Re: PHP-inspired user-friendly in-browser DJango install

2011-09-13 Thread Mikhail Korobov
Hi all, There are a lot of projects for making django deployment easier (a bit of them are listed here: http://djangopackages.com/grids/g/deployment/ ) but there is no clear winner, everybody has different preferences and requirements. I think this all doesn't relate to development of django

Re: CSRF token not validated?

2011-09-13 Thread Jens Diemer
Am 12.09.2011 22:32, schrieb Carl Meyer: Sanity-checking the length sounds reasonable to me - do you mind opening a ticket for this and attaching your patch? Done ;) Ticket: https://code.djangoproject.com/ticket/16827 Patch: https://github.com/django/django/pull/45 -- Mfg.

Re: #7198 - Better error message when app is missing models.py

2011-09-13 Thread Jannis Leidel
On 12.09.2011, at 22:44, Carl Meyer wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Hi Gary, > > On 09/12/2011 12:04 AM, Gary Wilson Jr. wrote: >> I'm a fan of not requiring a models.py, as IMHO it shouldn't be any >> different than other common files found in an app e.g. urls.py,

django test-runner annoyances

2011-09-13 Thread mvr
Why doesn't the django test management command / test builder allow fully-qualified package names instead of just app-relative ones? At work we've been using the method below to monkey-patch the test builder, so that $ django-admin.py test my_module.my_app.tests.some_test_file always works as

Re: PHP-inspired user-friendly in-browser DJango install

2011-09-13 Thread h3
> Beyond that, what I am wondering is how much users will be able to understand > how Django works if they can't do the installation. Each year I accept foreign students for internship in my company and most of them either never heard of Django or didn't bother to learn how it works just to try

Re: PHP-inspired user-friendly in-browser DJango install

2011-09-13 Thread Alec Taylor
Agreed On Wed, Sep 14, 2011 at 1:00 AM, h3 wrote: >> Beyond that, what I am wondering is how much users will be able to understand >> how Django works if they can't do the installation. > > Each year I accept foreign students for internship in my company and > most of them

Re: PHP-inspired user-friendly in-browser DJango install

2011-09-13 Thread Adam Jenkins
On Tue, Sep 13, 2011 at 10:00 AM, h3 wrote: > Most of them were competent developers, but they didn't see the point > of learning how to get started with Django because it seemed too > complicated to setup and use for starters. So they preferred to stay > in their comfort

please reopen ticket 15567

2011-09-13 Thread Wim Feijen
Hello, When a user tries to log in on the admin, with correct username & password, but is_staff is set to False, the error message is misleadingly wrong: "Please enter a correct username and password. Note that both fields are case-sensitive." Ticket 15567 deals with this and is currently marked

Re: please reopen ticket 15567

2011-09-13 Thread Babatunde Akinyanmi
+1 On 9/13/11, Wim Feijen wrote: > Hello, > > When a user tries to log in on the admin, with correct username & > password, but is_staff is set to False, the error message is > misleadingly wrong: > > "Please enter a correct username and password. Note that both fields > are

Re: please reopen ticket 15567

2011-09-13 Thread Florian Apolloner
-1, This would leak information about the users (But I am sure that's discussed at length in the other threads)

Re: please reopen ticket 15567

2011-09-13 Thread Cal Leeming [Simplicity Media Ltd]
+1, if the user/pass is entered, that user is entitled to know what its own permissions are. The error should give "You have insufficient access to this page" or something like that. Cal On Tue, Sep 13, 2011 at 6:12 PM, Florian Apolloner wrote: > -1, This would leak

Re: please reopen ticket 15567

2011-09-13 Thread Jan Schotsmans
I can imagine several situations where you would like the user not to know that, until they talk to an administrator. -1 for me too, both giving away user info and giving info to the user that would be better given by a talk to an administrator. 2011/9/13 Cal Leeming [Simplicity Media Ltd] <

Re: please reopen ticket 15567

2011-09-13 Thread Adam Jenkins
+1 on making the error say more than incorrect username/password. That is confusing. In regards to leaking information about the user. The error message in general could be changed to something like this, of course with better wording: "Username and password incorrect or access to this page

Re: please reopen ticket 15567

2011-09-13 Thread Wim Feijen
Hi, thanks for your quick responses! Flavio, Jan and Florian, it only "gives away information" when an attacker guesses both the username and the password right. But if he can guess those right, he could already access the user's information using the normal login! So giving this message does not

Re: please reopen ticket 15567

2011-09-13 Thread Babatunde Akinyanmi
+1 again. If a correct username and password combination are given, the person submitting the credentials should know that he doesn't have access, just like Cal pointed out. It's unfair and frustrating to say that the combination is wrong. On 9/13/11, Cal Leeming [Simplicity Media Ltd]

Re: please reopen ticket 15567

2011-09-13 Thread Flávio Amieiro
On Tue, Sep 13, 2011 at 2:16 PM, Cal Leeming [Simplicity Media Ltd] wrote: > +1, if the user/pass is entered, that user is entitled to know what its own > permissions are. > The error should give "You have insufficient access to this page" or > something like

Re: please reopen ticket 15567

2011-09-13 Thread Anssi Kääriäinen
On Sep 13, 8:24 pm, Adam Jenkins wrote: > +1 on making the error say more than incorrect username/password. That > is confusing. In regards to leaking information about the user. The > error message in general could be changed to something like this, of > course with

Re: class based views: object instead of dictionary as context?

