12

I am working on a somewhat e-commerce Django project, where, briefly, I have both a Customer and a Merchant model. The Merchant model is associated with a MerchantStore model which is somewhat "complicated", having a plethora of m2m and foreign key relationships to various models.

Following the solution in this post and not having enough "time" to make a custom implementation, I decided to let each Merchant be a "staff member" and customize his store through the admin interface. Of course I created a new group with the appropriate permissions.

However, some questions arise:

1) Is this considered harmful? Are there any security threats associated?

2) Isn't this the best way to do it if you don't have enough time anyway?

hymloth

2 Answers

10

No, I would not consider this harmful.

The "Zen of Admin" as described in Apress's djangobook seemed to imply an assumption of trust as part of the admin's "philosophy", and paired with the often-repeated "admin is not your app" advice, I too was scared at first and think the Django documentation could point out intended, viable use cases.

Please see my almost identical question Django AdminSite/ModelAdmin for end users?

From Jordan's answer (to whom I gave the bounty):

There is nothing inherently special about admin. It behaves just like any other view. So if it is using permissions to determine access (for example, if you set a user's .is_staff to True but give them access only to specific permissions) then it will be equally secure to any view you might create that uses permissions to determine access.

...

The people who wrote django.contrib.admin did not write it with the assumption that anyone with an is_staff = True could be trusted as much as a superuser, or was stupid enough to never take a look at the source code of a web page. Although writing your own views is encouraged, it is still a robust interface.

Also note Django's relatively recent security update http://www.djangoproject.com/weblog/2010/dec/22/security/ regarding querystring parameters in object lists.

Such an update (quote: "an attacker with access to the admin [...]") is a clear indication that the admin's implementation of the permission system is being constantly scrutinized.

Danny W. Adair
6

Yes, this is considered "harmful", mostly due to the design considerations of the Django developers. The admin revolves around a concept of "trusted users". In other words, if someone is a staff member (thereby having access to the admin), they presumably have enough of your trust to not be worried about security breaches. Now in truth, you could block them from portions they're not supposed to mess with (as you've done), but the point is that Django makes no guarantees in this area. You probably won't have any problems, in all actuality, but you could.

Ironically, I think I've spent more time in my life customizing the Django admin than it would have taken me to build it from scratch. Funny how that goes. Regardless, I'd liken it to using scaffolding in Ruby on Rails. It's a quick way to get something live, but the goal is to replace it as soon as possible.

Chris Pratt
  • So, in other words, could a super and malicious, say, hacker mess around and do serious damage to the whole system? Is this possible technically, and how easy is it to accomplish? Isn't the privilege system concrete, just like the Linux permission system? – hymloth May 21 '11 at 02:26
  • Well, as far as "hacking" is concerned, there's really no more risk than the admin normally has under optimal conditions. The real concern is something being exposed, either by accident or neglect, to users that should not be seeing it in the first place. The Django admin is designed to be for staffers, people within your organization that you trust and have granted privileges to. Going beyond that scope inherently means you're taking a risk. The standard line is don't allow "normal" users access to the admin. You can choose to ignore that, but you do so at your own risk. – Chris Pratt May 23 '11 at 14:14
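Both answers turn on the same detail: the group the asker created grants model-level permissions, so a merchant with `change_merchantstore` can, as far as `django.contrib.admin` is concerned, edit every MerchantStore row, not just their own. The admin only becomes "as secure as any permission-checked view" once the ModelAdmin also scopes rows to the logged-in merchant. The code below is an added example, not code from the question or either answer; it assumes a `MerchantStore.merchant` foreign key and a `Merchant.user` foreign key to the auth user (both hypothetical names matching the question), uses the `get_queryset`/`has_*_permission` hook names of Django 1.6 and later (`has_view_permission` exists from Django 2.1), and keeps the policy functions free of Django so they can be exercised offline against constructed stand-in objects.

```python
"""Row-level scoping for a Django admin that merchants (is_staff=True) may use.

Added example. Model names (Merchant.user, MerchantStore.merchant) are
assumptions that match the question; they are not the thread's own code.
"""
from dataclasses import dataclass


# ---- policy, kept independent of Django so it can be unit-tested anywhere ----

def scope_to_owner(queryset, user):
    """Restrict `queryset` (anything with a Django-style .filter()) to stores
    whose Merchant is linked to `user`. Superusers keep the unfiltered set."""
    if user.is_superuser:
        return queryset
    return queryset.filter(merchant__user=user)


def owns_store(user, store):
    """Object-level check for the admin permission hooks. `store is None`
    means the changelist, which get_queryset() already scopes."""
    if user.is_superuser or store is None:
        return True
    return store.merchant.user_id == user.pk


# ---- admin wiring, defined only when Django is importable ----

try:
    from django.contrib import admin
except ImportError:  # lets the policy above run/tests without Django installed
    admin = None

if admin is not None:
    class MerchantStoreAdmin(admin.ModelAdmin):
        """Group permissions decide WHETHER a staff user may touch MerchantStore;
        these hooks decide WHICH rows. Without them every merchant sees all."""

        def get_queryset(self, request):
            return scope_to_owner(super().get_queryset(request), request.user)

        def has_view_permission(self, request, obj=None):  # Django 2.1+
            return super().has_view_permission(request, obj) and owns_store(request.user, obj)

        def has_change_permission(self, request, obj=None):
            return super().has_change_permission(request, obj) and owns_store(request.user, obj)

        def has_delete_permission(self, request, obj=None):
            return super().has_delete_permission(request, obj) and owns_store(request.user, obj)

        def formfield_for_foreignkey(self, db_field, request, **kwargs):
            # Otherwise the 'merchant' dropdown (or a hand-crafted POSTed id)
            # could re-point a store at another merchant's account.
            if db_field.name == "merchant" and not request.user.is_superuser:
                kwargs["queryset"] = db_field.remote_field.model.objects.filter(user=request.user)
            return super().formfield_for_foreignkey(db_field, request, **kwargs)

    # admin.site.register(MerchantStore, MerchantStoreAdmin)  # in the project's admin.py


# ---- constructed stand-ins so the policy can be exercised offline ----

@dataclass
class User:
    pk: int
    is_superuser: bool = False


@dataclass
class Merchant:
    user_id: int


@dataclass
class Store:
    name: str
    merchant: Merchant


class Rows:
    """Minimal QuerySet stand-in supporting the one lookup scope_to_owner uses."""
    def __init__(self, stores):
        self.stores = list(stores)

    def filter(self, **lookups):
        user = lookups["merchant__user"]
        return Rows(s for s in self.stores if s.merchant.user_id == user.pk)

    def names(self):
        return sorted(s.name for s in self.stores)


def demo():
    """Two merchants and a superuser over two constructed stores."""
    alice, root = User(pk=1), User(pk=99, is_superuser=True)
    stores = Rows([Store("alice-shop", Merchant(1)), Store("bob-shop", Merchant(2))])
    return {
        "alice_sees": scope_to_owner(stores, alice).names(),
        "root_sees": scope_to_owner(stores, root).names(),
        "alice_can_edit_bob": owns_store(alice, stores.stores[1]),
        "alice_changelist": owns_store(alice, None),
    }
```

The three `has_*_permission` overrides matter even with `get_queryset` in place: the change and delete views look an object up by primary key from the URL, so a merchant who guesses another store's id must be refused there too, and `formfield_for_foreignkey` closes the remaining hole of reassigning a store's owner through the form. With these in place the asker's group-based setup is exactly the "permissions determine access" situation the first answer describes; without them, it is the "something exposed by neglect" case the second answer warns about.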