Gordon
As others have said, you need to keep such stuff out of your repo.
For that I wrote a little file parser called getcreds.py (see below) to
read plain text files and retrieve the necessary info for settings.
e.g., from my settings.py ...
    # keep all credentials in separate fname files in credsdir
    from .getcreds import getcreds

    email_creds = getcreds('smtp.host', PROJECT)
    EMAIL_HOST = email_creds[0]
    EMAIL_PORT = email_creds[1]
    EMAIL_HOST_USER = email_creds[2]
    EMAIL_HOST_PASSWORD = email_creds[3]

    SECRET_KEY = getcreds('django.secret', PROJECT)[0]

    dbhost = getcreds('db.host', PROJECT)
    DATABASES = {
        'default': {
            'ENGINE': 'django.db.backends.postgresql_psycopg2',
            'NAME': PROJECT,
            'USER': dbhost[0],
            'PASSWORD': dbhost[1],
            'HOST': dbhost[2],
            'PORT': dbhost[3],
        }
    }
This is off-list because it isn't widely used. I don't wish to pollute
the wider nob community with such heresy. It works nicely for me but
best-practice (I'm told) is to store such things in environment vars and
get them from there when required. I'd drop my approach and do that if I
had time.
Cheers
Mike
<below>
    # -*- coding: utf-8 -*-
    from __future__ import unicode_literals

    # this is the only django import permitted in settings files
    from django.core.exceptions import ImproperlyConfigured


    def getcreds(fname, project, credsroot='/var/www/creds'):
        """ return a list of userid and password and perhaps other data """
        # one directory per project under credsroot, one plain-text file per credential
        credsdir = '%s/%s' % (credsroot, project)
        creds = []
        fname = '%s/%s' % (credsdir, fname)
        # each line of the file becomes one list element, in file order
        with open(fname, 'r') as f:
            for line in f:
                creds.append(line.strip())
        # an empty or missing-content file is a configuration error, not a blank setting
        if not creds:
            raise ImproperlyConfigured('Missing setting: %s' % fname)
        return creds
On 25/09/2015 4:03 PM, Gordon Reeder wrote:
I'm learning Django and still very new at it. And like a newbie, I may
have made a newbie goof.
I have leaked my CSRF token.
I am building up a web site with Django which I have under revision
control with Git. I have pushed two commits of the project out to
Github. The commits included the settings.py file, which lists the CSRF
token. I have read (after the fact) that maybe that wasn't the smartest
thing to do.
So now what?
Can I remove the settings.py file from Github?
Or can I generate a new CSRF token?
Any suggestions?
--
You received this message because you are subscribed to the Google
Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-users/9faaf7ad-29af-473d-8e63-e1c51b4b90d0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
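Two points the thread leaves implicit. The value Gordon pushed is Django's SECRET_KEY (the setting Mike loads from 'django.secret'), which Django uses for signing; there is no "CSRF token" setting. And a secret that has been pushed stays in every earlier commit on GitHub even after the file is removed in a later one, so the only sound response is to treat the key as compromised and rotate it. The block below is an added example, not Mike's getcreds.py and not Django's own code; it shows the environment-variable approach Mike mentions as best practice, plus a SECRET_KEY generator for the rotation. The function names (env_setting, secret_setting, read_secret_file, write_secret_file, new_secret_key, database_settings), the NAME_FILE convention and the environment values in the demo are all assumptions made for this example; the alphabet and length match what Django's own key generator uses.

```python
"""Read settings secrets from the environment (or a 0600 file), never from the repo.

Added example for this thread, Python 3. Not Mike's getcreds.py and not Django
code; the helper names and the NAME_FILE convention are this example's own.
"""
import os
import secrets
import stat

try:
    from django.core.exceptions import ImproperlyConfigured
except ImportError:  # lets the helpers run outside a Django project
    class ImproperlyConfigured(Exception):
        pass

# Same alphabet and length Django itself uses when it generates a SECRET_KEY.
SECRET_KEY_CHARS = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)"
SECRET_KEY_LENGTH = 50

_REQUIRED = object()  # sentinel so that default=None is still a real default


def env_setting(name, default=_REQUIRED, environ=None):
    """Return environ[name]; fall back to default; fail loudly if neither is set."""
    environ = os.environ if environ is None else environ
    value = environ.get(name)
    if value:  # treat "" like unset: an empty password is never what you meant
        return value
    if default is _REQUIRED:
        raise ImproperlyConfigured("Missing environment variable: %s" % name)
    return default


def read_secret_file(path):
    """Read a single secret from a file, refusing one that other users can read."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise ImproperlyConfigured(
            "%s is group/world accessible (mode %o); chmod 600 it" % (path, mode))
    with open(path) as f:
        value = f.read().strip()
    if not value:
        raise ImproperlyConfigured("Secret file %s is empty" % path)
    return value


def write_secret_file(path, value):
    """Provision a secret file with owner-only permissions from the start."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(value)
    os.chmod(path, 0o600)  # in case the file already existed with wider bits


def secret_setting(name, environ=None):
    """NAME in the environment wins; else NAME_FILE names a file holding it."""
    environ = os.environ if environ is None else environ
    value = environ.get(name)
    if value:
        return value
    path = environ.get(name + "_FILE")
    if path:
        return read_secret_file(path)
    raise ImproperlyConfigured("Set %s or %s_FILE" % (name, name))


def new_secret_key():
    """Generate a replacement SECRET_KEY with the CSPRNG; use this after a leak."""
    return "".join(secrets.choice(SECRET_KEY_CHARS) for _ in range(SECRET_KEY_LENGTH))


def database_settings(environ=None):
    """The 'default' DATABASES entry, built from DB_* variables (names assumed)."""
    env = os.environ if environ is None else environ
    return {
        "ENGINE": "django.db.backends.postgresql_psycopg2",
        "NAME": env_setting("DB_NAME", environ=env),
        "USER": env_setting("DB_USER", environ=env),
        "PASSWORD": secret_setting("DB_PASSWORD", environ=env),
        "HOST": env_setting("DB_HOST", default="localhost", environ=env),
        "PORT": env_setting("DB_PORT", default="5432", environ=env),
    }


if __name__ == "__main__":
    # Constructed environment for a stand-alone run; settings.py would use os.environ.
    demo = {"DB_NAME": "myproj", "DB_USER": "myproj",
            "DB_PASSWORD": "hunter2", "DB_HOST": "db"}
    print(database_settings(demo))
    print("fresh SECRET_KEY:", new_secret_key())
```

In settings.py this reduces to `SECRET_KEY = secret_setting("SECRET_KEY")` and `DATABASES = {"default": database_settings()}`; a missing variable then fails at startup with ImproperlyConfigured instead of silently running with an empty password. The permission check in read_secret_file is the one thing worth carrying over to a file-based scheme like Mike's: a credentials directory under /var/www that the web server user can read is only as private as its mode bits.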