Django Access Review
Run an investigation-driven Django and DRF authorization review so you can confirm whether one user can reach another user’s objects before you ship.
Overview
django-access-review is an agent skill most often used in Ship (also Build backend, Operate iterate) that investigates Django and DRF code to confirm object-level authorization and IDOR risk through traced data flows.
Install
npx skills add https://github.com/sickn33/antigravity-awesome-skills --skill django-access-reviewWhat is this skill?
- Investigation-first question: can User A access, modify, or delete User B’s data?
- Traces real Django views, DRF viewsets, and ORM query paths to find missing checks
- OWASP Cheat Sheet–aligned reference framing for authorization review
- Explicitly avoids blind vulnerable-pattern scanning in favor of codebase-specific flows
- Trigger-oriented for IDOR, Django permissions, object permissions, and multi-tenant access
- Investigation philosophy: four steps—understand, question, trace, report confirmed findings only
- OWASP Cheat Sheet Series reference material (CC BY-SA 4.0)
Adoption & trust: 1 installs on skills.sh; 40.1k GitHub stars; 2/3 security scanners passed (skills.sh audits); trending (+100% hot-view momentum).
What problem does it solve?
You have Django or DRF endpoints but no confident answer to whether one authenticated user can access or change another user’s records.
Who is it for?
Solo builders shipping multi-tenant SaaS, marketplaces, or user-owned resources on Django/DRF who need a manual IDOR and permissions pass before production.
Skip if: Greenfield apps with no user-specific data yet, or teams that only want dependency CVE scanning without reading view/query code.
When should I use this skill?
Reviewing Django views, DRF viewsets, ORM queries, or Python/Django code for IDOR, access control, authorization, Django permissions, object permissions, or tenant isolation.
What do I get? / Deliverables
You get an evidence-backed authorization review mapped to your real views and queries, with confirmed access-control gaps prioritized for fix before merge or release.
- Confirmed authorization findings with traced code paths
- Answers to whether User A can access or mutate User B’s data for scoped flows
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Authorization failures are a launch blocker; this skill is shelved under Ship because it answers “can we release this API safely?” after views exist. Security subphase is where object-level access, IDOR, and tenant isolation are validated—not guessed from generic pattern lists.
Where it fits
After adding a new DRF viewset for user-owned records, trace queryset filtering before merging the PR.
Pre-release pass on checkout and profile APIs to confirm no cross-user object access.
Post-incident review when a report claims one account could read another’s invoices.
How it compares
Use for traced authorization investigation on your Django codebase, not as a substitute for a generic SAST-only security plugin.
Common Questions / FAQ
Who is django-access-review for?
Indie and solo developers building Django or DRF APIs with per-user or per-tenant data who need a structured IDOR and access-control review before ship.
When should I use django-access-review?
During Ship security review on auth-heavy PRs, while building new DRF viewsets in Build backend, and in Operate iterate after an access incident or permission model change—whenever you must verify User A cannot touch User B’s objects.
Is django-access-review safe to install?
Treat it as community-sourced procedural guidance; review the Security Audits panel on this Prism page and skim SKILL.md before letting an agent run it on proprietary code.
SKILL.md
READMESKILL.md - Django Access Review
--- name: django-access-review description: Django access control and IDOR security review. Use when reviewing Django views, DRF viewsets, ORM queries, or any Python/Django code handling user authorization. Trigger keywords: "IDOR", "access control", "authorization", "Django permissions", "object permissions", "tenant... --- LICENSE --- <!-- Reference material based on OWASP Cheat Sheet Series (CC BY-SA 4.0) https://cheatsheetseries.owasp.org/ --> # Django Access Control & IDOR Review Find access control vulnerabilities by investigating how the codebase answers one question: **Can User A access, modify, or delete User B's data?** ## When to Use - You need to review Django or DRF code for access control gaps, IDOR risk, or object-level authorization failures. - The task involves confirming whether one user can access, modify, or delete another user's data. - You want an investigation-driven authorization review instead of generic pattern matching. ## Philosophy: Investigation Over Pattern Matching Do NOT scan for predefined vulnerable patterns. Instead: 1. **Understand** how authorization works in THIS codebase 2. **Ask questions** about specific data flows 3. **Trace code** to find where (or if) access checks happen 4. **Report** only what you've confirmed through investigation Every codebase implements authorization differently. Your job is to understand this specific implementation, then find gaps. --- ## Phase 1: Understand the Authorization Model Before looking for bugs, answer these questions about the codebase: ### How is authorization enforced? Research the codebase to find: ``` □ Where are permission checks implemented? - Decorators? (@login_required, @permission_required, custom?) - Middleware? (TenantMiddleware, AuthorizationMiddleware?) - Base classes? (BaseAPIView, TenantScopedViewSet?) - Permission classes? (DRF permission_classes?) - Custom mixins? (OwnershipMixin, TenantMixin?) □ How are queries scoped? - Custom managers? (TenantManager, UserScopedManager?) - get_queryset() overrides? - Middleware that sets query context? □ What's the ownership model? - Single user ownership? (document.owner_id) - Organization/tenant ownership? (document.organization_id) - Hierarchical? (org -> team -> user -> resource) - Role-based within context? (org admin vs member) ``` ### Investigation commands ```bash # Find how auth is typically done grep -rn "permission_classes\|@login_required\|@permission_required" --include="*.py" | head -20 # Find base classes that views inherit from grep -rn "class Base.*View\|class.*Mixin.*:" --include="*.py" | head -20 # Find custom managers grep -rn "class.*Manager\|def get_queryset" --include="*.py" | head -20 # Find ownership fields on models grep -rn "owner\|user_id\|organization\|tenant" --include="models.py" | head -30 ``` **Do not proceed until you understand the authorization model.** --- ## Phase 2: Map the Attack Surface Identify endpoints that handle user-specific data: ### What resources exist? ``` □ What models contain user data? □ Which have ownership fields (owner_id, user_id, organization_id)? □ Which are accessed via ID in URLs or request bodies? ``` ### What operations are exposed? For each resource, map: - List endpoints - what data is returned? - Detail/retrieve endpoints - how is the object fetched? - Create endpoints - who sets the owner? - Update endpoints - can users modify others' data? - Delete endpoints - can users delete others' data? - Custom actions - what do they access? --- ## Phase 3: Ask Questions and Investigate For each endpoint that handles user data, ask: ### The Core Question **"If I'm User A and I know the ID of User B's resource, can I access it?"** Trace the code to answer this: ``` 1. Where does the resource ID enter the system? - URL path: /api/documents/{id}/ - Query param: ?document_id