Authentication & Authorization
This page documents the authentication and authorization systems in Arctyk ITSM.
Authentication
Arctyk ITSM uses Django's built-in authentication system for user management.
User Model
Arctyk ITSM uses Django's default User model, which has these fields:
- username - Unique username
- email - Email address
- first_name - First name
- last_name - Last name
- is_active - Account active status
- is_staff - Admin access
- is_superuser - Full permissions
Login Flow
- User navigates to /auth/login/
- Submits username and password
- Django validates credentials
- Session created with session cookie
- User redirected to dashboard
Session Management
# settings.py
SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
SESSION_CACHE_ALIAS = 'default' # Redis
SESSION_COOKIE_AGE = 1209600 # 2 weeks
SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_SECURE = True # Production only
SESSION_COOKIE_SAMESITE = 'Lax'
Password Security
- Hashing - PBKDF2 with SHA256
- Validation - Minimum length, complexity requirements
- Reset - Email-based password reset flow
Authorization
Permissions System
Django's permissions system controls access to resources.
Model Permissions
Django creates four permissions automatically for each model; for Ticket they are:
- add_ticket - Can create tickets
- change_ticket - Can edit tickets
- delete_ticket - Can delete tickets
- view_ticket - Can view tickets
Custom Permissions
from django.db import models

class Ticket(models.Model):
    class Meta:
        permissions = [
            ("close_ticket", "Can close tickets"),
            ("assign_ticket", "Can assign tickets"),
        ]
Permission Checks
In Views
from django.contrib.auth.decorators import permission_required

@permission_required('tickets.change_ticket')
def edit_ticket(request, ticket_id):
    # Only users with change_ticket permission can access
    pass
In Templates
{% if perms.tickets.add_ticket %}
  <a href="{% url 'ticket_create' %}" class="btn btn-primary">
    Create Ticket
  </a>
{% endif %}
Object-Level Permissions
For more granular control:
def can_edit_ticket(user, ticket):
    """Check if user can edit specific ticket."""
    if user.is_superuser:
        return True
    if user == ticket.assignee:
        return True
    if user == ticket.reporter:
        return True
    return False
Role-Based Access Control (RBAC)
Groups
Django groups organize users with common permissions:
- Administrators - Full access
- Agents - Can create and edit tickets
- Managers - Can assign and close tickets
- Viewers - Read-only access
Assigning Permissions to Groups
from django.contrib.auth.models import Group, Permission

# Create group
agents = Group.objects.create(name='Agents')

# Add permissions
perms = Permission.objects.filter(
    codename__in=['add_ticket', 'change_ticket', 'view_ticket']
)
agents.permissions.set(perms)

# Add user to group (user is an existing User instance)
user.groups.add(agents)
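A self-contained example, added here and not part of the Arctyk ITSM code base, that combines the group permissions above with the object-level rule from the Object-Level Permissions section. It uses plain dataclasses in place of the Django models (constructed stand-ins, no ORM needed), and adds the check a practitioner would want: an object-level rule should also require the model-level change_ticket permission, because permission_required never looks at the individual ticket.

```python
from dataclasses import dataclass, field
from typing import Optional

# Plain-Python stand-ins for the Django Group/User/Ticket models used on this
# page (constructed for the example; the real project uses the ORM models).
@dataclass
class Group:
    name: str
    permissions: set  # permission codenames such as "change_ticket"

@dataclass
class User:
    username: str
    groups: list = field(default_factory=list)
    is_superuser: bool = False

    def has_perm(self, codename: str) -> bool:
        """Django's rule: superusers hold every permission; everyone else
        holds the union of the permissions granted to their groups."""
        if self.is_superuser:
            return True
        return any(codename in g.permissions for g in self.groups)

@dataclass
class Ticket:
    reporter: User
    assignee: Optional[User] = None

def can_edit_ticket(user: User, ticket: Ticket) -> bool:
    """Object-level rule combined with the model-level permission:
    the user must hold change_ticket (via a group) AND be the ticket's
    assignee or reporter. Superusers bypass both checks, as in Django."""
    if user.is_superuser:
        return True
    if not user.has_perm("change_ticket"):
        return False  # a Viewer who reported the ticket still cannot edit it
    return user in (ticket.assignee, ticket.reporter)

# Groups as described in the RBAC section (constructed sample data).
AGENTS = Group("Agents", {"add_ticket", "change_ticket", "view_ticket"})
VIEWERS = Group("Viewers", {"view_ticket"})

if __name__ == "__main__":
    alice = User("alice", [AGENTS])
    bob = User("bob", [VIEWERS])
    ticket = Ticket(reporter=bob, assignee=alice)
    print(can_edit_ticket(alice, ticket))  # True: agent and assignee
    print(can_edit_ticket(bob, ticket))    # False: reporter, but no change_ticket
```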
API Authentication
Token Authentication
For API access:
# settings.py
REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': [
        'rest_framework.authentication.TokenAuthentication',
    ],
}
Obtaining Token
# POST /api/auth/token/
{
    "username": "user",
    "password": "password"
}
# Response
{
    "token": "abc123..."
}
Using Token
Security Best Practices
CSRF Protection
All POST forms include CSRF token:
XSS Prevention
Template auto-escaping prevents XSS:
SQL Injection Prevention
Django ORM uses parameterized queries:
# Safe
Ticket.objects.filter(status=user_input)
# Unsafe (never do this)
# Ticket.objects.raw(f"SELECT * FROM ticket WHERE status='{user_input}'")
Password Requirements
AUTH_PASSWORD_VALIDATORS = [
    {
        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
        'OPTIONS': {'min_length': 8}
    },
    {
        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
    },
]