On May 29, 5:22 am, Julien Phalip <jpha...@gmail.com> wrote:
> I'm bringing this up to the dev-list as I'm keen to hear if someone is
> interested in this problem and has suggestions towards a robust
> solution. It is a pretty serious issue that I hope can be resolved by
> the 1.4 release.

For reference, I raised a related issue quite some time ago in
https://code.djangoproject.com/ticket/7472, which was closed as
wontfix.

I'm glad this is now being looked at again and I like the idea of
being able to mark individual views/requests as handling sensitive
information.  This means one could write a simple middleware that sets
the is_sensitive flag if the request was made over HTTPS to achieve
what I was wanting to do originally.

In terms of the latest patch:

  1. I think the "sensitive" decorator should perhaps not be defined
within django.views.debug, but somewhere within
django.views.decorators to be more consistent with the other built-in
decorators.

  2. I have a minor concern that having the "sensitive" decorator
being included in a module called "debug" may lead to developers
mistakenly thinking that it is relevant for development debugging
rather than for protecting production environments.

  3. Someone may wish to write their own AdminEmailHandler that
produces an encrypted email containing all the sensitive details.  At
present, it looks like the patch won't actually allow you to get a non-
redacted version of the traceback if you really wanted to.

As a side thought, if this functionality does get implemented, would
it be feasible/desirable to have Django emit a warning to encourage
the developer to mark a view as sensitive if it detected a
forms.PasswordField (or any other FormField known to handle sensitive
data) being used by it?  I'm not actually sure it's possible as a Form/
FormField doesn't directly know about the request, but I thought I'd
throw the idea out there anyway.

Cheers,

Fraser

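The middleware idea and the escape hatch for a custom AdminEmailHandler, as an added illustration of the design being discussed here, not code from the patch or from Django itself. The names `is_sensitive`, `sensitive` and `redact_report` are assumptions; `request.is_secure()` is the real HttpRequest method, and `FakeRequest` is a constructed stand-in so the snippet runs without Django.

```python
from functools import wraps

REDACTED = "********"


class SensitiveOverHttpsMiddleware:
    """Marks a request as sensitive when it arrived over HTTPS."""

    def process_request(self, request):
        # Django calls this before the view; is_secure() is the real
        # HttpRequest method. Returning None lets the request proceed.
        if request.is_secure():
            request.is_sensitive = True
        return None


def sensitive(view):
    """Decorator flagging every request handled by `view` as sensitive."""

    @wraps(view)
    def wrapper(request, *args, **kwargs):
        request.is_sensitive = True
        return view(request, *args, **kwargs)

    return wrapper


def redact_report(request, post_params, frame_locals, unredacted=False):
    """Return (POST data, frame locals) for an error report.

    Values are masked when the request is flagged sensitive, unless the
    caller (e.g. an AdminEmailHandler that encrypts its mail) explicitly
    asks for the unredacted data.
    """
    if unredacted or not getattr(request, "is_sensitive", False):
        return dict(post_params), dict(frame_locals)
    return ({k: REDACTED for k in post_params},
            {k: REDACTED for k in frame_locals})


class FakeRequest:
    """Constructed stand-in for HttpRequest, just enough to run offline."""

    def __init__(self, secure):
        self._secure = secure

    def is_secure(self):
        return self._secure
```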
-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com.