Ghostwriter
Idea: implement fine-tuned access control
The idea would be to create access controls per project and only give specific operators access to specific projects and their findings, reports, etc.
Not sure how easy this is to implement, but happy to help there where needed.
As an update on this, the upcoming release has some features that lay groundwork for RBAC. Access control options will grow in the near future.
Awesome! Thanks for the great work @chrismaddalena !
@chrismaddalena any plans to work on this? I'm happy to help. If you don't have this in the pipeline, I'll start working on something on my side and probably make a PR 😄
Please do make a PR @fastlorenzo (and thanks for your contributions)! There are definitely plans to work on RBAC and granular access control, but we are not actively working on it yet and don't have an exact timeline for when that'll start.
@chrismaddalena howdy howdy, I would gladly implement a wrapper around functions so that only operators can access a specific project (kinda like RBAC). Is there some guide or document on architectural choices in case of a PR (like the use of wrappers and other stuff...)?
@ionut2497 Thanks for offering! This is actually underway right now!
You can see the progress in the `ui-rbac` feature branch: https://github.com/GhostManager/Ghostwriter/tree/feature/ui-rbac
My goal is to complete the transition by the end of the month, but that may be a little ambitious with everything else I have going on. It's the top priority so Ghostwriter can better meet compliance needs and offer the access controls available in the GraphQL API in the web UI.
This is the authorization model: https://www.ghostwriter.wiki/features/graphql-api/authorization
So far, I have added some helper functions to test access to various things and filter querysets. Django's built-in `UserPassesTestMixin` offers what we need for both views. We can implement the `test_func` and `handle_no_permission` methods to check the user's role and respond. It looks like this:
```python
from django.contrib.auth.mixins import LoginRequiredMixin, UserPassesTestMixin
from django.core.exceptions import PermissionDenied
from django.views import View
from django.views.generic.detail import SingleObjectMixin
from ghostwriter.api.utils import verify_project_access
from ghostwriter.rolodex.models import ProjectObjective  # model import path assumed

class SomeProjectView(LoginRequiredMixin, SingleObjectMixin, UserPassesTestMixin, View):
    model = ProjectObjective

    def test_func(self):  # object-level check, runs before get()/post()
        return verify_project_access(self.request.user, self.get_object())

    def handle_no_permission(self):  # 403 instead of a redirect to login
        raise PermissionDenied

    def post(self, *args, **kwargs):
        pass  # Do Stuff
```
The `ghostwriter.api.utils` module contains these helper functions.
That view tests if the user is authenticated and then checks if they pass the test (if `test_func` returns `True`). If they fail the test, it calls `handle_no_permission` and returns a 403 by raising Django's `PermissionDenied` exception.
It's mostly a lot of copying, pasting, and updating unit tests, which all take more time than the engineering, but some views will require extra care. For example, I need to figure out how best to acknowledge that a domain has usage history when someone viewing that domain's history does not have access to the related client or projects.
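The comment above describes a contract (login check, then an object-level `test_func`, then `handle_no_permission` on failure, and a queryset filter for list views) that is easy to get subtly wrong, for instance by guarding `get()` but not `post()`. The block below is an added, stand-alone model of that contract written for this thread; it is not Django's code and not Ghostwriter's `ghostwriter.api.utils`. It avoids a Django dependency by reimplementing the mixin's dispatch order in plain Python, and the role model it uses (an assumed `admin`/`manager` pair that sees everything, and plain users who only reach projects they are assigned to) is an assumption for illustration, not the project's documented rules. The names `verify_project_access`, `filter_projects`, `ProjectObjectiveView` and the sample users and projects are constructed for the example.

```python
"""Added example: a Django-free model of LoginRequiredMixin + UserPassesTestMixin.

The role model below (admin/manager are privileged, everyone else needs a
project assignment) is an ASSUMPTION for this illustration only.
"""
from dataclasses import dataclass, field

PRIVILEGED_ROLES = {"admin", "manager"}  # assumed roles for the example


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied (rendered as HTTP 403)."""


@dataclass
class User:
    username: str
    role: str = "user"
    is_authenticated: bool = True
    assigned_project_ids: set = field(default_factory=set)


@dataclass
class Project:
    id: int
    name: str


@dataclass
class ProjectObjective:
    id: int
    project: Project  # child objects are authorised through their parent project


def verify_project_access(user, obj):
    """Object-level check. `obj` is a Project or anything with a `.project`,
    so one helper serves objectives, reports, findings and so on."""
    if not user.is_authenticated:
        return False
    if user.role in PRIVILEGED_ROLES:
        return True
    project = obj if isinstance(obj, Project) else obj.project
    return project.id in user.assigned_project_ids


def filter_projects(user, projects):
    """List-view counterpart: hide rows the user may not see instead of failing."""
    return [p for p in projects if verify_project_access(user, p)]


class ProjectObjectiveView:
    """Reproduces the mixin ordering: login check, then test_func, for every method."""

    def __init__(self, objective):
        self.objective = objective

    def get_object(self):
        return self.objective

    def test_func(self, user):
        return verify_project_access(user, self.get_object())

    def handle_no_permission(self):
        raise PermissionDenied

    def dispatch(self, user, method):
        # 1. LoginRequiredMixin: anonymous users never reach the object test
        #    (Django redirects to login; modelled here as a bare 401).
        if not user.is_authenticated:
            return 401
        # 2. UserPassesTestMixin: the object-level test runs before get()/post(),
        #    so a POST cannot mutate data the user may not even read.
        if not self.test_func(user):
            try:
                self.handle_no_permission()
            except PermissionDenied:
                return 403
        return getattr(self, method)(user)

    def get(self, user):
        return 200

    def post(self, user):
        return 200  # "Do Stuff" is only reachable after both checks passed


def demo():
    """Constructed sample data; returns status codes per (user, method)."""
    red = Project(1, "Red Team for ACME")
    blue = Project(2, "Web App for Globex")
    objective = ProjectObjective(10, project=red)
    admin = User("admin", role="admin")
    alice = User("alice", assigned_project_ids={1})
    bob = User("bob", assigned_project_ids={2})
    anon = User("anon", is_authenticated=False)
    view = ProjectObjectiveView(objective)
    return {
        "admin_post": view.dispatch(admin, "post"),
        "alice_post": view.dispatch(alice, "post"),
        "bob_post": view.dispatch(bob, "post"),
        "anon_get": view.dispatch(anon, "get"),
        "bob_projects": [p.name for p in filter_projects(bob, [red, blue])],
    }


if __name__ == "__main__":
    print(demo())
```

Two practitioner notes on the pattern: the check belongs in `test_func` (which the mixin's `dispatch` runs) rather than inside `get()` or `post()`, so every HTTP method is covered by the same rule; and raising `PermissionDenied` answers 403, which confirms to an unauthorised user that the object exists, so views on guessable primary keys sometimes prefer to answer 404 instead. The domain-history case mentioned in the comment is exactly where a plain allow/deny is insufficient and a filtered or partial response is needed.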
FYSA, the `ui-rbac` branch is likely feature complete and will become a v4.0.0-beta release soon. It may stay a pre-release until September because I have a web assessment scheduled for this release near the end of August.
We merged the above-mentioned branch and the feature is released in v4.x, so I'm closing this.