authorPaul Sokolovsky <pfalcon@users.sourceforge.net>2013-06-10 21:37:09 +0300
committerPaul Sokolovsky <pfalcon@users.sourceforge.net>2013-06-12 14:19:13 +0300
commit9ac5e0e974aed69f6038ae0516574fc94cadd49a (patch)
treee4a611c3dca8a85792499926bd85d125eeaa1efd
parent2f5805da925c62239c78ec79b84baa1434a4ad04 (diff)
Don't use dangerous defaults for security parameters.
Any hidden defaults for security-related parameters are dangerous. For example, a user may leave AUTH_CROWD_STAFF_GROUP unspecified and assume that this means the feature is not used; but if Crowd happens to have a group whose name matches the "default", the app will have a security hole. Also, having defaults for parameters which are expected to be site-local is a false courtesy to the user: if they are not set, then instead of getting clear exceptions about unset config settings, the user will get much more confusing errors from the network stack/Crowd.
-rw-r--r--crowdrest/backend.py7
1 files changed, 2 insertions, 5 deletions
diff --git a/crowdrest/backend.py b/crowdrest/backend.py
index e754865..8d8381a 100644
--- a/crowdrest/backend.py
+++ b/crowdrest/backend.py
@@ -129,11 +129,8 @@ class CrowdSettings(object):
"""
defaults = {
'AUTH_CROWD_ALWAYS_UPDATE_USER': True,
- 'AUTH_CROWD_STAFF_GROUP': 'staff',
- 'AUTH_CROWD_SUPERUSER_GROUP': 'superuser',
- 'AUTH_CROWD_APPLICATION_USER': 'django',
- 'AUTH_CROWD_APPLICATION_PASSWORD': 'django',
- 'AUTH_CROWD_SERVER_REST_URI': 'http://127.0.0.1:8095/crowd/rest/usermanagement/latest',
+ 'AUTH_CROWD_STAFF_GROUP': None,
+ 'AUTH_CROWD_SUPERUSER_GROUP': None,
'AUTH_CROWD_SERVER_TRUSTED_ROOT_CERTS_FILE': None,
}
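Review bot: The new `None` defaults for AUTH_CROWD_STAFF_GROUP and AUTH_CROWD_SUPERUSER_GROUP only close the hole if the membership check elsewhere in backend.py treats `None` as "feature disabled" rather than passing it into a group-name comparison or a Crowd group lookup; that code is outside this hunk and is worth confirming in the same commit. The class docstring that closes at the `"""` above the dict should also state that AUTH_CROWD_APPLICATION_USER, AUTH_CROWD_APPLICATION_PASSWORD and AUTH_CROWD_SERVER_REST_URI now have no default and must be provided in the Django settings, e.g. `Settings absent from ``defaults`` (application user/password, REST URI) must be set in settings.py; a ``None`` default means the feature is disabled.` The CrowdSettings class body continues outside the hunk.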