_models() for app_config in app_configs)
|
|
|
|
|
|
|
|
Permission = apps.get_model('auth', 'Permission')
|
|
|
|
permission_name_max_length = Permission._meta.get_field('name').max_length
|
2020-01-23 10:14:24 +08:00
|
|
|
permission_codename_max_length = Permission._meta.get_field('codename').max_length
|
2016-04-06 10:58:22 +08:00
|
|
|
errors = []
|
|
|
|
|
|
|
|
for model in models:
|
|
|
|
opts = model._meta
|
|
|
|
builtin_permissions = dict(_get_builtin_permissions(opts))
|
|
|
|
# Check builtin permission name length.
|
2016-08-03 03:19:01 +08:00
|
|
|
max_builtin_permission_name_length = (
|
|
|
|
max(len(name) for name in builtin_permissions.values())
|
|
|
|
if builtin_permissions else 0
|
|
|
|
)
|
2016-04-06 10:58:22 +08:00
|
|
|
if max_builtin_permission_name_length > permission_name_max_length:
|
|
|
|
verbose_name_max_length = (
|
|
|
|
permission_name_max_length - (max_builtin_permission_name_length - len(opts.verbose_name_raw))
|
|
|
|
)
|
|
|
|
errors.append(
|
|
|
|
checks.Error(
|
2020-01-29 19:09:20 +08:00
|
|
|
"The verbose_name of model '%s' must be at most %d "
|
|
|
|
"characters for its builtin permission names to be at "
|
|
|
|
"most %d characters." % (
|
|
|
|
opts.label, verbose_name_max_length, permission_name_max_length
|
2016-04-06 10:58:22 +08:00
|
|
|
),
|
|
|
|
obj=model,
|
|
|
|
id='auth.E007',
|
|
|
|
)
|
|
|
|
)
|
2020-01-23 10:14:24 +08:00
|
|
|
# Check builtin permission codename length.
|
|
|
|
max_builtin_permission_codename_length = (
|
|
|
|
max(len(codename) for codename in builtin_permissions.keys())
|
|
|
|
if builtin_permissions else 0
|
|
|
|
)
|
|
|
|
if max_builtin_permission_codename_length > permission_codename_max_length:
|
|
|
|
model_name_max_length = permission_codename_max_length - (
|
|
|
|
max_builtin_permission_codename_length - len(opts.model_name)
|
|
|
|
)
|
|
|
|
errors.append(
|
|
|
|
checks.Error(
|
2020-01-29 19:09:20 +08:00
|
|
|
"The name of model '%s' must be at most %d characters "
|
2020-01-23 10:14:24 +08:00
|
|
|
"for its builtin permission codenames to be at most %d "
|
|
|
|
"characters." % (
|
2020-01-29 19:09:20 +08:00
|
|
|
opts.label,
|
2020-01-23 10:14:24 +08:00
|
|
|
model_name_max_length,
|
|
|
|
permission_codename_max_length,
|
|
|
|
),
|
|
|
|
obj=model,
|
|
|
|
id='auth.E011',
|
|
|
|
)
|
|
|
|
)
|
2016-04-06 10:58:22 +08:00
|
|
|
codenames = set()
|
|
|
|
for codename, name in opts.permissions:
|
|
|
|
# Check custom permission name length.
|
|
|
|
if len(name) > permission_name_max_length:
|
|
|
|
errors.append(
|
|
|
|
checks.Error(
|
2020-01-29 19:09:20 +08:00
|
|
|
"The permission named '%s' of model '%s' is longer "
|
|
|
|
"than %d characters." % (
|
|
|
|
name, opts.label, permission_name_max_length,
|
2016-04-06 10:58:22 +08:00
|
|
|
),
|
|
|
|
obj=model,
|
|
|
|
id='auth.E008',
|
|
|
|
)
|
2020-01-23 10:14:24 +08:00
|
|
|
)
|
|
|
|
# Check custom permission codename length.
|
|
|
|
if len(codename) > permission_codename_max_length:
|
|
|
|
errors.append(
|
|
|
|
checks.Error(
|
2020-01-29 19:09:20 +08:00
|
|
|
"The permission codenamed '%s' of model '%s' is "
|
2020-01-23 10:14:24 +08:00
|
|
|
"longer than %d characters." % (
|
|
|
|
codename,
|
2020-01-29 19:09:20 +08:00
|
|
|
opts.label,
|
2020-01-23 10:14:24 +08:00
|
|
|
permission_codename_max_length,
|
|
|
|
),
|
|
|
|
obj=model,
|
|
|
|
id='auth.E012',
|
|
|
|
)
|
2016-04-06 10:58:22 +08:00
|
|
|
)
|
|
|
|
# Check custom permissions codename clashing.
|
|
|
|
if codename in builtin_permissions:
|
|
|
|
errors.append(
|
|
|
|
checks.Error(
|
|
|
|
"The permission codenamed '%s' clashes with a builtin permission "
|
2020-01-29 19:09:20 +08:00
|
|
|
"for model '%s'." % (codename, opts.label),
|
2016-04-06 10:58:22 +08:00
|
|
|
obj=model,
|
|
|
|
id='auth.E005',
|
|
|
|
)
|
|
|
|
)
|
|
|
|
elif codename in codenames:
|
|
|
|
errors.append(
|
|
|
|
checks.Error(
|
2020-01-29 19:09:20 +08:00
|
|
|
"The permission codenamed '%s' is duplicated for "
|
|
|
|
"model '%s'." % (codename, opts.label),
|
2016-04-06 10:58:22 +08:00
|
|
|
obj=model,
|
|
|
|
id='auth.E006',
|
|
|
|
)
|
|
|
|
)
|
|
|
|
codenames.add(codename)
|
|
|
|
|
|
|
|
return errors
|