[Breaking] Webhooks: disallow deprecated WEBHOOK_AUTHORIZATION setting

Drop support for the WEBHOOK_AUTHORIZATION setting deprecated in v1.4.
Only the WEBHOOK_SECRET replacement is allowed now.

Most Django management commands will now issue a system check error
if the old name is still used in settings.py.
medmunds
2018-03-01 14:11:15 -08:00
parent deea8c5d5b
commit 9478bf5958
5 changed files with 18 additions and 24 deletions


@@ -7,18 +7,20 @@ def check_deprecated_settings(app_configs, **kwargs):
anymail_settings = getattr(settings, "ANYMAIL", {}) anymail_settings = getattr(settings, "ANYMAIL", {})
# anymail.W001: rename WEBHOOK_AUTHORIZATION to WEBHOOK_SECRET # anymail.W001: reserved [was deprecation warning that became anymail.E001]
# anymail.E001: rename WEBHOOK_AUTHORIZATION to WEBHOOK_SECRET
if "WEBHOOK_AUTHORIZATION" in anymail_settings: if "WEBHOOK_AUTHORIZATION" in anymail_settings:
errors.append(checks.Warning( errors.append(checks.Error(
"The ANYMAIL setting 'WEBHOOK_AUTHORIZATION' has been renamed 'WEBHOOK_SECRET' to improve security.", "The ANYMAIL setting 'WEBHOOK_AUTHORIZATION' has been renamed 'WEBHOOK_SECRET' to improve security.",
hint="You must update your settings.py. The old name will stop working in a near-future release.", hint="You must update your settings.py.",
id="anymail.W001", id="anymail.E001",
)) ))
if hasattr(settings, "ANYMAIL_WEBHOOK_AUTHORIZATION"): if hasattr(settings, "ANYMAIL_WEBHOOK_AUTHORIZATION"):
errors.append(checks.Warning( errors.append(checks.Error(
"The ANYMAIL_WEBHOOK_AUTHORIZATION setting has been renamed ANYMAIL_WEBHOOK_SECRET to improve security.", "The ANYMAIL_WEBHOOK_AUTHORIZATION setting has been renamed ANYMAIL_WEBHOOK_SECRET to improve security.",
hint="You must update your settings.py. The old name will stop working in a near-future release.", hint="You must update your settings.py.",
id="anymail.W001", id="anymail.E001",
)) ))
return errors return errors
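Review bot: The `checks.Error` added for `WEBHOOK_AUTHORIZATION` and `ANYMAIL_WEBHOOK_AUTHORIZATION` is only reported when a management command runs the system checks; Django does not run them when the project is loaded by a WSGI server, so a deployment that upgrades without running such a command never sees anymail.E001. In that case the outcome depends on how `AnymailBasicAuthMixin` treats the empty `basic_auth` list left once the fallback is removed, which is outside the hunks shown on this page, while the docs change states that webhook calls will fail. The commit deletes `test_deprecated_setting` without a replacement, so I would keep a test under `@override_settings(ANYMAIL={'WEBHOOK_AUTHORIZATION': "username:password"})` that pins the documented rejection, e.g. `self.assertEqual(response.status_code, 400)`. The start of `check_deprecated_settings` is outside the hunk.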


@@ -26,9 +26,6 @@ class AnymailBasicAuthMixin(object):
def __init__(self, **kwargs): def __init__(self, **kwargs):
self.basic_auth = get_anymail_setting('webhook_secret', default=[], self.basic_auth = get_anymail_setting('webhook_secret', default=[],
kwargs=kwargs) # no esp_name -- auth is shared between ESPs kwargs=kwargs) # no esp_name -- auth is shared between ESPs
if not self.basic_auth:
# Temporarily allow deprecated WEBHOOK_AUTHORIZATION setting
self.basic_auth = get_anymail_setting('webhook_authorization', default=[], kwargs=kwargs)
# Allow a single string: # Allow a single string:
if isinstance(self.basic_auth, six.string_types): if isinstance(self.basic_auth, six.string_types):


@@ -283,8 +283,9 @@ username or password for this shared secret.
.. versionchanged:: 1.4 .. versionchanged:: 1.4
The earlier WEBHOOK_AUTHORIZATION setting was renamed WEBHOOK_SECRET, so that The earlier WEBHOOK_AUTHORIZATION setting was renamed WEBHOOK_SECRET, so that
Django error reporting sanitizes it. The old name is still allowed in v1.4, Django error reporting sanitizes it. Support for the old name was dropped in
but will be removed in a near-future release. You should update your settings. Anymail 2.0, and if you have not yet updated your settings.py, all webhook calls
will fail with a "missing or invalid basic auth" error.
.. setting:: ANYMAIL_REQUESTS_TIMEOUT .. setting:: ANYMAIL_REQUESTS_TIMEOUT


@@ -11,17 +11,17 @@ class DeprecatedSettingsTests(SimpleTestCase, AnymailTestMixin):
@override_settings(ANYMAIL={"WEBHOOK_AUTHORIZATION": "abcde:12345"}) @override_settings(ANYMAIL={"WEBHOOK_AUTHORIZATION": "abcde:12345"})
def test_webhook_authorization(self): def test_webhook_authorization(self):
errors = check_deprecated_settings(None) errors = check_deprecated_settings(None)
self.assertEqual(errors, [checks.Warning( self.assertEqual(errors, [checks.Error(
"The ANYMAIL setting 'WEBHOOK_AUTHORIZATION' has been renamed 'WEBHOOK_SECRET' to improve security.", "The ANYMAIL setting 'WEBHOOK_AUTHORIZATION' has been renamed 'WEBHOOK_SECRET' to improve security.",
hint="You must update your settings.py. The old name will stop working in a near-future release.", hint="You must update your settings.py.",
id="anymail.W001", id="anymail.E001",
)]) )])
@override_settings(ANYMAIL_WEBHOOK_AUTHORIZATION="abcde:12345", ANYMAIL={}) @override_settings(ANYMAIL_WEBHOOK_AUTHORIZATION="abcde:12345", ANYMAIL={})
def test_anymail_webhook_authorization(self): def test_anymail_webhook_authorization(self):
errors = check_deprecated_settings(None) errors = check_deprecated_settings(None)
self.assertEqual(errors, [checks.Warning( self.assertEqual(errors, [checks.Error(
"The ANYMAIL_WEBHOOK_AUTHORIZATION setting has been renamed ANYMAIL_WEBHOOK_SECRET to improve security.", "The ANYMAIL_WEBHOOK_AUTHORIZATION setting has been renamed ANYMAIL_WEBHOOK_SECRET to improve security.",
hint="You must update your settings.py. The old name will stop working in a near-future release.", hint="You must update your settings.py.",
id="anymail.W001", id="anymail.E001",
)]) )])


@@ -125,9 +125,3 @@ class WebhookBasicAuthTestsMixin(object):
self.set_basic_auth('baduser', 'wrongpassword') self.set_basic_auth('baduser', 'wrongpassword')
response = self.call_webhook() response = self.call_webhook()
self.assertEqual(response.status_code, 400) self.assertEqual(response.status_code, 400)
@override_settings(ANYMAIL={'WEBHOOK_AUTHORIZATION': "username:password"})
def test_deprecated_setting(self):
"""The older WEBHOOK_AUTHORIZATION setting is still supported (for now)"""
response = self.call_webhook()
self.assertEqual(response.status_code, 200)