On Tue, 2013-02-19 at 15:46 -0700, Carl Meyer wrote:
> Hi Nick,
> 
> On 02/19/2013 03:32 PM, Nick Phillips wrote:
> > I don't recall looking at the ALLOWED_HOSTS setting before. Now that I
> > do, it seems rather problematic. In particular, that host verification
> > is apparently turned off while DEBUG is True or while testing.
> > 
> > Surely this makes it impossible to test, and makes it likely that
> > misconfigurations will not be picked up until deployed to a production
> > environment.
> >
> > Given that most setups require some customisation of settings for
> > dev/staging/production/whatever environments anyway, why not leave the
> > verification on at all times and allow us to ensure we get the right
> > hosts in the right environments?
> 
> There was extensive back-and-forth discussion of this in writing the
> patch. The issue is that in almost all cases the correct value of the
> setting in local development and under test is different from the
> correct value in production. So how much value is there in knowing the
> tests pass, and/or it works locally? That doesn't really increase the
> chances that you have it configured correctly in production.

It would at least ensure that you were aware of it and had attempted to
set it...

>  In the end,
> our estimation was that requiring it to be configured in local dev and
> testing would introduce quite a lot of hassle (and potentially a major
> roadblock for new users), with very little gain to offset that.

What would the implications of having "localhost" in there be?

> Note that it isn't impossible to test, if you want to; the check is
> "disabled" under test by means of setting ALLOWED_HOSTS to ['*'] for the
> duration of the test run, so if you want tests to exercise validation
> you can just use the override_settings decorator to temporarily change
> it for a test method or test case.

Ah, thanks - I was at least missing that.


Cheers,


Nick
-- 
Nick Phillips / +64 3 479 4195 / nick.phill...@otago.ac.nz
Faculty of Medicine, University of Otago
