Add feature change "?edit" variable (and "?edit_off", "?build") to custom #3069
…stom variable (eq. "?admin_on") in project started with Django-CMS.
Please wait - I found a bug.
…variables "?CMS_ADMIN_TOOLBAR__EDIT_ON", "?CMS_ADMIN_TOOLBAR__EDIT_OFF", "?CMS_ADMIN_TOOLBAR__BUILD".
I fixed the bug: in the toolbar, live/draft mode was not changing. And I replaced many static URLs "?edit", "?edit_off" and "?build" with changeable variables.
Now I need a little time - I want a small refactoring for good code. I will write when I have finished it.
I finished the refactoring.
I'm not really sure I completely understand the need for this. It sounds like an edge case to me. Could you explain a little bit more how it could be used in various use cases?
I always "hide" the Django standard admin in
If your goal is only to change the /admin/ path, it can easily be done in your project's main Am I missing something else?
My goal is not to change the slug for the Django standard admin - I know how to do it (
In my local copy based on
Sorry, but it still seems to me that it is an edge case and I don't see how changing the name of a GET variable would strengthen security. Also, nobody should be putting the As on the "local copy" topic, travis tests are failing, and since they are failing, it is broken. Can someone else comment on this? Am I alone in thinking this is an edge case?
@itcrab, I'm glad you're working on this. In the days before django CMS 3.0, we could use django-admin-honeypot to address the issues you're attempting to deal with here. I would recommend that we retain, however, the existing log-in form at ?edit, but that this form does nothing, or better yet, just logs failed attempts (even if the credentials are correct), in a fashion similar to what django-admin-honeypot does. Otherwise, the hacker will quickly realise that she needs to look for another GET parameter to use.
@@ -208,13 +208,13 @@ def test_get_page_for_apphook_on_preview_or_edit(self): | |||
with self.login_user_context(superuser): | |||
with force_language("en"): | |||
path = reverse('sample-settings') | |||
request = self.get_request(path + '?edit') | |||
request = self.get_request(path + '?%s' % get_cms_setting('CMS_TOOLBAR_URL__EDIT_ON')) |
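Review bot: the replacement line calls `get_cms_setting('CMS_TOOLBAR_URL__EDIT_ON')` but this hunk does not show a corresponding import being added to the test module, so confirm that `get_cms_setting` is imported in apphooks.py or the test will fail with a NameError before it can assert anything. Also, the setting key used here, `CMS_TOOLBAR_URL__EDIT_ON`, differs from the `CMS_ADMIN_TOOLBAR__EDIT_ON` named in the commit message earlier in the thread; one name should be used consistently in code and documentation.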
Check if get_cms_setting has been imported in apphooks.py
There should probably also be some checks that these new settings aren't going to clash with other, legitimate GET params, like 'page'. There may be others that the CMS uses internally for cache-busting, etc.
I will try to summarize what we just said on IRC. First of all, it seems I was wrong and this is not really that much of an edge case, so my apologies for pushing this in the wrong direction. Second, if we need/want to strengthen the login form's security by adding some login spoofing / honeypotting, whatever name we give it, it should probably be an "all-in-one" feature that is easily enabled and fully documented. The description made by @mkoistinen should be enough to get the feature implemented.
OK, tests are failing and we would need better docs documenting the new settings.
@mkoistinen I think it's a good idea to log all failed login attempts. But I also think that this will need constant monitoring of logs, periodically or all the time. My customers (and not only mine) may not have the time needed for this task. My pull request partially solves this problem.
@mkoistinen Certainly, using the company name to give access to the toolbar I gave as an example, and for hackers I prepared a surprise (give another name, or company name plus salt).
My global idea - hide all administration zones on the site to give more security.
@mkoistinen How can I quickly get all reserved words for this functionality?
I added a notice to the docs.
I finished the work for this PR. My global goal is achieved (a positive customer URL for admin and a hidden administration interface for hackers). Logging events for the login form in the toolbar somebody can make in another PR.
LGTM |
To address an earlier point made:
In an ideal world, django-CMS would ship with underscore ( |
@kezabelle All good points! I vote that once we get this "magic strings" PR committed, we set the defaults to 'cms-edit', 'cms-edit-off' and 'cms-build'.
@mkoistinen I may set the defaults for: Need?
@mkoistinen And the developer may redefine this in his
Could you add a note to the changelog? Besides this, everything looks good to me. Changing the defaults: not at this moment... maybe for 3.1
@digi604 Yes, wait a moment.
@digi604 I rebase my fork branch
In my changelog have only I wanted merge P.S. Sorry - it's my first time working when the forked repo is out of date in my fork.
@digi604 I see in my repo master branch - in in only
…ttings.py" to "get_cms_setting()".
@digi604 Wait, I found how to do this.
…-login-to-admin' into feature/change-edit-variable-for-login-to-admin
@digi604 I finished the work.
@digi604 All tests passed!
…-login-to-admin Add feature change "?edit" variable (and "?edit_off", "?build") to custom
I added small changes to allow changing the "?edit" variable (and "?edit_off", "?build") to a custom variable (e.g. "?admin_on") in a project started with Django-CMS. I need it for hiding the login form on sites from "hackers" and to make our customer happy (change the variable to the company name).
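The three ideas discussed in this thread (configurable GET parameter names for the toolbar, a check that they do not clash with other GET parameters such as 'page', and keeping a "?edit" form that only logs probes) fit together in one small piece of logic. The following is an added example written for this page, not django CMS code: `get_cms_setting` is a stand-in that mimics the shape of the real helper so the snippet runs without Django, the `TOOLBAR_URL__*` keys follow the names seen in the diff above, and the reserved-parameter list and the `honeypot` mode are assumptions that follow the thread's suggestions.

```python
"""Configurable toolbar GET parameter names with a clash check and a
legacy-name honeypot. Added example; not django CMS code."""
import logging
from urllib.parse import parse_qs, urlsplit

log = logging.getLogger("cms.toolbar")

# Defaults matching the historical "?edit" family of parameters.
DEFAULTS = {
    "TOOLBAR_URL__EDIT_ON": "edit",
    "TOOLBAR_URL__EDIT_OFF": "edit_off",
    "TOOLBAR_URL__BUILD": "build",
}

# Constructed list of GET parameter names the site already uses for other
# purposes (assumption); a real project would extend it, e.g. with
# pagination or cache-busting keys.
RESERVED_GET_PARAMS = {"page", "preview", "language"}


def get_cms_setting(name, overrides=None):
    """Stand-in for django CMS's get_cms_setting(): a project-level
    CMS_<name> override wins over the built-in default."""
    overrides = overrides or {}
    return overrides.get("CMS_" + name, DEFAULTS[name])


def validate_toolbar_params(overrides=None):
    """Resolve the three parameter names and reject a configuration that
    reuses a reserved GET parameter or gives two modes the same name."""
    names = {n: get_cms_setting(n, overrides) for n in DEFAULTS}
    for setting, value in names.items():
        if value in RESERVED_GET_PARAMS:
            raise ValueError(
                "CMS_%s=%r clashes with a reserved GET parameter" % (setting, value))
    if len(set(names.values())) != len(names):
        raise ValueError("toolbar GET parameter names must be distinct")
    return names


def toolbar_mode(url, overrides=None, honeypot=True):
    """Classify a request URL as 'edit_on', 'edit_off', 'build',
    'honeypot' or None.

    'honeypot' is returned when the project renamed the edit parameter but
    the request still carries the legacy '?edit': nothing is enabled and the
    attempt is only logged (assumed behaviour, following the thread)."""
    names = validate_toolbar_params(overrides)
    # keep_blank_values keeps bare '?edit' (no '=value') in the result.
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for mode, setting in (("edit_on", "TOOLBAR_URL__EDIT_ON"),
                          ("edit_off", "TOOLBAR_URL__EDIT_OFF"),
                          ("build", "TOOLBAR_URL__BUILD")):
        if names[setting] in query:
            return mode
    if honeypot and names["TOOLBAR_URL__EDIT_ON"] != "edit" and "edit" in query:
        log.warning("toolbar login probe with legacy parameter on %s", url)
        return "honeypot"
    return None


if __name__ == "__main__":
    # Constructed project settings renaming all three parameters.
    project = {
        "CMS_TOOLBAR_URL__EDIT_ON": "admin_on",
        "CMS_TOOLBAR_URL__EDIT_OFF": "admin_off",
        "CMS_TOOLBAR_URL__BUILD": "admin_build",
    }
    for u in ("/en/sample/?admin_on", "/en/sample/?edit", "/en/sample/?page=3"):
        print(u, "->", toolbar_mode(u, project))
```

With the defaults, `?edit` still switches edit mode on; once a project renames the parameter, `?edit` no longer does anything except produce a log line, which is the behaviour @mkoistinen asked for, and a misconfiguration such as `CMS_TOOLBAR_URL__BUILD = "page"` is rejected at validation time rather than silently breaking pagination.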