Hi all,
There are a lot of projects for making django deployment easier (a few of
them are listed here: http://djangopackages.com/grids/g/deployment/ ) but
there is no clear winner, everybody has different preferences and
requirements. I think this all doesn't relate to development of django
On 12.09.2011 22:32, Carl Meyer wrote:
Sanity-checking the length sounds reasonable to me - do you mind opening
a ticket for this and attaching your patch?
Done ;)
Ticket:
https://code.djangoproject.com/ticket/16827
Patch:
https://github.com/django/django/pull/45
--
Kind regards.
On 12.09.2011, at 22:44, Carl Meyer wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Hi Gary,
>
> On 09/12/2011 12:04 AM, Gary Wilson Jr. wrote:
>> I'm a fan of not requiring a models.py, as IMHO it shouldn't be any
>> different than other common files found in an app e.g. urls.py,
Why doesn't the django test management command / test builder allow
fully-qualified package names instead of just app-relative ones?
At work we've been using the method below to monkey-patch the test
builder, so that
$ django-admin.py test my_module.my_app.tests.some_test_file
always works as
> Beyond that, what I am wondering is how much users will be able to understand
> how Django works if they can't do the installation.
Each year I accept foreign students for internship in my company and
most of them either never heard of Django or didn't bother to learn
how it works just to try
Agreed
On Wed, Sep 14, 2011 at 1:00 AM, h3 wrote:
>> Beyond that, what I am wondering is how much users will be able to understand
>> how Django works if they can't do the installation.
>
> Each year I accept foreign students for internship in my company and
> most of them
On Tue, Sep 13, 2011 at 10:00 AM, h3 wrote:
> Most of them were competent developers, but they didn't see the point
> of learning how to get started with Django because it seemed too
> complicated to setup and use for starters. So they preferred to stay
> in their comfort
Hello,
When a user tries to login on the admin, with correct username &
password, but is_staff is set to False, the error message is
misleadingly wrong:
"Please enter a correct username and password. Note that both fields
are case-sensitive."
Ticket 15567 deals with this and is currently marked
+1
On 9/13/11, Wim Feijen wrote:
> Hello,
>
> When a user tries to login on the admin, with correct username &
> password, but is_staff is set to False, the error message is
> misleadingly wrong:
>
> "Please enter a correct username and password. Note that both fields
> are
-1, This would leak information about the users (But I am sure that's
discussed at length in the other threads)
--
You received this message because you are subscribed to the Google Groups
"Django developers" group.
To view this discussion on the web visit
+1, if the user/pass is entered, that user is entitled to know what its own
permissions are.
The error should give "You have insufficient access to this page" or
something like that.
Cal
On Tue, Sep 13, 2011 at 6:12 PM, Florian Apolloner wrote:
> -1, This would leak
I can imagine several situations where you would like the user not to know
that, until they talk to an administrator.
-1 for me too, both giving away user info and giving info to the user that
would be better given by a talk to an administrator.
2011/9/13 Cal Leeming [Simplicity Media Ltd] <
+1 on making the error say more than incorrect username/password. That
is confusing. In regards to leaking information about the user. The
error message in general could be changed to something like this, of
course with better wording:
"Username and password incorrect or access to this page
Hi, thanks for your quick responses!
Flavio, Jan and Florian, it only "gives away information" when an
attacker guesses both the username and the password right.
But if he can guess those right, he could already access the user's
information using the normal login! So giving this message does not
+1 again.
If a correct username and password combination are given, the person
submitting the credentials should know that he doesn't have access
just like Cal pointed out. It's unfair and frustrating to say that the
combination is wrong
On 9/13/11, Cal Leeming [Simplicity Media Ltd]
On Tue, Sep 13, 2011 at 2:16 PM, Cal Leeming [Simplicity Media Ltd]
wrote:
> +1, if the user/pass is entered, that user is entitled to know what its own
> permissions are.
