[Breaking] Webhooks: disallow deprecated WEBHOOK_AUTHORIZATION setting

Drop support for the WEBHOOK_AUTHORIZATION setting deprecated in v1.4. Only the WEBHOOK_SECRET replacement is allowed now. Most Django management commands will now issue a system check error if the old name is still used in settings.py
2025-12-20 11:51:05 -05:00 · 2018-03-01 14:11:15 -08:00
parent deea8c5d5b
commit 9478bf5958
5 changed files with 18 additions and 24 deletions
--- a/anymail/checks.py
+++ b/anymail/checks.py
@@ -7,18 +7,20 @@ def check_deprecated_settings(app_configs, **kwargs):

    anymail_settings = getattr(settings, "ANYMAIL", {})

-    # anymail.W001: rename WEBHOOK_AUTHORIZATION to WEBHOOK_SECRET
+    # anymail.W001: reserved [was deprecation warning that became anymail.E001]
+
+    # anymail.E001: rename WEBHOOK_AUTHORIZATION to WEBHOOK_SECRET
    if "WEBHOOK_AUTHORIZATION" in anymail_settings:
-        errors.append(checks.Warning(
+        errors.append(checks.Error(
            "The ANYMAIL setting 'WEBHOOK_AUTHORIZATION' has been renamed 'WEBHOOK_SECRET' to improve security.",
-            hint="You must update your settings.py. The old name will stop working in a near-future release.",
-            id="anymail.W001",
+            hint="You must update your settings.py.",
+            id="anymail.E001",
        ))
    if hasattr(settings, "ANYMAIL_WEBHOOK_AUTHORIZATION"):
-        errors.append(checks.Warning(
+        errors.append(checks.Error(
            "The ANYMAIL_WEBHOOK_AUTHORIZATION setting has been renamed ANYMAIL_WEBHOOK_SECRET to improve security.",
-            hint="You must update your settings.py. The old name will stop working in a near-future release.",
-            id="anymail.W001",
+            hint="You must update your settings.py.",
+            id="anymail.E001",
        ))

    return errors
--- a/anymail/webhooks/base.py
+++ b/anymail/webhooks/base.py
@@ -26,9 +26,6 @@ class AnymailBasicAuthMixin(object):
    def __init__(self, **kwargs):
        self.basic_auth = get_anymail_setting('webhook_secret', default=[],
                                              kwargs=kwargs)  # no esp_name -- auth is shared between ESPs
-        if not self.basic_auth:
-            # Temporarily allow deprecated WEBHOOK_AUTHORIZATION setting
-            self.basic_auth = get_anymail_setting('webhook_authorization', default=[], kwargs=kwargs)

        # Allow a single string:
        if isinstance(self.basic_auth, six.string_types):
--- a/docs/installation.rst
+++ b/docs/installation.rst
@@ -283,8 +283,9 @@ username or password for this shared secret.
 .. versionchanged:: 1.4

    The earlier WEBHOOK_AUTHORIZATION setting was renamed WEBHOOK_SECRET, so that
-    Django error reporting sanitizes it. The old name is still allowed in v1.4,
-    but will be removed in a near-future release. You should update your settings.
+    Django error reporting sanitizes it. Support for the old name was dropped in
+    Anymail 2.0, and if you have not yet updated your settings.py, all webhook calls
+    will fail with a "missing or invalid basic auth" error.


 .. setting:: ANYMAIL_REQUESTS_TIMEOUT
--- a/tests/test_checks.py
+++ b/tests/test_checks.py
@@ -11,17 +11,17 @@ class DeprecatedSettingsTests(SimpleTestCase, AnymailTestMixin):
    @override_settings(ANYMAIL={"WEBHOOK_AUTHORIZATION": "abcde:12345"})
    def test_webhook_authorization(self):
        errors = check_deprecated_settings(None)
-        self.assertEqual(errors, [checks.Warning(
+        self.assertEqual(errors, [checks.Error(
            "The ANYMAIL setting 'WEBHOOK_AUTHORIZATION' has been renamed 'WEBHOOK_SECRET' to improve security.",
-            hint="You must update your settings.py. The old name will stop working in a near-future release.",
-            id="anymail.W001",
+            hint="You must update your settings.py.",
+            id="anymail.E001",
        )])

    @override_settings(ANYMAIL_WEBHOOK_AUTHORIZATION="abcde:12345", ANYMAIL={})
    def test_anymail_webhook_authorization(self):
        errors = check_deprecated_settings(None)
-        self.assertEqual(errors, [checks.Warning(
+        self.assertEqual(errors, [checks.Error(
            "The ANYMAIL_WEBHOOK_AUTHORIZATION setting has been renamed ANYMAIL_WEBHOOK_SECRET to improve security.",
-            hint="You must update your settings.py. The old name will stop working in a near-future release.",
-            id="anymail.W001",
+            hint="You must update your settings.py.",
+            id="anymail.E001",
        )])
--- a/tests/webhook_cases.py
+++ b/tests/webhook_cases.py
@@ -125,9 +125,3 @@ class WebhookBasicAuthTestsMixin(object):
        self.set_basic_auth('baduser', 'wrongpassword')
        response = self.call_webhook()
        self.assertEqual(response.status_code, 400)
-
-    @override_settings(ANYMAIL={'WEBHOOK_AUTHORIZATION': "username:password"})
-    def test_deprecated_setting(self):
-        """The older WEBHOOK_AUTHORIZATION setting is still supported (for now)"""
-        response = self.call_webhook()
-        self.assertEqual(response.status_code, 200)