Session CSRF and some other minor refactors.

commit cfc59c12af4326db6a9670437bbf70090d5ef436 1 parent fead104
@zgohr authored
1  .gitignore
@@ -2,3 +2,4 @@
*.pyc
mycms.db
local.py
+app/static/
3  .gitmodules
@@ -0,0 +1,3 @@
+[submodule "bootstrap"]
+ path = bootstrap
+ url = git://github.com/twitter/bootstrap.git
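Review bot: The submodule URL uses the `git://` transport, which is neither authenticated nor encrypted, so the initial clone and every `submodule update` fetch the bootstrap tree over a path that can be redirected or tampered with in transit. Use the HTTPS URL instead, `url = https://github.com/twitter/bootstrap.git`. Because the `bootstrap` gitlink later in this commit pins a specific commit, git does verify the fetched objects against that hash, so the main exposure is when the pin is moved; GitHub has in any case since disabled the `git://` protocol entirely, so this URL will no longer resolve.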
0  app/base/__init__.py
No changes.
25 app/base/static/crossdomain.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0"?>
+<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
+<cross-domain-policy>
+
+
+<!-- Read this: www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html -->
+
+<!-- Most restrictive policy: -->
+ <site-control permitted-cross-domain-policies="none"/>
+
+
+
+<!-- Least restrictive policy: -->
+<!--
+ <site-control permitted-cross-domain-policies="all"/>
+ <allow-access-from domain="*" to-ports="*" secure="false"/>
+ <allow-http-request-headers-from domain="*" headers="*" secure="false"/>
+-->
+<!--
+ If you host a crossdomain.xml file with allow-access-from domain="*"
+ and don’t understand all of the points described here, you probably
+ have a nasty security vulnerability. ~ simon willison
+-->
+
+</cross-domain-policy>
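Review bot: This policy file lives under `app/base/static/`, so with the `STATICFILES_FINDERS` added in `app/settings/base.py` it would be collected and served under the static URL prefix rather than at the site root, which is the only place Flash/Silverlight clients look for a master policy file; unless a root URL route serves it (not visible in this commit), the file has no effect. The same applies to `robots.txt` and `humans.txt` in the same directory. The content itself, `permitted-cross-domain-policies="none"`, is the restrictive default and is the right choice; worth a short comment at the top noting that it must be exposed at `/crossdomain.xml` to take effect.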
43 app/base/static/humans.txt
@@ -0,0 +1,43 @@
+/* the humans responsible & colophon */
+/* humanstxt.org */
+
+
+/* TEAM */
+ <your title>: <your name>
+ Site:
+ Twitter:
+ Location:
+
+/* THANKS */
+ Names (& URL):
+
+/* SITE */
+ Standards: HTML5, CSS3
+ Components: Modernizr, jQuery
+ Software:
+
+
+
+ -o/-
+ +oo//-
+ :ooo+//:
+ -ooooo///-
+ /oooooo//:
+ :ooooooo+//-
+ -+oooooooo///-
+ -://////////////+oooooooooo++////////////::
+ :+ooooooooooooooooooooooooooooooooooooo+:::-
+ -/+ooooooooooooooooooooooooooooooo+/::////:-
+ -:+oooooooooooooooooooooooooooo/::///////:-
+ --/+ooooooooooooooooooooo+::://////:-
+ -:+ooooooooooooooooo+:://////:--
+ /ooooooooooooooooo+//////:-
+ -ooooooooooooooooooo////-
+ /ooooooooo+oooooooooo//:
+ :ooooooo+/::/+oooooooo+//-
+ -oooooo/::///////+oooooo///-
+ /ooo+::://////:---:/+oooo//:
+ -o+/::///////:- -:/+o+//-
+ :-:///////:- -:/://
+ -////:- --//:
+ -- -:
4 app/base/static/robots.txt
@@ -0,0 +1,4 @@
+# www.robotstxt.org/
+# http://code.google.com/web/controlcrawlindex/
+
+User-agent: *
33 app/settings/base.py
@@ -47,6 +47,13 @@
# calendars according to the current locale
USE_L10N = True
+USE_TZ = True
+
+STATICFILES_FINDERS = (
+ 'django.contrib.staticfiles.finders.FileSystemFinder',
+ 'django.contrib.staticfiles.finders.AppDirectoriesFinder',
+)
+
# Absolute filesystem path to the directory that will hold user-uploaded files.
# Example: "/home/media/media.lawrence.com/"
MEDIA_ROOT = os.path.join(PROJECT_DIR, 'media')
@@ -77,8 +84,8 @@
MIDDLEWARE_CLASSES = (
'django.middleware.common.CommonMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
- 'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
+ 'session_csrf.CsrfMiddleware', # Must be after auth middleware
'django.contrib.messages.middleware.MessageMiddleware',
'cms.middleware.page.CurrentPageMiddleware',
'cms.middleware.user.CurrentUserMiddleware',
@@ -91,6 +98,7 @@
'django.core.context_processors.request',
'django.core.context_processors.media',
'django.core.context_processors.static',
+ 'session_csrf.context_processor',
'cms.context_processors.media',
'sekizai.context_processors.sekizai',
)
@@ -112,7 +120,11 @@
'django.contrib.sites',
'django.contrib.messages',
'django.contrib.admin',
+ 'django.contrib.admindocs',
+ 'django.contrib.markup',
+ 'django.contrib.humanize',
'django.contrib.staticfiles',
+ 'session_csrf',
'cms',
'menus',
'mptt',
@@ -124,6 +136,25 @@
'cms.plugins.snippet',
'cms.plugins.googlemap',
'sekizai',
+ 'app.base',
+)
+
+PASSWORD_HASHERS = (
+ 'django.contrib.auth.hashers.BCryptPasswordHasher',
+ 'django.contrib.auth.hashers.PBKDF2PasswordHasher',
+ 'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
+ 'django.contrib.auth.hashers.SHA1PasswordHasher',
+ 'django.contrib.auth.hashers.MD5PasswordHasher',
+ 'django.contrib.auth.hashers.CryptPasswordHasher',
)
+SESSION_COOKIE_HTTPONLY = True
+
+SESSION_COOKIE_SECURE = False
+
+JINGO_EXCLUDE_APPS = [
+ 'admin',
+ 'admindocs',
+]
+
WSGI_APPLICATION = 'app.wsgi.application'
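Review bot: `SESSION_COOKIE_SECURE = False` in the shared base settings sends the session cookie over plain HTTP, and with django-session-csrf the CSRF token is kept in the session (as the package name suggests; confirm against its docs), so that cookie is now also the CSRF secret. Prefer the safe default here, `SESSION_COOKIE_SECURE = True`, and override it to False only in the gitignored `local.py` for HTTP development. The new `PASSWORD_HASHERS` tuple would also benefit from a one-line comment explaining why the weak entries are kept: `# BCrypt hashes new passwords; the SHA1/MD5/crypt entries only verify and upgrade legacy hashes`.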
10 app/urls.py
@@ -1,13 +1,13 @@
from django.conf import settings
from django.conf.urls.defaults import include, patterns
-#from session_csrf import anonymous_csrf
+from session_csrf import anonymous_csrf
from django.contrib import admin
admin.autodiscover()
# django-session-csrf monkeypatcher
-#import session_csrf
-#session_csrf.monkeypatch()
+import session_csrf
+session_csrf.monkeypatch()
def bad(request):
@@ -15,10 +15,10 @@ def bad(request):
1 / 0
urlpatterns = patterns('',
- (r'', include('cms.urls')),
(r'^admin/doc/', include('django.contrib.admindocs.urls')),
- #(r'^admin/$', anonymous_csrf(admin.site.admin_view(admin.site.index))),
+ (r'^admin/$', anonymous_csrf(admin.site.admin_view(admin.site.index))),
(r'^admin/', include(admin.site.urls)),
+ (r'', include('cms.urls')),
#url(r'^', include('debug_toolbar_user_panel.urls')),
(r'^bad/$', bad),
)
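Review bot: The `bad` view (its `def` line closes the first hunk and its `1 / 0` body opens the second) stays routed at `^bad/$`, giving any visitor an endpoint that raises on demand; with `DEBUG = True` that serves the technical 500 page, and in production it is a free error generator. Since `settings` is already imported at the top of the file, either drop the route before deployment or add it only in development, e.g. `if settings.DEBUG:` followed by `urlpatterns += patterns('', (r'^bad/$', bad))`. The `session_csrf.monkeypatch()` call now runs at import time of `urls.py`; a comment saying it must execute before the admin URLs are included would make that ordering dependency explicit.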
1  bootstrap
@@ -0,0 +1 @@
+Subproject commit 6506ede6323ee60d4d7f8171937d92141a64e09e
3  requirements/dev.txt
@@ -0,0 +1,3 @@
+-r prod.txt
+
+# Add things necessary for testing here
4 requirements.txt → requirements/prod.txt
@@ -14,3 +14,7 @@ django-sekizai==0.5
docutils==0.8.1
html5lib==0.95
wsgiref==0.1.2
+
+# Security
+django-session-csrf
+py-bcrypt
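Review bot: The two new entries `django-session-csrf` and `py-bcrypt` are the only unpinned lines in a file where everything else is pinned (`docutils==0.8.1`, `html5lib==0.95`, `wsgiref==0.1.2`), so each install resolves to whatever the index serves that day and an upstream release can silently change CSRF or password-hashing behaviour. Pin them like the rest, `django-session-csrf==<version in use>` and `py-bcrypt==<version in use>`, and bump them deliberately. Because `requirements/dev.txt` pulls this file in with `-r prod.txt`, the pins carry over to development installs as well.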