more 'python manage.py check' docum

This commit is contained in:
2021-10-31 10:05:26 +02:00
parent 6d8c2f375d
commit a73c666415


@@ -242,6 +242,14 @@ and in addition to the [django] command list, you will now gets command lists fo
[contenttypes], [core], and [sessions]. These are the modules (plugins) loaaded into django.
[core] is the core of troggle (but not all of it: the input file parsers are not in [core]).
<p>Now:
<pre><code>python -Wall manage.py check </code></pre>
This loads the settings files and checks that all the Django packages and python libraries
imports all work. It gives warnings of deprecated Django which should be fixed.
You should not get any warnings on a fresh install on a new machine but you will
see warning and error messages when you are
trying to upgrade troggle to use later versions of Django.
<pre><code>python manage.py check -v 3 --traceback</code></pre>
Ideally this will list settings imports and then say<br>
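Review bot: the new paragraph under `python -Wall manage.py check` says "It gives warnings of deprecated Django" without saying that these come from the `-Wall` interpreter flag, which turns on Python warnings (deprecation warnings included) that are otherwise hidden; a reader who runs plain `manage.py check` will not see them. Suggest stating that the flag is what makes the deprecation warnings appear, so nobody drops it when copying the command. Smaller points in the same paragraph: "python libraries imports all work" reads better as "Python library imports all work", "warning and error messages" wants "warnings", and there is a stray space before `</code>`.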
@@ -255,14 +263,32 @@ Ensure that the path to the troggle/ directory is in the list.
It should be at the top, which is where the current working directory is.
<p>
Now:
<pre><code>python manage.py check -v 3 --deploy</code></pre>
which will give security warnings for deployment. Various middleware settings and
which will give security warnings for deployment. You will get various middleware settings
because we have not got https:// properly configured everywhere (we have unresolved issues with
the Django admin control panel and https:// in October 2021) and
a warning not to use DEBUG=true in deployment. We always have DEBUG=True set for troggle
as otherwise the users get useless error messages.
as otherwise the users get useless error messages. This is completely contrary to Django
official security advice.
<details>
<summary><em>Click triangle to see security warnings in detail</em></summary>
<font color="brown"><pre>
?: (security.W001) You do not have 'django.middleware.security.SecurityMiddleware'
in your MIDDLEWARE so the SECURE_HSTS_SECONDS, SECURE_CONTENT_TYPE_NOSNIFF,
SECURE_BROWSER_XSS_FILTER, and SECURE_SSL_REDIRECT settings will have no effect.
<pre><code>python -Wall manage.py check </code></pre>
Gives warnings of deprecated Django which should be fixed. You should not get any on a fresh install but youwill see this message when you are trying to upgrade troggle to use later versions of Django.
?: (security.W012) SESSION_COOKIE_SECURE is not set to True. Using a secure-only
session cookie makes it more difficult for network traffic sniffers to hijack user sessions.
?: (security.W016) You have 'django.middleware.csrf.CsrfViewMiddleware' in your
MIDDLEWARE, but you have not set CSRF_COOKIE_SECURE to True. Using a secure-only
CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.
?: (security.W018) You should not have DEBUG set to True in deployment. </pre></font>
</details>
<p>
If you got an error traceback with
<pre><code>python manage.py</code></pre>
then the settings registration of troggle with django is incomplete.
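Review bot: the sentence "We always have DEBUG=True set for troggle" now admits this is contrary to Django's security advice but stops there; it should state the consequence (with DEBUG on, any visitor who triggers an error is shown the traceback and settings detail on the error page) and either record why that is accepted or point to the alternative of keeping DEBUG off and getting the detail from logging or error e-mails. The text also puts the middleware warnings down to https:// not being configured, but the security.W001 shown in the details block says SecurityMiddleware is missing from MIDDLEWARE, which is a separate change and is the reason the listed SECURE_* settings have no effect; the explanation should mention both causes. "You will get various middleware settings" is missing the word "warnings", and "DEBUG=true" should be spelled "DEBUG=True" to match the next sentence and the actual Python setting.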