> The error should give "You have insufficient access to this page" or
> something like
On Sep 13, 8:24 pm, Adam Jenkins wrote:
> +1 on making the error say more than incorrect username/password. That
> is confusing. In regards to leaking information about the user. The
> error message in general could be changed to something like this, of
> course with
On Mon, Sep 12, 2011 at 2:10 PM, Reinout van Rees wrote:
> On 12-09-11 18:25, Florian Apolloner wrote:
>
>> On Monday, September 12, 2011 5:39:03 PM UTC+2, Reinout van Rees wrote:
>>
>>Addition: disallow attributes/methods starting with an underscore?
>>
>>That's a
Hi,
On Tuesday, September 13, 2011 7:42:24 PM UTC+2, Wim Feijen wrote:
>
> Flavio, Jan and Florian, it only "gives away information" when an
> attacker guesses both the username and the password right.
>
No! Assume the admin view is the only login view in your project (since it
only consists
On Tue, Sep 13, 2011 at 12:27 PM, Anssi Kääriäinen
wrote:
> On Sep 13, 8:24 pm, Adam Jenkins wrote:
> > +1 on making the error say more than incorrect username/password. That
> > is confusing. In regards to leaking information about the user. The
Hmm, actually my text was supposed to go below the quotes, but apparently
the new google interface is a bit buggy -- nevertheless I hope you still
understand the point I am trying to make even without correct quoting order…
On Tue, Sep 13, 2011 at 12:42 PM, Wim Feijen wrote:
> Hi, thanks for your quick responses!
>
> Flavio, Jan and Florian, it only "gives away information" when an
> attacker guesses both the username and the password right.
I think this is the correct approach. Give them the
On 13-09-11 20:33, Tobias McNulty wrote:
I love it when problems solve themselves :-)
That's a good point. Are there *any* methods in the CBVs that don't
take arguments, that also modify data? The only one that I found in the
list I'd initially proposed that can be called without
The correct approach is to give a "one size fits all" error message.
While security is important, so also is user experience.
On 9/13/11, Adam Jenkins wrote:
> On Tue, Sep 13, 2011 at 12:42 PM, Wim Feijen wrote:
>> Hi, thanks for your quick
-1
If a person brute forces your site and finds the correct username /
password they could try this on other sites (gmail, banking, etc..)
While it would make it a little more clear I think the implications
are too big.
On Sep 13, 3:14 pm, Adam Jenkins wrote:
> On Tue,
On Tue, Sep 13, 2011 at 11:24 AM, Adam Jenkins wrote:
> +1 on making the error say more than incorrect username/password. That
> is confusing. In regards to leaking information about the user. The
> error message in general could be changed to something like this, of
>
Hi folks --
I agree 100% with what Russ had to say on the ticket: leaking
information about admin accounts isn't OK, and we won't change that.
If someone would like to submit a patch with different wording that
covers all cases -- "this is an invalid user/password for admin
access" or somesuch
Ladies and gentlemen,
Thanks for all the feedback, a patch is in ticket 16837:
https://code.djangoproject.com/ticket/16837
Feel free to try and review the patch.
Best regards and for now, good night.
Wim
On 13 sep, 23:42, Jacob Kaplan-Moss wrote:
> Hi folks --
>
> I agree
Having just finished a discussion on security, I'd like to raise a
concern of mine.
By default, users can have a one-character password.
When their accounts get hacked, we suffer the consequences as well.
Should we be more strict in that?
Wim
On Tue, Sep 13, 2011 at 4:41 PM, Jannis Leidel wrote:
> On 12.09.2011, at 22:44, Carl Meyer wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> Hi Gary,
>>
>> On 09/12/2011 12:04 AM, Gary Wilson Jr. wrote:
>>> I'm a fan of not requiring a models.py, as IMHO it
I'm happy you're concerned about this, but suggest you search the
archives for similar material so that new threads can contribute new
content.
This search is probably a fantastic starting point for your reading pleasure: