
Hardening: Use django-stronghold

Bengfort requested to merge hardening-stronghold into master

django-stronghold inverts django's login required behavior: Login is required by default and you have to take extra steps to create a public view. In other words: Security by default.

In most cases we do not only require login but also additional permissions. So while stronghold makes everything more secure by default, it does not replace other measures. I would even go so far as to keep the few instances of LoginRequiredMixin we have and use stronghold only as a safety net for programming errors.

There is currently a discussion on the django-development mailing list about including this kind of functionality in django itself. That's where I learned about django-stronghold. There seems to be a rough consensus, so maybe this will turn into core functionality.
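As an added illustration (not code from this merge request or from django-stronghold itself), the following stand-in reproduces the deny-by-default gate in plain Python: an allowlist of public paths plus a `public` marker, as stronghold does, and a view-level permission check to show why the gate is a safety net rather than a replacement for permissions. The allowlist, attribute and view names are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for a stronghold-style allowlist: regexes matched
# against the request path. Everything not listed requires login.
LOGIN_URL = "/accounts/login/"
PUBLIC_URLS = [r"^/accounts/login/$"]


@dataclass
class User:
    is_authenticated: bool = False
    perms: set = field(default_factory=set)


@dataclass
class Request:
    path: str
    user: User = field(default_factory=User)


def public(view):
    """Opt a view out of the login requirement (attribute name is assumed)."""
    view.is_public = True
    return view


def login_required_gate(request, view):
    """Deny by default: pass only authenticated users, allowlisted paths,
    or views explicitly marked public. Returns a redirect string or None."""
    if request.user.is_authenticated:
        return None
    if any(re.match(p, request.path) for p in PUBLIC_URLS):
        return None
    if getattr(view, "is_public", False):
        return None
    return f"302 {LOGIN_URL}?next={request.path}"


@public
def healthz(request):
    return "200 ok"


def report_export(request):
    # Author forgot the login mixin: the gate still catches anonymous access.
    return "200 export"


def staff_only(request):
    # The gate never checks permissions, so the view must still do it.
    if "reports.export" not in request.user.perms:
        return "403 forbidden"
    return "200 staff"


def dispatch(request, view):
    return login_required_gate(request, view) or view(request)
```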
