Added http basic authentication to results resources #214
4e99009 to 4fe2f99
I'm aware of the failure in tests due to the missing override_settings in Django 1.6.11. I'll attempt to port that portion of the test_utils unless there's a better option.
I have a separate request I wanted to merge that removes Django 1.6 from the CI build, dropping support basically. Let me merge that branch and you can then rebase.
Alright, you can rebase on current master.
This would work, though you are kind of re-implementing proper basic auth, which is usually not a good idea considering Django provides most of what you would need for that out of the box.
Ideally we can do something simpler that uses the Django backend. For example user_passes_test, or a custom backend that inherits from the default one.
2eca4c3 to fa4e9e8
- Added settings overrides to allow tests to pass
…d is_active check
A little Googling turned up implementations of decorators similar to the one in this PR. Other options involve modifying the webserver hosting the app which isn't an option in my case. I modified my PR to allow for other authentication methods to be used by adding the
- Also, named the logger and added some helpful logging
I can do that. I'd like to output a warning at startup though, and I would ask that you plan to break backwards compatibility in a near-future release. There are too many web applications that are insecure by default as it is.
- Also added warnings for potentially insecure configuration
Yeah, it makes sense to require that in a future release. I'd prefer to do that once there is a proper API, that for example allows API tokens. In any case, as-is, great addition, thanks!
This PR is intended to resolve #34.
HTTP Basic Auth is enabled for the results/add and results/add/json resources using a decorator. I also included a check for request.is_secure, conditioned on a setting so it's easier to test in deployment. Tests get an override to turn the setting off. I added two settings, REQUIRE_SECURE_AUTH as mentioned above, and ALLOW_ANONYMOUS_POST to toggle the auth check.
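The decorator this PR describes, written out as an added example (not the project's code): HTTP Basic auth gated by the REQUIRE_SECURE_AUTH and ALLOW_ANONYMOUS_POST settings, with password checking delegated to an authenticate(username, password) callable (standing in for Django's auth backend, as the review comment suggests) and an is_active check before the view runs. The User, make_request and fake_authenticate stand-ins, the "results.auth" logger name and the realm string are assumptions constructed for the example.

```python
import base64, binascii, hmac, logging, types
from collections import namedtuple
from functools import wraps

logger = logging.getLogger("results.auth")
SETTINGS = {"REQUIRE_SECURE_AUTH": True, "ALLOW_ANONYMOUS_POST": False}  # hypothetical names

def parse_basic_credentials(header):
    # Returns (username, password) from a Basic Authorization header, else None.
    scheme, _, encoded = (header or "").strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed header counts as "no credentials", not a server error
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None

def basic_auth_required(authenticate, settings=SETTINGS):
    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            if settings.get("ALLOW_ANONYMOUS_POST"):
                logger.warning("ALLOW_ANONYMOUS_POST is enabled; accepting unauthenticated request")
                return view(request, *args, **kwargs)
            if settings.get("REQUIRE_SECURE_AUTH") and not request.is_secure():
                return 403, "Basic credentials are only accepted over HTTPS"
            creds = parse_basic_credentials(request.headers.get("Authorization"))
            user = authenticate(*creds) if creds else None
            if user is None or not user.is_active:  # unknown user, wrong password or disabled
                return 401, {"WWW-Authenticate": 'Basic realm="results"'}
            request.user = user
            return view(request, *args, **kwargs)
        return wrapper
    return decorator

# Constructed stand-ins for Django's user model, authenticate() and request object.
User = namedtuple("User", "username is_active", defaults=[True])
_USERS = {"alice": ("s3cret", User("alice")), "bob": ("hunter2", User("bob", False))}
def fake_authenticate(username, password):
    pw, user = _USERS.get(username, (None, None))
    return user if pw is not None and hmac.compare_digest(pw, password) else None

def make_request(secure=True, authorization=None):
    headers = {"Authorization": authorization} if authorization else {}
    return types.SimpleNamespace(headers=headers, is_secure=lambda: secure)

@basic_auth_required(fake_authenticate)
def add_result(request):  # the protected view; request.user is absent on an anonymous post
    return 200, getattr(request, "user", User("anonymous")).username
```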