From 9478bf59589075cc49d0fedd1b09be5e77c7befe Mon Sep 17 00:00:00 2001
From: medmunds
Date: Thu, 1 Mar 2018 14:11:15 -0800
Subject: [PATCH] [Breaking] Webhooks: disallow deprecated WEBHOOK_AUTHORIZATION setting

Drop support for the WEBHOOK_AUTHORIZATION setting deprecated in v1.4. Only the WEBHOOK_SECRET replacement is allowed now. Most Django management commands will now issue a system check error if the old name is still used in settings.py
---
 anymail/checks.py | 16 +++++++++-------
 anymail/webhooks/base.py | 3 ---
 docs/installation.rst | 5 +++--
 tests/test_checks.py | 12 ++++++------
 tests/webhook_cases.py | 6 ------
 5 files changed, 18 insertions(+), 24 deletions(-)
diff --git a/anymail/checks.py b/anymail/checks.py
index 3c54e3b..da14efa 100644
--- a/anymail/checks.py
+++ b/anymail/checks.py
@@ -7,18 +7,20 @@ def check_deprecated_settings(app_configs, **kwargs):
 anymail_settings = getattr(settings, "ANYMAIL", {})
- # anymail.W001: rename WEBHOOK_AUTHORIZATION to WEBHOOK_SECRET
+ # anymail.W001: reserved [was deprecation warning that became anymail.E001]
+
+ # anymail.E001: rename WEBHOOK_AUTHORIZATION to WEBHOOK_SECRET
 if "WEBHOOK_AUTHORIZATION" in anymail_settings:
- errors.append(checks.Warning(
+ errors.append(checks.Error(
 "The ANYMAIL setting 'WEBHOOK_AUTHORIZATION' has been renamed 'WEBHOOK_SECRET' to improve security.",
- hint="You must update your settings.py. The old name will stop working in a near-future release.",
- id="anymail.W001",
+ hint="You must update your settings.py.",
+ id="anymail.E001",
 ))
 if hasattr(settings, "ANYMAIL_WEBHOOK_AUTHORIZATION"):
- errors.append(checks.Warning(
+ errors.append(checks.Error(
 "The ANYMAIL_WEBHOOK_AUTHORIZATION setting has been renamed ANYMAIL_WEBHOOK_SECRET to improve security.",
- hint="You must update your settings.py. The old name will stop working in a near-future release.",
- id="anymail.W001",
+ hint="You must update your settings.py.",
+ id="anymail.E001",
 ))
 return errors
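Review bot: Raising these two checks to `checks.Error` only stops a stale `WEBHOOK_AUTHORIZATION` where Django actually runs system checks, which is from management commands; a site whose server process is started another way (a WSGI entry point, for example) never reports `anymail.E001`. What such a site then does with incoming webhooks is decided in `AnymailBasicAuthMixin`, whose validation path is not visible in this patch, and the commit deletes `test_deprecated_setting` from tests/webhook_cases.py without adding a test for the new outcome. I would add a replacement there under the same `@override_settings(ANYMAIL={'WEBHOOK_AUTHORIZATION': "username:password"})` that asserts the failure docs/installation.rst now promises, presumably `self.assertEqual(response.status_code, 400)`, so that an ignored secret is shown to reject the call rather than leave the endpoint unauthenticated. `check_deprecated_settings` starts above this hunk.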
diff --git a/anymail/webhooks/base.py b/anymail/webhooks/base.py index 30207e7..966c41c 100644 --- a/anymail/webhooks/base.py +++ b/anymail/webhooks/base.py @@ -26,9 +26,6 @@ class AnymailBasicAuthMixin(object): def __init__(self, **kwargs): self.basic_auth = get_anymail_setting('webhook_secret', default=[], kwargs=kwargs) # no esp_name -- auth is shared between ESPs - if not self.basic_auth: - # Temporarily allow deprecated WEBHOOK_AUTHORIZATION setting - self.basic_auth = get_anymail_setting('webhook_authorization', default=[], kwargs=kwargs) # Allow a single string: if isinstance(self.basic_auth, six.string_types): diff --git a/docs/installation.rst b/docs/installation.rst index 803d3ff..5519e89 100644 --- a/docs/installation.rst +++ b/docs/installation.rst @@ -283,8 +283,9 @@ username or password for this shared secret. .. versionchanged:: 1.4 The earlier WEBHOOK_AUTHORIZATION setting was renamed WEBHOOK_SECRET, so that - Django error reporting sanitizes it. The old name is still allowed in v1.4, - but will be removed in a near-future release. You should update your settings. + Django error reporting sanitizes it. Support for the old name was dropped in + Anymail 2.0, and if you have not yet updated your settings.py, all webhook calls + will fail with a "missing or invalid basic auth" error. .. setting:: ANYMAIL_REQUESTS_TIMEOUT diff --git a/tests/test_checks.py b/tests/test_checks.py index 8d31534..c6af934 100644 --- a/tests/test_checks.py +++ b/tests/test_checks.py 
@@ -11,17 +11,17 @@ class DeprecatedSettingsTests(SimpleTestCase, AnymailTestMixin):
 @override_settings(ANYMAIL={"WEBHOOK_AUTHORIZATION": "abcde:12345"})
 def test_webhook_authorization(self):
 errors = check_deprecated_settings(None)
- self.assertEqual(errors, [checks.Warning(
+ self.assertEqual(errors, [checks.Error(
 "The ANYMAIL setting 'WEBHOOK_AUTHORIZATION' has been renamed 'WEBHOOK_SECRET' to improve security.",
- hint="You must update your settings.py. The old name will stop working in a near-future release.",
- id="anymail.W001",
+ hint="You must update your settings.py.",
+ id="anymail.E001",
 )])
 @override_settings(ANYMAIL_WEBHOOK_AUTHORIZATION="abcde:12345", ANYMAIL={})
 def test_anymail_webhook_authorization(self):
 errors = check_deprecated_settings(None)
- self.assertEqual(errors, [checks.Warning(
+ self.assertEqual(errors, [checks.Error(
 "The ANYMAIL_WEBHOOK_AUTHORIZATION setting has been renamed ANYMAIL_WEBHOOK_SECRET to improve security.",
- hint="You must update your settings.py. The old name will stop working in a near-future release.",
- id="anymail.W001",
+ hint="You must update your settings.py.",
+ id="anymail.E001",
 )])
diff --git a/tests/webhook_cases.py b/tests/webhook_cases.py
index 0b8d0fb..e8f145c 100644
--- a/tests/webhook_cases.py
+++ b/tests/webhook_cases.py
@@ -125,9 +125,3 @@ class WebhookBasicAuthTestsMixin(object):
 self.set_basic_auth('baduser', 'wrongpassword')
 response = self.call_webhook()
 self.assertEqual(response.status_code, 400)
-
- @override_settings(ANYMAIL={'WEBHOOK_AUTHORIZATION': "username:password"})
- def test_deprecated_setting(self):
- """The older WEBHOOK_AUTHORIZATION setting is still supported (for now)"""
- response = self.call_webhook()
- self.assertEqual(response.status_code, 200)
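Review bot: Both tests in the tests/test_checks.py hunk pin the `anymail.E001` result for an old name, but nothing in the hunk asserts that settings using only the new name return no errors, and a false positive now blocks management commands instead of printing a warning. A third case such as `@override_settings(ANYMAIL={"WEBHOOK_SECRET": "abcde:12345"})` with `self.assertEqual(check_deprecated_settings(None), [])` would cover it. The class `DeprecatedSettingsTests` begins above the hunk, so such a test may already exist there.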