I feel like the interface for authentication backends is unnecessarily
complex: Basically, you only need authenticate() and has_perm(), but
currently the interface also includes get_group_permissions(),
get_all_permissions(), and has_module_perms().
The architecture is like this: User inherits fro
Wouldn't one alternative be checking the Origin header? It appears though
that all browsers support it with the sad exception that it is still behind
a feature flag in Firefox. :/
(https://bugzilla.mozilla.org/show_bug.cgi?id=1424076)
On Saturday, November 10, 2018 at 1:03:08 AM UTC+1, Adam Joh
Hi,
settings.SECRET_KEY can be used for sessions, password resets, form wizards and
other cryptographic signatures via the signing APIs. Changing SECRET_KEY means
that all of those will be invalidated and the users will be affected in weird
ways without really knowing what happened. (Why am I logg
I don't see how this would work.
For example the session. You take the user cookie. You try to validate with
your secret key. That doesn't work because the current key is the new one.
With a custom cookie backend, you could check if the old secret could
validate the cookie. But you need to change
Hi Andreas
I like your proposal, moving to a backend is an elegant way of solving both
the immediate problem and opening up the other possibilities you mentioned.
I think it would also be nice to have an "out of the box" way of rotating
the key, without needing to implement a custom backend. Perh
I would think that feature flag rules it out for a long time?
On Sat, 10 Nov 2018 at 09:52, Florian Apolloner
wrote:
> Wouldn't one alternative be checking the Origin header? It appears though
> that all browsers support it with the sad exception that it is still behind
> a feature flag in Firef
Do you have an example? If you're using Django's default testing framework,
it normally creates a fresh database, so from the moment a new data
migration is written it would be tested with the empty database scenario.
Afaiu it is possible to write RunPython operations in a way that no-ops on
empty
> On 10 Nov 2018, at 13:00, ludovic coues wrote:
>
> I don't see how this would work.
>
> For example the session. You take the user cookie. You try to validate with
> your secret key. That doesn't work because the current key is the new one.
>
> With a custom cookie backend, you could chec
On 10 Nov 2018, at 13:29, Adam Johnson wrote:
>
> Hi Andreas
>
> I like your proposal, moving to a backend is an elegant way of solving both
> the immediate problem and opening up the other possibilities you mentioned.
Thanks Adam, I am glad you like the proposal. :)
> I think it would also b
Not necessarily, one could still use the Origin header in cases where
software strips the Referer, and if you set the Referrer-Policy to
same-origin you shouldn't have problems with Firefox either.
On Saturday, November 10, 2018 at 1:42:41 PM UTC+1, Adam Johnson wrote:
>
> I would think that fea
Maybe a LoFi way to accomplish this is just to make sure that the
SECRET_KEY is cast to bytes() before use. That way, a non-bytes object
placed there during settings will be asked to convert it to bytes before
use. I use the same trick with an internal module that retrieves database
passwords f
On 08/11/2018 12:00, Carlton Gibson wrote:
> Perhaps you could put docs changes you'd make in a third PR (or
> ticket if you like, to discuss the outline)? (Maybe one PR with three
> commits makes it easier to review as a whole.)
I created a pull request with some changes, mostly related to docume
Week ending November 10, 2018
Triaged
---
https://code.djangoproject.com/ticket/29921 - Default BooleanField.required
different from Django 2.0 when using choices (invalid)
https://code.djangoproject.com/ticket/29928 - TestCase doesn't check for
foreign key constraints when using sqlite
Hi devs,
Any update on this? Would like to know your thoughts
Thanks,
Mani
On Sun, Oct 28, 2018 at 1:28 AM Mani S wrote:
> Django's F objects does not perform JSON lookups. A ticket has been raised
> for the same https://code.djangoproject.com/ticket/29769
>
> I have written a customer expre
Hello,
I think this is a great idea.
As suggested by others, an even better default implementation would be:
from django.conf import settings


class SecretKeysBackend:
    def get_signing_key(self):
        # When SECRET_KEY is a list/tuple, the first entry is the current
        # signing key; the remaining entries are older keys kept for verification.
        if isinstance(settings.SECRET_KEY, (list, tuple)):
            return settings.SECRET_KEY[0]
        else:
            return settings.SECRET_KEY