How does this skill detect IDOR vulnerabilities?

It traces the flow of a resource ID from the entry point (URL, query params, or request body) through the ORM query to verify if ownership is validated or if the query is correctly scoped to the current user.

Does it support Django REST Framework (DRF)?

Yes, it specifically investigates DRF patterns such as permission_classes, has_object_permission, and viewset get_queryset overrides to find authorization gaps.

Can it identify multi-tenant isolation issues?

Absolutely. The skill is designed to analyze how organization and tenant IDs are handled to ensure users cannot access data belonging to other organizations by simply changing an ID.

Does this skill provide automated scanning?

No, it uses an 'Investigation Over Pattern Matching' philosophy, performing deep code analysis and logical tracing that traditional automated scanners often miss.

Django Access Control & IDOR Review

Name: Django Access Control & IDOR Review
Author: getsentry

bygetsentry

•

331

•

Security & Testing

Investigates and secures Django applications against Broken Object Level Authorization (BOLA/IDOR) and access control vulnerabilities through deep code tracing.

The django-access-review skill is a specialized security framework designed to audit Django and Django REST Framework (DRF) applications for authorization flaws. Rather than relying on simple pattern matching, this skill guides Claude through a rigorous five-phase investigation to understand a codebase's unique authorization model, map its attack surface, and trace data flows. It helps developers identify where User A might be able to access User B's data by analyzing middleware, decorators, DRF permission classes, and ORM query scoping, ultimately providing actionable code-based fixes to prevent unauthorized data access.

Key Features

01Deep tracing of resource IDs from request input to database query to identify IDOR gaps

02Systematic mapping of attack surfaces for multi-tenant and hierarchical data models

03Analysis of ORM query scoping within get_queryset() and custom model managers

04Generation of enforceable code fixes for confirmed authorization vulnerabilities

05Comprehensive audit of Django authorization models including Middleware, Decorators, and DRF Permissions

06331 GitHub stars

Use Cases

01Refactoring legacy Python code to ensure consistent authorization enforcement across all views

02Performing pre-deployment security audits on Django REST Framework APIs

03Validating tenant isolation and ownership checks in multi-tenant SaaS applications

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add getsentry/skills django-access-review

For use in Claude.ai and ChatGPT

Download Skill