Complete rewrite with a focus on security

The old design was based on a lot of untested behavior that has since been included in Django itself, including proper testing and security oversight. This refactoring uses those new tools and aims to greatly simplify the overall design. This simplification should keep potential exposior to a minimum. As a result almost all settings have been dropped, infavor of a simple permission callback and a notification template. Both can be overriden in a users application to customize behavior as need. The documenation is completly rewritten too. It may server as a good starting point to understand this change. Changes in a nutshell: * Add Material style snackback notification * Use permission callbacks instead of settings * Provide permission callback for convenience * Render and inject notification via middleware * Use Django class based views and mixins for permission handling * Update the documentation to reflect new design * Compile gettext messages during release * Switch to SCSS and compile during release * Add msgcheck linter for translations * Add styleling as a SCSS linter * Update translations Co-Authored-By: Pavel Torbeev <p.torbeev@gmail.com>
django-hijack · Mar 7, 2021 · 4e5649b · 4e5649b
1 parent 449ee71
commit 4e5649b
Show file tree

Hide file tree

Showing 91 changed files with 6,113 additions and 1,954 deletions.
diff --git a/.editorconfig b/.editorconfig
@@ -14,5 +14,15 @@ max_line_length = 88
 [*.{js,json,yml,yaml}]
 indent_size = 2
 
+[*.{scss,sass,css}]
+indent_size = 2
+
+[*.{html,xhtml,htm}]
+indent_size = 2
+
 [LICENSE]
 insert_final_newline = false
+
+[Makefile]
+indent_style = tab
+indent_size = 4
diff --git a/.gitattributes b/.gitattributes
@@ -0,0 +1 @@
+package-lock.json binary
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,7 +1,14 @@
 version: 2
 updates:
-  - package-ecosystem: "pip"
-    directory: "/"
-    schedule:	
-      interval: "daily"
-    open-pull-requests-limit: 100
+- package-ecosystem: pip
+  directory: "/"
+  schedule:
+    interval: daily
+- package-ecosystem: npm
+  directory: "/"
+  schedule:
+    interval: monthly
+- package-ecosystem: github-actions
+  directory: "/"
+  schedule:
+    interval: daily
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -8,11 +8,26 @@ on:
 
 jobs:
 
+  msgcheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v2
+      - run: sudo apt install -y gettext aspell libenchant-dev
+      - uses: actions/cache@v2
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+      - run: python -m pip install -r requirements.txt
+      - run: make msgcheck
+
   lint:
     strategy:
       fail-fast: false
       matrix:
-        lint-command: 
+        lint-command:
           - "bandit -r hijack -x hijack/tests"
           - "black --check --diff ."
           - "flake8 ."
@@ -40,11 +55,21 @@ jobs:
       - run: python setup.py sdist bdist_wheel
       - run: python -m twine check dist/*
 
+  stylelint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/setup-node@v2.1.5
+      - uses: actions/checkout@v2
+      - run: npm ci
+      - run: npm run lint:scss
+
   pytest:
     runs-on: ubuntu-latest
     needs:
       - dist
       - lint
+      - stylelint
+      - msgcheck
     strategy:
       matrix:
         python-version:
@@ -66,6 +91,8 @@ jobs:
       run: python -m pip install --upgrade pip setuptools wheel codecov
     - name: Install Django ${{ matrix.django-version }}
       run: python -m pip install django~=${{ matrix.django-version }}
+    - uses: actions/setup-node@v2
+    - run: make static
     - name: Run tests
       run: python setup.py test
     - run: codecov
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -8,12 +8,11 @@ jobs:
   PyPI:
     runs-on: ubuntu-latest
     steps:
+      - run: sudo apt install -y gettext
       - uses: actions/setup-python@v2
+      - uses: actions/setup-node@v2
       - uses: actions/checkout@v2
-      - name: Install Python dependencies
-        run: python -m pip install --upgrade pip setuptools wheel twine
-      - name: Build dist packages
-        run: python setup.py sdist bdist_wheel
+      - run: make dist
       - name: Upload packages
         run: python -m twine upload dist/*
         env:

diff --git a/.gitignore b/.gitignore
@@ -64,4 +64,13 @@ docs/_build/
 target/
 
 # IDE
-.idea/
+.idea/
+
+# Node
+node_modules/
+
+# GNU gettext binaries
+*.mo
+
+# minified static files
+*.min.*
diff --git a/.stylelintrc.json b/.stylelintrc.json
@@ -0,0 +1,6 @@
+{
+  "extends": "stylelint-config-standard",
+  "plugins": [
+    "stylelint-scss"
+  ]
+}
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
diff --git a/LICENSE b/LICENSE
@@ -1,5 +1,5 @@
 The MIT License (MIT)
-Copyright (c) 2013 arteria GmbH
+Copyright (c) 2021 arteria GmbH and individual contributors.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the "Software"), to deal in

diff --git a/MANIFEST.in b/MANIFEST.in
@@ -1,3 +1,5 @@
 prune .github
 exclude .gitignore
 exclude requirements.txt
+include hijack/locale/*/LC_MESSAGES/django.mo hijack/static/hijack/hijack.min.css
+
diff --git a/Makefile b/Makefile
@@ -0,0 +1,29 @@
+MSGLANGS = $(wildcard hijack/locale/*/LC_MESSAGES/*.po)
+MSGOBJS = $(MSGLANGS:.po=.mo)
+
+.PHONY: gettext gettext-clean msgcheck translations static dist clean
+
+translations:
+	(cd hijack && django-admin makemessages --all --no-obsolete)
+
+gettext: $(MSGOBJS)
+
+gettext-clean:
+	-rm $(MSGOBJS)
+
+%.mo: %.po
+	msgfmt --check-format --check-domain --statistics -o $@ $*.po
+
+msgcheck:
+	msgcheck -n $(MSGLANGS)
+
+static:
+	npm ci
+	npm run build
+
+dist: static gettext
+	python -m pip install --upgrade pip setuptools wheel twine
+	python setup.py sdist bdist_wheel
+
+clean: gettext-clean
+	-rm -rf dist build .eggs
diff --git a/README.md b/README.md
@@ -4,7 +4,7 @@
 [![codecov](https://codecov.io/gh/django-hijack/django-hijack/branch/master/graph/badge.svg?token=zX0nCDRJDj)](https://codecov.io/gh/django-hijack/django-hijack)
 [![PyPI](https://img.shields.io/pypi/v/django-hijack)](https://pypi.org/project/django-hijack/)
 
-![Screenshot of the notification seen while hijacking another user.](https://github.com/django-hijack/django-hijack/raw/master/docs/hijacker-screenshot.png)
+![Screenshot of the notification seen while hijacking another user.](https://github.com/django-hijack/django-hijack/raw/master/docs/django-hijack.jpg)
 
 With Django Hijack, admins can log in and work on behalf of other users without having to know their credentials.
 

diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1 @@
+docs/security.md
diff --git a/docs/about.md b/docs/about.md