2011-09-13 Thread Tobias McNulty
On Mon, Sep 12, 2011 at 2:10 PM, Reinout van Rees wrote: > On 12-09-11 18:25, Florian Apolloner wrote: > >> On Monday, September 12, 2011 5:39:03 PM UTC+2, Reinout van Rees wrote: >> >>Addition: disallow attributes/methods starting with an underscore? >> >>That's a

Re: please reopen ticket 15567

2011-09-13 Thread Florian Apolloner
Hi, On Tuesday, September 13, 2011 7:42:24 PM UTC+2, Wim Feijen wrote: > > Flavio, Jan and Florian, it only "gives away information" when an > attacker guesses both the username and the password right. > No! Assume the admin view is the only login view in your project (since it only consists

Re: please reopen ticket 15567

2011-09-13 Thread Paul Egges
On Tue, Sep 13, 2011 at 12:27 PM, Anssi Kääriäinen wrote: > On Sep 13, 8:24 pm, Adam Jenkins wrote: > > +1 on making the error say more than incorrect username/password. That > > is confusing. In regards to leaking information about the user. The

Re: please reopen ticket 15567

2011-09-13 Thread Florian Apolloner
Hmm, actually my text was supposed to go below the quotes, but apparently the new google interface is a bit buggy -- nevertheless I hope you still understand the point I am trying to make even without correct quoting order…

Re: please reopen ticket 15567

2011-09-13 Thread Adam Jenkins
On Tue, Sep 13, 2011 at 12:42 PM, Wim Feijen wrote: > Hi, thanks for your quick responses! > > Flavio, Jan and Florian, it only "gives away information" when an > attacker guesses both the username and the password right. I think this is the correct approach. Give them the

Re: class based views: object instead of dictionary as context?

2011-09-13 Thread Reinout van Rees
On 13-09-11 20:33, Tobias McNulty wrote: I love it when problems solve themselves :-) That's a good point. Are there *any* methods in the CBVs that don't take arguments, that also modify data? The only one that I found in the list I'd initially proposed that can be called without

Re: please reopen ticket 15567

2011-09-13 Thread Babatunde Akinyanmi
The correct approach is to give a "one size fits all" error message. While security is important, so also is user experience. On 9/13/11, Adam Jenkins wrote: > On Tue, Sep 13, 2011 at 12:42 PM, Wim Feijen wrote: >> Hi, thanks for your quick

Re: please reopen ticket 15567

2011-09-13 Thread silent1mezzo
-1 If a person brute forces your site and finds the correct username / password they could try this on other sites (gmail, banking, etc.) While it would make it a little more clear, I think the implications are too big. On Sep 13, 3:14 pm, Adam Jenkins wrote: > On Tue,

Re: please reopen ticket 15567

2011-09-13 Thread Ian Kelly
On Tue, Sep 13, 2011 at 11:24 AM, Adam Jenkins wrote: > +1 on making the error say more than incorrect username/password. That > is confusing. In regards to leaking information about the user. The > error message in general could be changed to something like this, of >

Re: please reopen ticket 15567

2011-09-13 Thread Jacob Kaplan-Moss
Hi folks -- I agree 100% with what Russ had to say on the ticket: leaking information about admin accounts isn't OK, and we won't change that. If someone would like to submit a patch with different wording that covers all cases -- "this is an invalid user/password for admin access" or somesuch

Re: please reopen ticket 15567

2011-09-13 Thread Wim Feijen
Ladies and gentlemen, Thanks for all the feedback, a patch is in ticket 16837: https://code.djangoproject.com/ticket/16837 Feel free to try and review the patch. Best regards and for now, good night. Wim On 13 sep, 23:42, Jacob Kaplan-Moss wrote: > Hi folks -- > > I agree

Should user passwords be more strict?

2011-09-13 Thread Wim Feijen
Having just finished a discussion on security, I'd like to raise a concern of mine. By default, users can have a one-character password. When their accounts get hacked, we suffer the consequences as well. Should we be more strict in that? Wim

Re: #7198 - Better error message when app is missing models.py

2011-09-13 Thread Russell Keith-Magee
On Tue, Sep 13, 2011 at 4:41 PM, Jannis Leidel wrote: > On 12.09.2011, at 22:44, Carl Meyer wrote: > >> -BEGIN PGP SIGNED MESSAGE- >> Hash: SHA1 >> >> Hi Gary, >> >> On 09/12/2011 12:04 AM, Gary Wilson Jr. wrote: >>> I'm a fan of not requiring a models.py, as IMHO it

Re: Should user passwords be more strict?

2011-09-13 Thread Paul McMillan
I'm happy you're concerned about this, but suggest you search the archives for similar material so that new threads can contribute new content. This search is probably a fantastic starting point for your reading pleasure: