Re: [Django] #30004: Set default FILE_UPLOAD_PERMISSION to 0o644.

2019-02-08 Thread Django
#30004: Set default FILE_UPLOAD_PERMISSION to 0o644.
-----------------------------------+------------------------------------
 Reporter:  Evgeny Arshinov        |  Owner:  Himanshu Lakhara
 Type:  Cleanup/optimization       |  Status:  closed
 Component:  File uploads/storage  |  Version:  master
 Severity:  Normal                 |  Resolution:  fixed
 Keywords:                         |  Triage Stage:  Ready for checkin
 Has patch:  1                     |  Needs documentation:  0
 Needs tests:  0                   |  Patch needs improvement:  0
 Easy pickings:  0                 |  UI/UX:  0
-----------------------------------+------------------------------------
Changes (by Tim Graham):

 * status:  assigned => closed
 * resolution:   => fixed


Comment:

 In [changeset:"22aab8662f0368b63f91f2526bdd0532524bc0fe" 22aab866]:
 {{{
 #!CommitTicketReference repository=""
 revision="22aab8662f0368b63f91f2526bdd0532524bc0fe"
 Fixed #30004 -- Changed default FILE_UPLOAD_PERMISSION to 0o644.
 }}}

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/067.73c3d3a0940475082a18edd05251fbde%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.


Re: [Django] #30004: Set default FILE_UPLOAD_PERMISSION to 0o644.

2019-02-07 Thread Django
#30004: Set default FILE_UPLOAD_PERMISSION to 0o644.
-----------------------------------+------------------------------------
 Reporter:  Evgeny Arshinov        |  Owner:  Himanshu Lakhara
 Type:  Cleanup/optimization       |  Status:  assigned
 Component:  File uploads/storage  |  Version:  master
 Severity:  Normal                 |  Resolution:
 Keywords:                         |  Triage Stage:  Ready for checkin
 Has patch:  1                     |  Needs documentation:  0
 Needs tests:  0                   |  Patch needs improvement:  0
 Easy pickings:  0                 |  UI/UX:  0
-----------------------------------+------------------------------------

Comment (by Himanshu Lakhara):

 Replying to [comment:16 Tim Graham]:
 > The bit about "When :setting:`FILE_UPLOAD_PERMISSIONS` is set to
 > ``None``, ..." seems out of place in the checklist, however, there may
 > still be some value in describing cases in which the new default doesn't
 > make sense (if any).

 Yes, it is out of place. I could think of one case when a developer might
 want to change the new default.

 Consider the following scenario. We have a Django application which allows
 a user to upload pictures. Let's say this app runs in a process-A running
 as some system user-1. Now we have another process-B which modifies this
 image in place (maybe removing colors that the human eye cannot recognize
 or shrinking the image etc.). This image manipulation process is run as
 some other system user-2.

 Now in order for process B to modify these images, we would need to set
 FILE_UPLOAD_PERMISSIONS to '0o646' (assuming process-B is other than
 group).

 I understand this is not a great way to do such manipulation. We probably
 want to do this in a different way by making a copy of the original image
 before process-B modifies it. This is just an example.

 So there might be situations when the new default doesn't make sense. Even
 in these cases, I'm not sure whether putting it in the deployment checklist
 is necessary. The reason is that the settings page now explains what the
 new behavior is, and the default deployment option is better now. I'm not
 sure what additional information we could add to the checklist.



Re: [Django] #30004: Set default FILE_UPLOAD_PERMISSION to 0o644.

2019-02-07 Thread Django
#30004: Set default FILE_UPLOAD_PERMISSION to 0o644.
-----------------------------------+------------------------------------
 Reporter:  Evgeny Arshinov        |  Owner:  Himanshu Lakhara
 Type:  Cleanup/optimization       |  Status:  assigned
 Component:  File uploads/storage  |  Version:  master
 Severity:  Normal                 |  Resolution:
 Keywords:                         |  Triage Stage:  Ready for checkin
 Has patch:  1                     |  Needs documentation:  0
 Needs tests:  0                   |  Patch needs improvement:  0
 Easy pickings:  0                 |  UI/UX:  0
-----------------------------------+------------------------------------

Comment (by Carlton Gibson):

 Grrr. Commit hashes. I meant ef70af77ec53160d5ffa060c1bdf5ed93322d84f
 (where we added the note to the deployment checklist).



Re: [Django] #30004: Set default FILE_UPLOAD_PERMISSION to 0o644.

2019-02-06 Thread Django
#30004: Set default FILE_UPLOAD_PERMISSION to 0o644.
-----------------------------------+------------------------------------
 Reporter:  Evgeny Arshinov        |  Owner:  Himanshu Lakhara
 Type:  Cleanup/optimization       |  Status:  assigned
 Component:  File uploads/storage  |  Version:  master
 Severity:  Normal                 |  Resolution:
 Keywords:                         |  Triage Stage:  Ready for checkin
 Has patch:  1                     |  Needs documentation:  0
 Needs tests:  0                   |  Patch needs improvement:  0
 Easy pickings:  0                 |  UI/UX:  0
-----------------------------------+------------------------------------
Changes (by Tim Graham):

 * has_patch:  0 => 1


Comment:

 The bit about "When :setting:`FILE_UPLOAD_PERMISSIONS` is set to ``None``,
 ..." seems out of place in the checklist, however, there may still be some
 value in describing cases in which the new default doesn't make sense (if
 any).

 Regarding Carlton's comment 12 -- that change you cited is in the 1.11
 release notes. I'm not sure if you meant to cite something different.



Re: [Django] #30004: Set default FILE_UPLOAD_PERMISSION to 0o644.

2019-02-06 Thread Django
#30004: Set default FILE_UPLOAD_PERMISSION to 0o644.
-----------------------------------+------------------------------------
 Reporter:  Evgeny Arshinov        |  Owner:  Himanshu Lakhara
 Type:  Cleanup/optimization       |  Status:  assigned
 Component:  File uploads/storage  |  Version:  master
 Severity:  Normal                 |  Resolution:
 Keywords:                         |  Triage Stage:  Ready for checkin
 Has patch:  0                     |  Needs documentation:  0
 Needs tests:  0                   |  Patch needs improvement:  0
 Easy pickings:  0                 |  UI/UX:  0
-----------------------------------+------------------------------------

Comment (by Himanshu Lakhara):

 Replying to [comment:14 Carlton Gibson]:

 I agree with you on removing the section from the checklist. As you have
 suggested, it would be best to wait for others' opinions before making any
 change.



Re: [Django] #30004: Set default FILE_UPLOAD_PERMISSION to 0o644.

2019-02-06 Thread Django
#30004: Set default FILE_UPLOAD_PERMISSION to 0o644.
-----------------------------------+------------------------------------
 Reporter:  Evgeny Arshinov        |  Owner:  Himanshu Lakhara
 Type:  Cleanup/optimization       |  Status:  assigned
 Component:  File uploads/storage  |  Version:  master
 Severity:  Normal                 |  Resolution:
 Keywords:                         |  Triage Stage:  Ready for checkin
 Has patch:  0                     |  Needs documentation:  0
 Needs tests:  0                   |  Patch needs improvement:  0
 Easy pickings:  0                 |  UI/UX:  0
-----------------------------------+------------------------------------

Comment (by Carlton Gibson):

 Yes, that's what I meant. But I'd prefer to wait for another pair of eyes
 before just deciding that.



Re: [Django] #30004: Set default FILE_UPLOAD_PERMISSION to 0o644.

2019-02-06 Thread Django
#30004: Set default FILE_UPLOAD_PERMISSION to 0o644.
-----------------------------------+------------------------------------
 Reporter:  Evgeny Arshinov        |  Owner:  Himanshu Lakhara
 Type:  Cleanup/optimization       |  Status:  assigned
 Component:  File uploads/storage  |  Version:  master
 Severity:  Normal                 |  Resolution:
 Keywords:                         |  Triage Stage:  Ready for checkin
 Has patch:  0                     |  Needs documentation:  0
 Needs tests:  0                   |  Patch needs improvement:  0
 Easy pickings:  0                 |  UI/UX:  0
-----------------------------------+------------------------------------

Comment (by Himanshu Lakhara):

 Did you mean we should remove section `FILE_UPLOAD_PERMISSIONS` from
 `docs/howto/deployment/checklist.txt`?



Re: [Django] #30004: Set default FILE_UPLOAD_PERMISSION to 0o644.

2019-02-06 Thread Django
#30004: Set default FILE_UPLOAD_PERMISSION to 0o644.
-----------------------------------+------------------------------------
 Reporter:  Evgeny Arshinov        |  Owner:  Himanshu Lakhara
 Type:  Cleanup/optimization       |  Status:  assigned
 Component:  File uploads/storage  |  Version:  master
 Severity:  Normal                 |  Resolution:
 Keywords:                         |  Triage Stage:  Ready for checkin
 Has patch:  0                     |  Needs documentation:  0
 Needs tests:  0                   |  Patch needs improvement:  0
 Easy pickings:  0                 |  UI/UX:  0
-----------------------------------+------------------------------------
Changes (by Carlton Gibson):

 * version:  2.1 => master
 * component:  Documentation => File uploads/storage
 * stage:  Accepted => Ready for checkin


Comment:

 OK, this is ready to go.

 Note to committer:
 I have one query as to whether this fix means that the paragraph added to
 the Deployment Checklist in 89d4d412404d31ef34ae3170c0c056eff55b2a17 is
 now essentially misleading?
 If so, should we drop it entirely rather than just adjusting it...?

 {{{
 Fixed #30004, Refs #28540 -- Set default FILE_UPLOAD_PERMISSION to 0o644.

 This reverts commit 89d4d412404d31ef34ae3170c0c056eff55b2a17 as no longer
 relevant.
 }}}

 I think I'd be +1 on that.



Re: [Django] #30004: Set default FILE_UPLOAD_PERMISSION to 0o644.

2019-01-30 Thread Django
#30004: Set default FILE_UPLOAD_PERMISSION to 0o644.
-----------------------------------+------------------------------------
 Reporter:  Evgeny Arshinov        |  Owner:  Himanshu Lakhara
 Type:  Cleanup/optimization       |  Status:  assigned
 Component:  Documentation         |  Version:  2.1
 Severity:  Normal                 |  Resolution:
 Keywords:                         |  Triage Stage:  Accepted
 Has patch:  0                     |  Needs documentation:  0
 Needs tests:  0                   |  Patch needs improvement:  0
 Easy pickings:  0                 |  UI/UX:  0
-----------------------------------+------------------------------------
Changes (by Himanshu Lakhara):

 * owner:  nobody => Himanshu Lakhara
 * status:  new => assigned




Re: [Django] #30004: Set default FILE_UPLOAD_PERMISSION to 0o644.

2019-01-30 Thread Django
#30004: Set default FILE_UPLOAD_PERMISSION to 0o644.
--+
 Reporter:  Evgeny Arshinov   |Owner:  nobody
 Type:  Cleanup/optimization  |   Status:  new
Component:  Documentation |  Version:  2.1
 Severity:  Normal|   Resolution:
 Keywords:| Triage Stage:  Accepted
Has patch:  0 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  0 |UI/UX:  0
--+

Comment (by Carlton Gibson):

 > Shall we move it to 3.0 release?

 Yes please.



Re: [Django] #30004: Set default FILE_UPLOAD_PERMISSION to 0o644.

2019-01-30 Thread Django
#30004: Set default FILE_UPLOAD_PERMISSION to 0o644.
--+
 Reporter:  Evgeny Arshinov   |Owner:  nobody
 Type:  Cleanup/optimization  |   Status:  new
Component:  Documentation |  Version:  2.1
 Severity:  Normal|   Resolution:
 Keywords:| Triage Stage:  Accepted
Has patch:  0 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  0 |UI/UX:  0
--+

Comment (by Himanshu Lakhara):

 Replying to [comment:8 Carlton Gibson]:

 I see and understand the issue better now. Thanks for the clarification.

 I'll make the changes as you have suggested in your [comment:5 previous
 comment].

 The only question remaining is about introducing this change in the 3.0
 version. Shall we move it to the 3.0 release?



Re: [Django] #30004: Set default FILE_UPLOAD_PERMISSION to 0o644.

2019-01-30 Thread Django
#30004: Set default FILE_UPLOAD_PERMISSION to 0o644.
--+
 Reporter:  Evgeny Arshinov   |Owner:  nobody
 Type:  Cleanup/optimization  |   Status:  new
Component:  Documentation |  Version:  2.1
 Severity:  Normal|   Resolution:
 Keywords:| Triage Stage:  Accepted
Has patch:  0 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  0 |UI/UX:  0
--+

Comment (by Carlton Gibson):

 That note refers to the fact that non-leaf directories are created using
 the process `umask`.  (See
 [https://docs.python.org/3.7/library/os.html#os.makedirs `makedirs()`
 docs].) This is similar to `FILE_UPLOAD_PERMISSIONS`, when not using the
 temporary file upload handler.

 The underlying issue here is the **inconsistency** in file permissions,
 depending on the file size, when using **the default settings** that
 Django provides. There is no such inconsistency with directory
 permissions. As such, changes should not be needed to
 `FILE_UPLOAD_DIRECTORY_PERMISSIONS`. (Any issues there would need to be
 addressed under a separate ticket.)

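
The file-size-dependent permission inconsistency described in the comment above, as an added example that is not part of the thread or of Django's code. It models the two save paths with the standard library only; the helper names and payloads are constructed, and a POSIX filesystem is assumed.

```python
import os
import stat
import tempfile


def mode_of(path):
    """Return only the permission bits of a file, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def save_from_memory(dest, data, permissions=None):
    """Small upload held in memory: the destination is created directly,
    so its mode is 0o666 masked by the process umask."""
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    if permissions is not None:
        os.chmod(dest, permissions)  # chmod is not affected by the umask
    return mode_of(dest)


def save_from_tempfile(dest, data, permissions=None):
    """Large upload spooled to disk: the temporary file is created 0o600
    by the tempfile module, and rename() carries that mode to the target."""
    directory = os.path.dirname(dest)
    with tempfile.NamedTemporaryFile(dir=directory, delete=False) as tmp:
        tmp.write(data)
    os.rename(tmp.name, dest)
    if permissions is not None:
        os.chmod(dest, permissions)
    return mode_of(dest)


def compare(permissions=None, umask=0o022):
    """Save one file through each path and return (small_mode, large_mode).

    permissions=None models the old default (no explicit chmod);
    permissions=0o644 models the new default from this ticket.
    """
    previous = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as root:
            small = save_from_memory(
                os.path.join(root, "small.jpg"), b"constructed", permissions)
            large = save_from_tempfile(
                os.path.join(root, "large.jpg"), b"constructed", permissions)
            return small, large
    finally:
        os.umask(previous)  # always restore the caller's umask


if __name__ == "__main__":
    for label, perms in (("no explicit mode", None), ("0o644", 0o644)):
        small, large = compare(perms)
        print(f"{label:>17}: small={oct(small)} large={oct(large)}")
```

With no explicit mode the two paths only agree when the umask happens to yield 0o600; an explicit mode makes the result independent of both the upload size and the umask.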


Re: [Django] #30004: Set default FILE_UPLOAD_PERMISSION to 0o644.

2019-01-29 Thread Django
#30004: Set default FILE_UPLOAD_PERMISSION to 0o644.
--+
 Reporter:  Evgeny Arshinov   |Owner:  nobody
 Type:  Cleanup/optimization  |   Status:  new
Component:  Documentation |  Version:  2.1
 Severity:  Normal|   Resolution:
 Keywords:| Triage Stage:  Accepted
Has patch:  0 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  0 |UI/UX:  0
--+

Comment (by Himanshu Lakhara):

 Hello everyone,

 I would like to work on this. But before that there are a few important
 questions:

 1. There is a related setting called `FILE_UPLOAD_DIRECTORY_PERMISSIONS`.
 Its document says that
 "This value mirrors the functionality and caveats of the
 `FILE_UPLOAD_PERMISSIONS` setting."
 Shall we also change its default from `None` to `0o644` (please suggest if
 something different should be provided for directories) and update its
 document as well?

 2. Since the 2.2 pre-release branch is now in a feature freeze state, shall
 we move the change to the 3.0 version?

 On a side note, some tests must be refactored for new values for both of
 these settings. I think that's alright.



Re: [Django] #30004: Set default FILE_UPLOAD_PERMISSION to 0o644.

2018-12-12 Thread Django
#30004: Set default FILE_UPLOAD_PERMISSION to 0o644.
--+
 Reporter:  Evgeny Arshinov   |Owner:  nobody
 Type:  Cleanup/optimization  |   Status:  new
Component:  Documentation |  Version:  2.1
 Severity:  Normal|   Resolution:
 Keywords:| Triage Stage:  Accepted
Has patch:  0 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  0 |UI/UX:  0
--+

Comment (by Evgeny Arshinov):

 Replying to [comment:5 Carlton Gibson]:
 > Thus far, no great objections on the mailing list to adjusting the
 > FILE_UPLOAD_PERMISSION default. Thus I'm going to rename this and
 > ''Accept'' on that basis.

 Thank you! Hopefully, this change will prevent confusion and unpleasant
 surprises for Django users in the future.



Re: [Django] #30004: Set default FILE_UPLOAD_PERMISSION to 0o644. (was: Document TemporaryUploadedFile potential permission issues)

2018-12-12 Thread Django
#30004: Set default FILE_UPLOAD_PERMISSION to 0o644.
--+
 Reporter:  Evgeny Arshinov   |Owner:  nobody
 Type:  Cleanup/optimization  |   Status:  new
Component:  Documentation |  Version:  2.1
 Severity:  Normal|   Resolution:
 Keywords:| Triage Stage:  Accepted
Has patch:  0 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  0 |UI/UX:  0
--+
Changes (by Carlton Gibson):

 * stage:  Unreviewed => Accepted


Comment:

 Thus far, no great objections on the mailing list to adjusting the
 FILE_UPLOAD_PERMISSION default. Thus I'm going to rename this and
 ''Accept'' on that basis.

 A PR would need to:

 * Adjust the default.
 * Add a Breaking Change note to `releases/2.2.txt` (on the assumption we
 can get it in for then.) — This should include a "set to `None` to
 restore previous behaviour" type comment.
 * Adjust the references in the settings docs and deployment checklist.
 * Make sure any other references are adjusted.
