From ccd386ff4e2ed974c61b2f5503bce837fa0c2523 Mon Sep 17 00:00:00 2001
From: Philip Sargent
Date: Tue, 12 Apr 2022 22:42:36 +0300
Subject: [PATCH] Better error message with permissions problems
---
 _deploy/wsl/localsettingsWSL.py | 2 +-
 pre-push.sh | 10 +++++++++-
 security-warnings.txt | 3 ++-
 3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/_deploy/wsl/localsettingsWSL.py b/_deploy/wsl/localsettingsWSL.py
index 0a8dfc2..2673b99 100644
--- a/_deploy/wsl/localsettingsWSL.py
+++ b/_deploy/wsl/localsettingsWSL.py
@@ -30,7 +30,7 @@ print(" * importing troggle/localsettings.py")
 SECRET_KEY = "real-SECRET_KEY--imported-from-localsettings.py"
 EXPOUSERPASS = "nnn:gggggg - real-expo-password---imported-from-localsettings.py"
-EXPOADMINUSERPASS = "gggggg:nnn" #- real-expo-password---imported-from-localsettings.py"
+EXPOADMINUSERPASS = "gggggg:nnn - real-expo-password---imported-from-localsettings.py"
 EMAIL_HOST_PASSWORD = "real-email-password---imported-from-localsettings.py"
 EXPOFILESREMOTE = True # if True, then re-routes urls in expofiles to remote sever. Tests are then less accurate.
diff --git a/pre-push.sh b/pre-push.sh
index b3c2638..e350e6a 100644
--- a/pre-push.sh
+++ b/pre-push.sh
@@ -1,10 +1,17 @@
 #! /bin/sh
 # create and sanitise files for pushing to repo
 # catatrophically forgot to sanitize localsettingsWSL.py - oops.
-# Philip Sargent 2021/10/23
+
+#Make sure you have the WSL permissions system working, or you will push unsanitized files as this will fail
+# Philip Sargent 2022/04/12
 echo deprecations.
 python -Wall manage.py check -v 3 2>deprecations.txt >/dev/null
 echo diffsettings.
+rm diffsettings.txt
+if test -f "diffsettings.txt"; then
+ echo "diffsettings.txt not deleted. You have a serious permissions problem. Aborting.."
+ exit
+fi
 python manage.py diffsettings | grep "###" > diffsettings.txt
 echo pip freeze.
 pip freeze > requirements.txt 
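Review bot: The SECRET_KEY placeholder on the context line just above the changed EXPOADMINUSERPASS line is 47 characters long, which is exactly what Django's check reports as security.W009 — the warning this same commit records in security-warnings.txt — so the finding presumably comes from running the check against this sanitised template rather than a production key. A comment on that line would stop the warning being misread as a deployed-site weakness, e.g. `SECRET_KEY = "real-SECRET_KEY--imported-from-localsettings.py"  # sanitised placeholder; under 50 chars, so manage.py check reports security.W009`. Conversely, if security-warnings.txt was produced with the real settings loaded, the real key is too short and should be regenerated rather than annotated.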
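Review bot: The bare `exit` on the new abort path returns the status of the preceding `echo`, i.e. 0, so a caller — and git itself, if this script is wired as a pre-push hook — sees success and the push proceeds with the unsanitised files the new comment warns about; it should be `exit 1`. `rm diffsettings.txt` also prints an error on a checkout where the file does not yet exist, which makes the permissions check noisy for the wrong reason; `rm -f diffsettings.txt` keeps the subsequent `test -f` meaningful. The same silent-success problem applies to the sanitising `sed -i` steps later in the script (outside this hunk): a `set -e` after the shebang, or an explicit status check on each, would make a permissions failure abort before the later `mv` into `_deploy/wsl` rather than fall through.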
@@ -30,6 +37,7 @@ sed -i '/SECRET_KEY/ s/^.*$/SECRET_KEY = "real-SECRET_KEY--imported-from-localse
 sed -i '/SECRET_KEY/ s/^.*$/SECRET_KEY = "real-SECRET_KEY--imported-from-localsettings.py"/' localsettingsWSL.py
 echo " reset: SECRET_KEY = \"real-SECRET_KEY--imported-from-localsettings.py\""
+mv _deploy/wsl/localsettingsWSL.py _deploy/wsl/localsettingsWSL.py.bak
 mv localsettingsWSL.py _deploy/wsl
 #
 # Do these before final testing, *not* just before pushing:
diff --git a/security-warnings.txt b/security-warnings.txt
index 11f4f2c..c9c248e 100644
--- a/security-warnings.txt
+++ b/security-warnings.txt
@@ -2,8 +2,9 @@ System check identified some issues:
 WARNINGS:
 ?: (security.W001) You do not have 'django.middleware.security.SecurityMiddleware' in your MIDDLEWARE so the SECURE_HSTS_SECONDS, SECURE_CONTENT_TYPE_NOSNIFF, SECURE_BROWSER_XSS_FILTER, SECURE_REFERRER_POLICY, and SECURE_SSL_REDIRECT settings will have no effect.
+?: (security.W009) Your SECRET_KEY has less than 50 characters, less than 5 unique characters, or it's prefixed with 'django-insecure-' indicating that it was generated automatically by Django. Please generate a long and random SECRET_KEY, otherwise many of Django's security-critical features will be vulnerable to attack.
 ?: (security.W012) SESSION_COOKIE_SECURE is not set to True. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.
 ?: (security.W016) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE, but you have not set CSRF_COOKIE_SECURE to True. Using a secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.
 ?: (security.W018) You should not have DEBUG set to True in deployment.
-System check identified 4 issues (0 silenced).
+System check identified 5 issues (0 silenced).
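Review bot: The new `mv` leaves `_deploy/wsl/localsettingsWSL.py.bak` inside the tracked tree, and none of the three files in this commit excludes it, so the backup itself becomes a candidate for committing; if the previous template had ever been left unsanitised, that copy now travels with the repo. Either write the backup outside the working tree or add `*.bak` to the ignore list, and check the move's status — `mv _deploy/wsl/localsettingsWSL.py _deploy/wsl/localsettingsWSL.py.bak || exit 1` — so a failed backup does not silently fall through to the `mv localsettingsWSL.py _deploy/wsl` on the next line. A short comment saying what the .bak is for and when it is safe to delete would also help the next person who finds it.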