New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable user app routes when DEBUG is True only #1761
Conversation
You forgot about https://github.com/pydanny/cookiecutter-django/blob/master/%7B%7Bcookiecutter.project_slug%7D%7D/config/urls.py#L18 : gotta decide how it should be taken care of. |
- Redirect after login now goes to home instead of user app
@webyneter Indeed I have. Also the |
I agree I think it would be best just to check if the from django.http import Http404
from django.utils.translation import gettext as _
class OnlyMePermission:
def get_object(self, queryset=None):
obj = super().get_object(queryset=queryset)
if not obj == self.request.user:
if queryset is None:
queryset = self.get_queryset()
raise Http404(_("No %(verbose_name)s found matching the query") %
{'verbose_name': queryset.model._meta.verbose_name})
return obj
class UserDetailView(LoginRequiredMixin, OnlyMePermission, DetailView):
model = User
slug_field = "username"
slug_url_kwarg = "username"
def get_object(self):
return User.objects.get(username=self.request.user.username) will always return the correct user. |
@luzfcb Thank you for your input. What you propose does indeed resolve the exposure issue. What we can achieve with that, is to make the user app operational, in its current state, to only the authorized user. However, since this app's purpose is to demonstrate the functionality, and a developer is expected to modify it to his/her own needs, I believe that just keeping it operational in the local environment only is enough. Functionality like the user list, only makes sense in the local environment anyway. |
On this, maybe we could restrict the list view to staff using django-brances' StaffuserRequiredMixin? |
LGTM |
{{cookiecutter.project_slug}}/{{cookiecutter.project_slug}}/users/urls.py
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The build fails currently, looks like it's not run in debug mode?
@@ -1,3 +1,4 @@ | |||
from django.conf import settings |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is unused, please remove.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Indeed. Will do.
@browniebroke Yes, tests fail because However, I am wondering if this is the preferred way to do this. If I am not mistaken, I noticed that the effects of |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's most likely because we use pytest and that decorator is for unittests. Could you try using pytest-django fixture for editing settings instead?
https://pytest-django.readthedocs.io/en/latest/helpers.html#settings
@browniebroke I see. I have spent some time to fix this, but I am having some trouble since I never used pytest before. What does |
Ah, yes, that can be confusing if you never used pytest. It's a pytest fixture, and the user one is defined here: When a test function argument matches a fixture name, pytest injects it into your test as argument. The By convention, custom fixtures are defined in a file called |
@browniebroke Thank you for the detailed explanation. The only issue I see here is that the So I believe that would overwrite the |
Have you tried to change it to:
|
@browniebroke Actually I have, but I named it |
Stupid question: is there anything preventing us from setting |
@browniebroke Well, the default settings for testing define |
I genuinely don't know why or if As a side note, the build status is green although the tests failed in Travis, I don't think it's related to this PR, but it's something we'll need to look at... |
I hoped to get some time to finally fix this in mainline, but... My guess is, you're stumbling upon the wrong configuration of [pytest]
; https://pytest-django.readthedocs.io/en/latest/configuring_django.html#order-of-choosing-settings
addopts = --ds=config.settings.test |
@browniebroke Indeed, I also noticed that Travis reports OK! A small update regarding this issue. I tried the following:
In all cases the tests, failed. I went ahead and printed out the import pytest
from django.conf import settings
pytestmark = pytest.mark.django_db
def test_user_get_absolute_url(user: settings.AUTH_USER_MODEL):
print(settings.DEBUG)
print(str(settings))
assert False
assert user.get_absolute_url() == f"/users/{user.username}/" In all cases, the return value I got was |
4e93806
to
e35c1fd
Compare
# Conflicts: # {{cookiecutter.project_slug}}/config/settings/base.py # {{cookiecutter.project_slug}}/config/urls.py
e35c1fd
to
f59554c
Compare
It looks like pytest is using the right setting file, though:
|
@browniebroke Thanks for helping out. Does your commit resolve the testing issue? I will try and get back on this PR as soon as possible. It shouldn't need much more effort. |
No, it doesn't (confirms one of your previous comment). |
Turns out |
After this last finding, I think it might be better to create a new setting, something along the lines of How about it being We should probably revert my last commit to set |
@browniebroke Agreed. Regarding the commit revert, I am not sure which is the best way to do it. |
a46992d
to
133aab2
Compare
I did a |
Even though we resolved the testing issue, I have to say that having that extra option seems like a workaround. Why would anyone want the User app as is in production? They shouldn't unless they modify it. If they do modify it, why would they need to enable it through the production.py settings? |
Would it be better to address the privacy issues specifically and directly instead of turning the whole app off? In particular I mean something along the lines of |
I agree, looking at how this pull request now, it doesn't feel like the right fix. I agree that the We can fix one easily, but the other requires further discussion. |
@browniebroke I think we should close this due to #2062 |
Agreed. Thanks for putting through the work in this anyway! |
Description
The user app exposes all users' details to any registered user. This was of course intentional, since the purpose of the user app is to demonstrate the functionality and not to be deployed in production as-is. However, a developer who is not familiar with the cookiecutter-django's structure, may overlook this and expose user information.
Therefore, the user app should only be enabled when
DEBUG == True
in the settings.Closes #1739, Closes #1752.
Rationale
Since
DEBUG = False
in production settings, even if the user app is left as-is, it will not be enabled and users' information will not be exposed.