Re: Update permissions on custom permissions migration

2018-03-30 Thread Yo-Yo Ma
FWIF, I wrote a custom data migration to update the Permission model.

My OP is attempting to suggest that migrations should handle this 
automatically.

On Friday, March 30, 2018 at 5:43:39 PM UTC-4, Yo-Yo Ma wrote:
>
> A model with a custom permission:
>
> class Spam(Model):
>     class Meta:
>         permissions = (('spam', 'Can eat spam'),)
>
> ...
>
> $ manage.py makemigrations
> $ manage.py migrate
>
> Now we have a custom permission in the User admin:
>
> foods | spam | Can eat spam
>
> Then update the permission's verbose name:
>
> class Spam(Model):
>     class Meta:
>         permissions = (('spam', 'Can cook AND eat spam'),)
>
> ...
>
> $ manage.py makemigrations
> $ manage.py migrate
>
> The permission's description change is not reflected in the admin:
>
> foods | spam | Can eat spam
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/cca05f9c-bacf-4ebb-8c19-a9ee2befdfb5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Update permissions on custom permissions migration

2018-03-30 Thread Yo-Yo Ma
A model with a custom permission:

class Spam(Model):
    class Meta:
        permissions = (('spam', 'Can eat spam'),)

...

$ manage.py makemigrations
$ manage.py migrate

Now we have a custom permission in the User admin:

foods | spam | Can eat spam

Then update the permission's verbose name:

class Spam(Model):
    class Meta:
        permissions = (('spam', 'Can cook AND eat spam'),)

...

$ manage.py makemigrations
$ manage.py migrate

The permission's description change is not reflected in the admin:

foods | spam | Can eat spam

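The behaviour described in both messages above (Django's post_migrate handler creates missing permissions but never rewrites the name of an existing one) is usually handled with a data migration like the one Yo-Yo Ma mentions writing. The following is an added example, not code from the thread or from Django itself. It keeps the comparison step as a pure function so it can be tested without Django, and wraps it in a RunPython migration. The app label foods and the model Spam come from the thread; the migration it depends on (0002_alter_spam_options) is a placeholder for whatever makemigrations produced, and iterating over every model of the app is an assumption that goes beyond the single-model case in the post.

```python
"""
Data migration that refreshes the ``name`` of custom permissions declared in
``Meta.permissions``.  Added example; not the thread's or Django's own code.
Placeholder: "0002_alter_spam_options" stands for the makemigrations output.
"""


def permission_name_updates(declared, stored):
    """Pure comparison step (testable without Django).

    declared: iterable of (codename, name) as written in Meta.permissions
    stored:   mapping codename -> name currently in the auth_permission table
    Returns a sorted list of (codename, old_name, new_name) for rows whose
    stored name differs.  Codenames that are not stored yet are skipped:
    post_migrate will create them with the declared name anyway.
    """
    updates = []
    for codename, name in declared:
        if codename in stored and stored[codename] != name:
            updates.append((codename, stored[codename], name))
    return sorted(updates)


def refresh_custom_permission_names(apps, schema_editor, app_label="foods"):
    """RunPython callable: align stored names with the historical models' Meta.

    Only codenames listed in Meta.permissions are touched; the default
    add/change/delete/view permissions are left alone.  Assumes the data
    migration is ordered after the migration that altered the model options,
    so the historical state already carries the new names.
    """
    Permission = apps.get_model("auth", "Permission")
    for model in apps.get_app_config(app_label).get_models():
        opts = model._meta
        declared = list(opts.permissions)
        if not declared:
            continue
        # Match on the content type's label/model rather than fetching a
        # ContentType row, which may not exist yet on a fresh database.
        qs = Permission.objects.filter(
            content_type__app_label=opts.app_label,
            content_type__model=opts.model_name,
        )
        stored = dict(qs.values_list("codename", "name"))
        for codename, _old, new in permission_name_updates(declared, stored):
            qs.filter(codename=codename).update(name=new)


try:
    from django.db import migrations
except ImportError:  # keeps the module importable (and testable) without Django
    migrations = None

if migrations is not None:

    class Migration(migrations.Migration):
        dependencies = [
            ("foods", "0002_alter_spam_options"),  # placeholder name
            ("auth", "0001_initial"),
        ]
        operations = [
            migrations.RunPython(
                refresh_custom_permission_names, migrations.RunPython.noop
            ),
        ]
```

On a fresh database the data migration runs before post_migrate has created any permission rows, so it updates nothing and post_migrate then creates the rows with the current names; on an existing database it rewrites only the rows whose stored name differs. The reverse operation is a no-op because the old names are not recorded anywhere the migration can read them back from.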


Re: A more useful list of common passwords?

2018-03-30 Thread Curtis Maloney

On 03/30/2018 07:05 PM, Adam Johnson wrote:

> This new file sounds good to me.
>
>> Whilst you're at it, what is the new file size?
>
> I downloaded the gist, took only column 3 (the actual passwords) and
> gzipped it, it came to 81K over the existing 3.8K. Uncompressed that's
> 163K over 7.1K.

Still a tiny drop compared to a running system... but something worth 
keeping an eye on.

A quick look at the code shows, of course, that you can specify your own 
file, so IFF this new file is rejected, it can at least be easily 
offered and used.

> It would probably warrant a smarter checking algorithm over the current
> one, where the validator loads the whole file into memory on
> initialization (and doesn't share it between instances).

The current solution is storing the strings in a set, so membership of 
strings in a set _should_ be fairly efficient.

--
Curtis

> OOI have you seen https://github.com/ubernostrum/pwned-passwords-django/,
> which uses Troy Hunt's massive API for all leaked passwords?

The joy of pluggable validators is... people can choose their level of 
strictness :)

--
C



Re: A more useful list of common passwords?

2018-03-30 Thread Adam Johnson
This new file sounds good to me.

> Whilst you're at it, what is the new file size?


I downloaded the gist, took only column 3 (the actual passwords) and
gzipped it, it came to 81K over the existing 3.8K. Uncompressed that's 163K
over 7.1K.

It would probably warrant a smarter checking algorithm over the current
one, where the validator loads the whole file into memory on initialization
(and doesn't share it between instances).

OOI have you seen https://github.com/ubernostrum/pwned-passwords-django/ ,
which uses Troy Hunt's massive API for all leaked passwords ?

On 30 March 2018 at 06:31, Curtis Maloney  wrote:

> By which I mean... hi Brenton! Great to see you being active again :)
>
> It's great you've taken the time to do this, and the benefits are very
> clear [improved security], but what are the costs?
>
> Whilst you're at it, what is the new file size?
>
> --
> Curtis
>
>
>
>
> On 03/30/2018 04:26 PM, Curtis Maloney wrote:
>
>> What sort of performance impact is this having over the existing list?
>>
>> What's the additional memory load, if any?
>>
>> --
>> Curtis
>>
>>
>> On 03/30/2018 04:24 PM, Brenton Cleeland wrote:
>>
>>> Three years ago Django introduced the CommonPasswordValidator and
>>> included a list of 1,000 passwords considered to be "common". That list was
>>> based on leaked passwords and came from xato.net[1].
>>>
>>> I'd like to update the list to
>>>
>>> a) be from a more reliable / recent source
>>> b) be larger and more in line with the NIST recommendations
>>>
>>> Security researcher Troy Hunt has published a massive list of leaked
>>> passwords, including frequencies on Have I Been Pwned[2]. The top 20,000 of
>>> which are available in a gist from Royce Williams[3], including the
>>> frequency, md5 hash and plain text password.
>>>
>>> Interestingly there's 27 passwords in the Django list that aren't in the
>>> HIBP list. I'd post them here but they're mostly short and not safe for
>>> work.
>>>
>>> I've created a ticket for the increase in size[4] but wanted to check in
>>> and make sure this is something django-developers thinks is valuable.
>>>
>>> Cheers,
>>> Brenton
>>>
>>> [1]: https://web.archive.org/web/20150315154609/https://xato.net/
>>> passwords/more-top-worst-passwords/#.Wr3H1chxV25
>>> [2]: https://haveibeenpwned.com/Passwords
>>> [3]: https://gist.github.com/roycewilliams/281ce539915a947a23db17
>>> 137d91aeb7
>>> [4]: https://code.djangoproject.com/ticket/29274
>>>



-- 
Adam
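Adam's point above (the validator reads the whole file into memory at initialization and does not share it between instances), and Curtis's reply that set membership keeps lookups cheap, can both be shown in a few lines. The following is an added example, not Django's CommonPasswordValidator and not code from the thread: a Django-style validator whose gzipped list is loaded once per file path and shared by every instance. The word list is a small constructed sample written to a temporary file so the example runs offline; ValueError stands in for django.core.exceptions.ValidationError.

```python
"""
Added example: a common-password validator that shares one frozenset per
list file across all instances.  Not Django's own implementation.
"""
import gzip
import os
import tempfile
from functools import lru_cache

# Constructed sample list, one password per line like Django's
# common-passwords.txt.gz (the real list holds thousands of entries).
SAMPLE_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Spam"]


def write_sample_list(directory):
    """Write the constructed sample as a gzipped text file and return its path."""
    path = os.path.join(directory, "common-passwords.txt.gz")
    with gzip.open(path, "wt", encoding="utf-8") as fh:
        fh.write("\n".join(SAMPLE_PASSWORDS) + "\n")
    return path


@lru_cache(maxsize=None)
def load_common_passwords(path):
    """Read the gzipped list once per path.

    Later calls with the same path return the very same frozenset object, so
    every validator built from that file shares one copy in memory instead of
    each instance holding its own.  Entries are lower-cased because the check
    below compares lower-cased input, as Django's validator does.
    """
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return frozenset(line.strip().lower() for line in fh if line.strip())


class SharedCommonPasswordValidator:
    """Same interface as a Django password validator (validate/get_help_text)."""

    def __init__(self, password_list_path):
        self.passwords = load_common_passwords(password_list_path)

    def validate(self, password, user=None):
        # frozenset membership is a hash lookup, so list size barely matters
        if password.lower() in self.passwords:
            raise ValueError("This password is too common.")

    def get_help_text(self):
        return "Your password can't be a commonly used password."


def is_rejected(validator, password):
    """True if the validator refuses the password."""
    try:
        validator.validate(password)
    except ValueError:
        return True
    return False


SAMPLE_DIR = tempfile.mkdtemp()
SAMPLE_PATH = write_sample_list(SAMPLE_DIR)


def shares_one_set(path=SAMPLE_PATH):
    """True when two validators built from the same file hold the same object."""
    first = SharedCommonPasswordValidator(path)
    second = SharedCommonPasswordValidator(path)
    return first.passwords is second.passwords


if __name__ == "__main__":
    validator = SharedCommonPasswordValidator(SAMPLE_PATH)
    for candidate in ["Password", "spam", "correct horse battery staple"]:
        verdict = "rejected" if is_rejected(validator, candidate) else "accepted"
        print(f"{candidate!r}: {verdict}")
    print("instances share one set:", shares_one_set())
```

Because the cache key is the file path, a project that points several validators (or several worker processes' worth of settings) at the same list pays for one frozenset per process, which addresses the memory concern raised above without changing the lookup cost.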



Re: A more useful list of common passwords?

2018-03-30 Thread Brenton Cleeland
Heya, Curtis!

The gzipped file size of the new file is 82K. That's with all 19,999
passwords from Royce's list.

I threw together a quick test that compares the default list to the new
larger one by checking 10,000 random passwords. Speed difference is
negligible, with both varying between 0.8–1.1 seconds on my machine.

Memory usage on the other hand is definitely higher. With the current
Django list of 1,000 passwords memory usage increases by 0.1MiB. With the
new list it's 0.9-1.0MiB. This would be expected, since the list is 20x the
size. To put it into context, the project that I ran that test on (a fresh
project using the standard template) was already using 30MiB to run the
management command.

You can see the full output of the memory test here:
https://gist.github.com/sesh/c431b8cc6b5063e31f08b2a4dc3b46f0

I think the trade-off of a little extra memory is worth it. If you *really*
want to save memory you can (should?) disable the common password validator
or provide your own shorter list anyway.

On 30 March 2018 at 16:31, Curtis Maloney  wrote:

> By which I mean... hi Brenton! Great to see you being active again :)
>
> It's great you've taken the time to do this, and the benefits are very
> clear [improved security], but what are the costs?
>
> Whilst you're at it, what is the new file size?
>
> --
> Curtis
>
>
>
>
> On 03/30/2018 04:26 PM, Curtis Maloney wrote:
>
>> What sort of performance impact is this having over the existing list?
>>
>> What's the additional memory load, if any?
>>
>> --
>> Curtis
>>
>>
>> On 03/30/2018 04:24 PM, Brenton Cleeland wrote:
>>
>>> Three years ago Django introduced the CommonPasswordValidator and
>>> included a list of 1,000 passwords considered to be "common". That list was
>>> based on leaked passwords and came from xato.net[1].
>>>
>>> I'd like to update the list to
>>>
>>> a) be from a more reliable / recent source
>>> b) be larger and more in line with the NIST recommendations
>>>
>>> Security researcher Troy Hunt has published a massive list of leaked
>>> passwords, including frequencies on Have I Been Pwned[2]. The top 20,000 of
>>> which are available in a gist from Royce Williams[3], including the
>>> frequency, md5 hash and plain text password.
>>>
>>> Interestingly there's 27 passwords in the Django list that aren't in the
>>> HIBP list. I'd post them here but they're mostly short and not safe for
>>> work.
>>>
>>> I've created a ticket for the increase in size[4] but wanted to check in
>>> and make sure this is something django-developers thinks is valuable.
>>>
>>> Cheers,
>>> Brenton
>>>
>>> [1]: https://web.archive.org/web/20150315154609/https://xato.net/
>>> passwords/more-top-worst-passwords/#.Wr3H1chxV25
>>> [2]: https://haveibeenpwned.com/Passwords
>>> [3]: https://gist.github.com/roycewilliams/281ce539915a947a23db17
>>> 137d91aeb7
>>> [4]: https://code.djangoproject.com/ticket/29274
>>>



-- 
Cheers,
Brenton

https://brntn.me // @sesh 
