Recently, I deployed a Django web app. However, when I'm accessing the admin page, I'm not getting the expected interface to add or remove a user from a certain group:
At the time of inspecting the page, I'm receiving the following messages:
Any idea about how to handle these errors?
Thanks!
Content Security Policies are usually controlled via middleware like django-csp. All the admin control JavaScript files are included as static files; no external libraries should be loaded, they should be on the same domain.
In order for CSP to allow loading these files, you need to add script-src 'self' (it's an alias for same-origin). Look inside settings.py for the CSP_SCRIPT_SRC keyword and append 'self' (the single quotation marks are required).
Note: if the CSP headers are added not by Django but by a reverse proxy such as nginx, then you should look at and fix the configuration settings there.
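To see why the admin page breaks and why the answer's setting fixes it, here is an added example (not code from the question, the answer or django-csp) that evaluates a Content-Security-Policy header the way a browser decides whether a same-origin script may load; the page URL, script path and sample headers are constructed, and host matching is simplified to exact origins.

```python
from typing import Dict, List
from urllib.parse import urlsplit

# django-csp setting from the answer; the tuple is joined into the header's
# script-src directive. The quotes around self are part of the value.
CSP_SCRIPT_SRC = ("'self'",)

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """script-src governs <script> loads; browsers fall back to default-src when it is absent."""
    return policy.get("script-src", policy.get("default-src", []))

def allows_script(header: str, page_url: str, script_url: str) -> bool:
    """Decide whether a page at page_url may load script_url under this header.

    Simplified matching (exact origin, scheme-source, '*' and 'self'; no wildcards,
    paths, nonces or hashes), enough to show why the admin's bundled JS was blocked.
    """
    page, script = urlsplit(page_url), urlsplit(script_url)
    same_origin = (page.scheme, page.hostname, page.port) == (script.scheme, script.hostname, script.port)
    for src in script_sources(parse_csp(header)):
        src = src.lower()
        if src == "'self'" and same_origin:
            return True
        if src == "*" or src == f"{script.scheme}:":
            return True
        if src == f"{script.scheme}://{script.netloc}":
            return True
    return False  # covers 'none', an empty source list and unmatched hosts

# Constructed sample: the admin page and one of its own static scripts.
ADMIN_PAGE = "https://example.com/admin/"
ADMIN_JS = "https://example.com/static/admin/js/core.js"
# A policy that blocks the admin UI: scripts fall back to default-src 'none'.
BLOCKING = "default-src 'none'; style-src 'self'"
# The same policy with the answer's fix appended.
FIXED = BLOCKING + "; script-src " + " ".join(CSP_SCRIPT_SRC)
```

The same check applies to a header set by nginx: fetch the admin page, copy its Content-Security-Policy value into `allows_script`, and the result tells you which layer to fix.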
I have a site with static elements like images. I wanted to protect them (so that you cannot access them directly using a hotlink). For this purpose I used the part "Authentication with mod_wsgi" from the Django documentation:
Authentication with mod_wsgi
I don't like the fact that the user has to log in twice (one time for Django auth and then for Apache auth when there is an image on the page), but it's not the main issue (if you know how to handle this, it would also be nice).
My main problem is that after I log out I can still access the protected image. I know that this is because Apache uses only Django's check_password method, but maybe there is a way to synchronise it?
You should take a look at the Apache 'X-SENDFILE' header: https://tn123.org/mod_xsendfile/
It allows Django to check if your user can access the file and, if access is granted, the static file is then served by Apache.
With this solution your user doesn't have to log in twice and you can have any kind of control you want!
I wrote a blog post about it here with nginx, but it works the same way :)
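The hand-off the answer describes, as an added example that is neither the answerer's code nor the linked blog post: Django authorises each request and, on success, returns an empty response carrying X-Sendfile so Apache streams the file. The protected directory and file names are constructed, and the function is framework-neutral so it runs without Django; the view wiring is sketched in a comment.

```python
import mimetypes
import posixpath
from typing import Dict, Tuple

# Assumed layout: files Apache may only hand out after Django has said yes.
PROTECTED_ROOT = "/home/user/public_html/protected"

def protected_file_response(is_authenticated: bool, requested: str,
                            root: str = PROTECTED_ROOT) -> Tuple[int, Dict[str, str]]:
    """Decide one request for a protected file and return (status, headers).

    Django authorises on every request, so a logged-out session is refused at once;
    on success the body stays empty and Apache (mod_xsendfile with XSendFile On and
    an XSendFilePath covering root) streams the named file itself.
    """
    if not is_authenticated:
        return 403, {}
    # Confine the resolved path to root so "../" segments or absolute paths cannot escape it.
    full = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    if full == root or posixpath.commonpath([root, full]) != root:
        return 404, {}
    content_type = mimetypes.guess_type(full)[0] or "application/octet-stream"
    # Apache replaces this response with the file; a missing file becomes Apache's own 404.
    return 200, {"X-Sendfile": full, "Content-Type": content_type}

# Hypothetical Django view using it (needs Django, so not executed here):
#   status, headers = protected_file_response(request.user.is_authenticated, path)
#   response = HttpResponse(status=status)
#   for name, value in headers.items():
#       response[name] = value
```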
I have defined multiple sites as the documentation of the Site Framework suggested.
I understand that if I ran multiple instances of my application with each of them having a different settings file (different SITE_ID), Django would always know which Site to use.
What I was trying to do is to run a single instance, where multiple sites are available, and the right Site should be chosen depending on the current url of the site.
The Sites documentation states:
The SITE_ID setting specifies the database ID of the Site object associated with that particular settings file. If the setting is omitted, the get_current_site() function will try to get the current site by comparing the domain with the host name from the request.get_host() method.
So I tried to remove the SITE_ID from my settings.py and was hoping that Django would check the domain to find the current Site as stated above; however, this fails with the following exception:
You're using the Django "sites framework" without having set the SITE_ID setting. Create a site in your database and set the SITE_ID setting or pass a request to Site.objects.get_current() to fix this error.
So it seems that although the documentation suggests otherwise, this setting cannot be omitted.
I understand that using the Sites Framework like this would lead to problems when there is no Request object available to find the current Site, but this should not be a problem in the context of my application.
Is it possible to use the Sites Framework without hard-coding the SITE_ID in the settings file by just checking the current domain of the application?
I am using Django Version 1.9.9 with Python 3.4.3
The best solution is to simply add the Sites framework middleware:
'django.contrib.sites.middleware.CurrentSiteMiddleware'
This automatically passes a request object to Site.objects.get_current() on every request.
To "check the current domain" you need to have a request, as clearly mentioned in the error message:
or pass a request to Site.objects.get_current()
Else how would the code know the "current domain" ?
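What CurrentSiteMiddleware gives Django, modelled as an added example (not the asker's, the answerers' or Django's own code): the Site is chosen from the request's Host header, but only after that header has been validated against ALLOWED_HOSTS the way request.get_host() does, so an attacker-supplied Host value never reaches the lookup. The site table and allowed-host list are constructed sample data.

```python
from typing import Dict, Optional, Sequence

# Constructed stand-ins for the Site rows (domain -> id) and settings.ALLOWED_HOSTS.
SITES: Dict[str, int] = {"example.com": 1, "shop.example.com": 2, "example.org": 3}
ALLOWED_HOSTS = [".example.com", "example.org"]

def host_is_allowed(host: str, allowed: Sequence[str]) -> bool:
    """Mirror Django's ALLOWED_HOSTS rules: '*' matches everything, a leading dot
    matches the domain and all its subdomains, anything else must match exactly."""
    host = host.lower().rstrip(".")
    for pattern in allowed:
        pattern = pattern.lower()
        if pattern == "*" or host == pattern:
            return True
        if pattern.startswith(".") and (host == pattern[1:] or host.endswith(pattern)):
            return True
    return False

def strip_port(host: str) -> str:
    """IPv6 literals look like '[::1]:8000'; everything else is 'host[:port]'."""
    if host.startswith("["):
        return host[: host.index("]") + 1]
    return host.split(":", 1)[0]

def site_id_for_host(host_header: str, sites: Dict[str, int] = SITES,
                     allowed: Sequence[str] = ALLOWED_HOSTS) -> Optional[int]:
    """Return the Site id for a request's Host header, or None when it is
    disallowed (Django raises DisallowedHost there) or matches no Site."""
    bare = strip_port(host_header)
    if not host_is_allowed(bare, allowed):
        return None
    # Like get_current_site(request): try the host as sent, then without the port.
    return sites.get(host_header.lower()) or sites.get(bare.lower())
```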
My site serves pages that are almost static and there are no users with logins etc.
I want to completely disable sessions for performance reasons (so django won't access the DB to get the session on every request).
I removed django.contrib.sessions from INSTALLED_APPS, is there anything else I need to do?
You should find articles on how to set up sessions in Django and remove everything from settings.py according to such an article. Here is one:
Although this should already be set up and working correctly, it's nevertheless good practice to learn which Django modules provide which functionality. In the case of sessions, Django provides middleware that implements session functionality.
To check that everything is in order, open your Django project's settings.py file. Within the file, locate the MIDDLEWARE_CLASSES tuple. You should find the django.contrib.sessions.middleware.SessionMiddleware module listed as a string in the tuple - if you don't, add it to the tuple now. It is the SessionMiddleware middleware which enables the creation of unique sessionid cookies.
The SessionMiddleware is designed to work flexibly with different ways to store session information. There are many approaches that can be taken - you could store everything in a file, in a database, or even in a cache. The most straightforward approach is to use the django.contrib.sessions application to store session information in a Django model/database (specifically, the model django.contrib.sessions.models.Session). To use this approach, you'll also need to make sure that django.contrib.sessions is in the INSTALLED_APPS tuple of your Django project's settings.py file. If you add the application now, you'll need to synchronise your database using the python manage.py syncdb command to add the new tables to your database.
So it seems that you should remove the middleware too. Maybe it's not necessary, but if you're running a static application, then it's not that bad to remove everything related to sessions.
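A small consistency check for the state the asker is in (sessions app removed, middleware possibly still listed), added here as an example and not part of the answer: it reports the session-related settings that still depend on each other, so nothing is left half-removed. The settings lists are constructed; the dependency notes reflect Django's documented behaviour.

```python
from typing import Dict, Iterable, List

SESSION_APP = "django.contrib.sessions"
SESSION_MW = "django.contrib.sessions.middleware.SessionMiddleware"
# Components that stop working once request.session no longer exists.
NEEDS_SESSION: Dict[str, str] = {
    "django.contrib.auth.middleware.AuthenticationMiddleware": "reads the user from request.session",
    "django.contrib.messages.middleware.MessageMiddleware": "falls back to session storage",
    "django.contrib.admin": "logs administrators in through sessions",
}

def session_removal_problems(installed_apps: Iterable[str], middleware: Iterable[str]) -> List[str]:
    """Return human-readable problems in a settings file that is dropping sessions."""
    apps, mws = set(installed_apps), set(middleware)
    problems: List[str] = []
    if SESSION_MW in mws and SESSION_APP not in apps:
        problems.append(
            f"{SESSION_MW} still runs but {SESSION_APP} (whose model backs the default "
            "database backend) is gone; remove the middleware too")
    if SESSION_MW not in mws:
        for name, why in NEEDS_SESSION.items():
            if name in apps or name in mws:
                problems.append(f"{name} {why}; remove it as well or keep SessionMiddleware")
    return problems

# Constructed sample: the asker removed the app but kept the middleware tuple untouched.
ASKER_APPS = ["django.contrib.staticfiles", "myapp"]
ASKER_MIDDLEWARE = [
    "django.middleware.common.CommonMiddleware",
    SESSION_MW,
    "django.contrib.auth.middleware.AuthenticationMiddleware",
]
# Fully static configuration with every session-dependent piece removed.
STATIC_MIDDLEWARE = ["django.middleware.common.CommonMiddleware"]
```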
I have a Django (Python) website at domain.com. I have a blog in a folder called fmblog inside my public_html. I want to access the blog by entering domain.com/blog.
My blog is situated in /home/user/public_html/fmblog
So, I have an alias in my virtualhost configuration like the following.
Alias /blog /home/user/public_html/fmblog/
My issue is that I get the blog when I try to access www.domain.com/blog, but I get a 404 error when I try to access http://domain.com/blog.
Why is this happening? I know this would be fixed if I redirected every non-www request to www using a rewrite rule, but I don't want to use that as it has some bad effects on my Django website. How can I make my blog live even on non-www requests?
You can make a redirect for the blog only, adding the rule to the .htaccess in fmblog, above the #BEGIN WordPress line.
I've got a site built in Django that needs to make OAuth 2.0 requests to an external site to get the currently logged-in user. Right now I'm just using a test token; however, I now have to actually register callbacks on my site. How do I do this?
You must add oauth2 to the INSTALLED_APPS list, add some settings constants to the project's settings.py, append some URLs to the project's main urls.py, and so on.
Read the django-oauth2 documentation.