Hi Nick,

On 02/19/2013 03:32 PM, Nick Phillips wrote:
> I don't recall looking at the ALLOWED_HOSTS setting before. Now that I
> do, it seems rather problematic. In particular, that host verification
> is apparently turned off while DEBUG is True or while testing.
> 
> Surely this makes it impossible to test, and makes it likely that
> misconfigurations will not be picked up until deployed to a production
> environment.
>
> Given that most setups require some customisation of settings for
> dev/staging/production/whatever environments anyway, why not leave the
> verification on at all times and allow us to ensure we get the right
> hosts in the right environments?

There was extensive back-and-forth discussion of this in writing the
patch. The issue is that in almost all cases the correct value of the
setting in local development and under test are different from the
correct value in production. So how much value is there in knowing the
tests pass, and/or it works locally? That doesn't really increase the
chances that you have it configured correctly in production. In the end,
our estimation was that requiring it to be configured in local dev and
testing would introduce quite a lot of hassle (and potentially a major
roadblock for new users), with very little gain to offset that.

Note that it isn't impossible to test, if you want to; the check is
"disabled" under test by means of setting ALLOWED_HOSTS to ['*'] for the
duration of the test run, so if you want tests to exercise validation
you can just use the override_settings decorator to temporarily change
it for a test method or test case.

Carl

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at http://groups.google.com/group/django-developers?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.


Reply via email to