Re: [mezzanine-users] x_frame_options deny causes wysiwyg editor "insert/edit image" upload to fail

2016-01-15 Thread Matthew Summers
On Wed, Jan 13, 2016 at 10:50 AM, Joseph Mohan  wrote:

> Makes 100% sense, Doh!


Of course, I look at the actual thing that I deployed and it's SAMEORIGIN
not SAME-ORIGIN or SAME_ORIGIN. Sorry for the noise.

-- 
You received this message because you are subscribed to the Google Groups 
"Mezzanine Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to mezzanine-users+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [mezzanine-users] mezzanine.forms - using email field as mail from

2014-05-13 Thread Matthew Summers
You should mention to your client that it's very likely these emails will
be dropped into a spam folder as forgeries. This is totally against best
practices, and a terrible idea.



Re: [mezzanine-users] Re: help needed deploying Mezzanine on Digital Ocean

2014-04-28 Thread Matthew Summers
It's probably a bad idea to put your virtualenv in /root, this is the
root user's home dir. I usually create a specific user that will be
running my mezzanine projects. This way you are not running gunicorn
as root, but as a normal user. Really, it's a best practice to reduce
the number of services running as root to as few as possible. I am
fairly certain that the fabfile assumes you are running as a normal
user which may account for the permission issue(s).

Cheers,
Matt


On Sun, Apr 27, 2014 at 11:41 PM, Jared Nielsen <nielsen.ja...@gmail.com> wrote:
> So I deleted my Droplet and started fresh, following Josh's tutorial to the
> T.
>
> Debian 7 x64
> Created a fresh local mezzanine project.
> But I didn't have a live_settings.py file in /deploy.
> So I copied one from an older project.
>
> Why wasn't a live_settings.py generated? Would one be generated later?
> There is a local_settings.py.templates that contains the same information.
>
> I proceeded, ran fab all and got hung up on the virtualenv. Here's my error:
>
> [oulipy.com] out: /bin/bash: line 0: cd: /root/venv: Permission denied
> [oulipy.com] out:
>
> Fatal error: run() received nonzero return code 1 while executing!
>
> Requested: virtualenv oulipy --distribute
> Executed: /bin/bash -l -c "cd /root/venv && virtualenv oulipy --distribute"
>
> Aborting.
> Disconnecting from oulipy.com... done.
>
> At first I was getting an error that the directory didn't exist, so I
> created it. Then I tried changing permissions on the directory. But I'm
> stuck here.
> Any help is greatly appreciated.
>
> On Sunday, April 27, 2014 8:58:26 PM UTC-6, Jared Nielsen wrote:
>> Everything about Mezzanine is awesome. Except deployment.
>> I'm new to Mezzanine and Django and struggling to get my site deployed.
>> I chose Digital Ocean because of their price, their documentation and
>> Josh's fab post:
>> http://bitofpixels.com/blog/deploying-mezzanine-to-digital-ocean-using-the-included-fabfile/
>>
>> I'm attempting two approaches.
>> 1. The first is following the Digital Ocean guidelines, beginning with
>> this tutorial:
>>
>> https://www.digitalocean.com/community/articles/how-to-install-and-get-started-with-django-based-mezzanine-cms-on-ubuntu
>>
>> I create a droplet, login, create a virtualenv, pip install mezzanine and
>> pillow, mezzanine-project, createdb, runserver like this: python manage.py
>> runserver 0.0.0.0:8000
>> No problem. Fresh Mezzanine project in my browser.
>>
>> So I create a new virtualenv and directory, git clone my mezzanine
>> project, install requirements, runserver:
>>
>> django.core.exceptions.ImproperlyConfigured: The SECRET_KEY setting must
>> not be empty.
>>
>> So I create a local_settings.py file and add a SECRET_KEY.
>>
>> Then runserver, and I get this error at http://my_droplet:8000
>>
>> Bad Request (400)
>>
>> Am I wrong to think that I can run my Mezzanine project with a development
>> server?
>>
>> Moving on...
>>
>> 2. Following Josh's tutorial:
>> http://bitofpixels.com/blog/deploying-mezzanine-to-digital-ocean-using-the-included-fabfile/
>>
>> I fill in all my settings and when I run fab all, I get:
>>
>> [jarednielsen.com] Executing task 'all'
>>
>> ---
>> all
>> ---
>>
>> ---
>> install
>> ---
>>
>> $ cat /etc/default/locale ->
>>
>> [jarednielsen.com] Login password for 'jarednielsen':
>>
>> I enter my password and it times out for a moment, then asks for my
>> password again and again.
>>
>> What am I missing here?
>>
>> Many thanks in advance.







-- 
M. Summers

...there are no rules here -- we're trying to accomplish something.
  - Thomas A. Edison
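
Added example (not part of the original message or of Mezzanine's fabfile): a Python audit of a supervisor config for programs that would run as root or out of /root, the two problems described in the reply above. It assumes gunicorn is started by supervisor, as the deploy/supervisor.conf listed elsewhere on this page suggests; the sample config and the "mezz" account are constructed.

```python
import configparser

# Constructed supervisor.conf; the "mezz" account and both paths are hypothetical.
SAMPLE_CONF = """\
[program:gunicorn_oulipy]
command=/root/venv/oulipy/bin/gunicorn_django -c gunicorn.conf.py
directory=/root/venv/oulipy/project
autostart=true

[program:gunicorn_site]
command=/home/mezz/venv/site/bin/gunicorn_django -c gunicorn.conf.py
directory=/home/mezz/venv/site/project
user=mezz  ; dedicated unprivileged account
"""


def audit_supervisor(conf_text):
    """Return (program, problem) pairs for programs that run as or from root."""
    # interpolation=None: supervisor uses %(name)s expansions configparser must not touch
    parser = configparser.ConfigParser(interpolation=None,
                                       inline_comment_prefixes=(";",))
    parser.read_string(conf_text)
    problems = []
    for section in parser.sections():
        if not section.startswith("program:"):
            continue
        name = section.split(":", 1)[1]
        opts = parser[section]
        user = opts.get("user", "").strip()
        if not user:
            problems.append((name, "no user= line: runs as supervisord's own user"))
        elif user in ("root", "0"):
            problems.append((name, "user= is root"))
        # A virtualenv or project under /root is unreadable to a normal user
        for key in ("command", "directory"):
            if opts.get(key, "").startswith("/root/"):
                problems.append((name, key + " lives under /root"))
    return problems


if __name__ == "__main__":
    for program, problem in audit_supervisor(SAMPLE_CONF):
        print("%s: %s" % (program, problem))
```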



[mezzanine-users] Uploadify swf versus fileuploader.js

2014-04-16 Thread Matthew Summers
Hello,

I'm just curious if anyone has tried replacing the flash-based
filebrowser-safe uploader with the JS-based uploader from filebrowser?
It appears that the successor to fileuploader.js is called
fine-uploader, but you gotta build it yourself if you want to use it
for free. Looks easy enough.

Any interest in nuking the swf? I'll probably give it a shot today.
From what I can see, it doesn't look to be too bad, and it might just
be a drop-in deal.

Thoughts?

Cheers,
Matt

-- 
M. Summers

...there are no rules here -- we're trying to accomplish something.
  - Thomas A. Edison



Re: [mezzanine-users] Re: TinyMCE dialogs not rendering over SSL

2014-04-09 Thread Matthew Summers
Hi there,

First, tinymce uses an iframe for its pop-ups, so make sure you use:
add_header X-Frame-Options SAMEORIGIN;
and not:
add_header X-Frame-Options DENY;

I have a feeling that the issue is with the iframe coming from http in
an https page.

Second, you definitely do not want to over-ride SSL_FORCE_URL_PREFIXES
to exclude /admin since that would yield plain text auth (==BAD).

If you are interested in SSL-only site, which I highly recommend, you
may want to look at HSTS. I use it like the following in both the http
(providing redirect) and https server blocks.
 add_header Strict-Transport-Security max-age=15768000;
The max-age is in seconds, feel free to set this to a longer time
period. I think the max allowed is around 2 years or 63072000.

You might want to add these headers too, for completion:
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;

Third, to make mezzanine SSL-only, I set "Enable SSL" to True in the
admin, and set SSL_FORCE_URL_PREFIXES="/" in my settings.py.

Also a couple of things jump out at me.

1) Don't use rewrite for your redirect to https, use 'return 301',
(it's more efficient). Use the following in your server block:
return 301 https://www.example.com$request_uri;

2) Don't use alias in your location blocks, use root like this:
location /static/ {
    root            /path/to/project;
    ## The following are optional, and will not help with 404s.
    access_log      off;
    log_not_found   off;
}

Reference for that is here:
http://nginx.org/en/docs/http/ngx_http_core_module.html#alias

Cheers,
Matt
-- 
M. Summers

...there are no rules here -- we're trying to accomplish something.
  - Thomas A. Edison
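
Added example (not part of the original message, and not Mezzanine or nginx code): a Python check of the response headers named in this message, which also catches the SAME-ORIGIN / SAME_ORIGIN misspelling from the x_frame_options thread at the top of this page. The sample header sets are constructed, and the HSTS floor simply reuses the max-age quoted above.

```python
import re

# Half a year in seconds, the max-age used in the message above (assumed floor).
MIN_HSTS_MAX_AGE = 15768000


def audit_headers(headers):
    """Return findings for one HTTPS response's headers (dict of name -> value)."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    findings = []

    xfo = h.get("x-frame-options", "").upper()
    if not xfo:
        findings.append("X-Frame-Options missing")
    elif xfo == "DENY":
        findings.append("X-Frame-Options DENY also blocks same-origin iframes")
    elif xfo != "SAMEORIGIN":
        # e.g. SAME-ORIGIN or SAME_ORIGIN
        findings.append("X-Frame-Options %s is neither DENY nor SAMEORIGIN" % xfo)

    match = re.search(r'max-age\s*=\s*"?(\d+)',
                      h.get("strict-transport-security", ""), re.I)
    if match is None:
        findings.append("Strict-Transport-Security missing or without max-age")
    elif int(match.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append("HSTS max-age %s is below %d"
                        % (match.group(1), MIN_HSTS_MAX_AGE))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("x-xss-protection", "").replace(" ", "").lower() != "1;mode=block":
        findings.append("X-XSS-Protection is not '1; mode=block'")
    return findings


# Constructed sample responses, not captured from a real site.
AS_RECOMMENDED = {
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=15768000",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}
MISSPELLED = {
    "X-Frame-Options": "SAME-ORIGIN",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, sample in (("recommended", AS_RECOMMENDED), ("misspelled", MISSPELLED)):
        print(label, audit_headers(sample))
```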



[mezzanine-users] Serving static files in development without runserver (with gunicorn)

2014-04-04 Thread Matthew Summers
Hello,

I've seen a few threads about this in the past so I thought I would
share. It's common to desire parity between dev and production
environments, i.e. no change between envs. At least I generally find
this to save time and energy, so towards that I generally develop
Mezzanine, or any django project, using gunicorn instead of runserver.
Why? Well I hate the single request nature of runserver, so that is
the main reason for me. It is also the case that some core django devs
would love to see runserver removed in favor of something like
gunicorn. The issue has been code reloading on change, which gunicorn
would not do. Well, until recently. It's not in a release yet, but
gunicorn [0] now supports change detection and reloading, yay!!WIN1!!

So, how do you make this transition? I've found the package dj-static
[1] by Kenneth Reitz (Heroku) to be the simple, quick, elegant
solution to this problem. dj-static leverages a wsgi app aptly called
static [2,4] to do the actual serving. It's pretty fast & efficient.
Oh, it's also really easy to set up too. Just collectstatic & check the
dj-static readme on github [3]. It handles uploaded content too. Here
is a hint, use HEAD on github, DO NOT USE pypi version, it's stale,
although it should still work ok with python2. If you want to use
python3, use HEAD (looks like it will be 0.0.6 when it's released), it
uses static3 [4].

Anyway, check it out. Let me know what you think!

Cheers,
Matt

[0] 
https://github.com/benoitc/gunicorn/blob/master/docs/source/settings.rst#reload
[1] https://pypi.python.org/pypi/dj-static
[2] https://pypi.python.org/pypi/static
[3] https://github.com/kennethreitz/dj-static
[4] https://pypi.python.org/pypi/static3

 --
M. Summers

...there are no rules here -- we're trying to accomplish something.
  - Thomas A. Edison



Re: [mezzanine-users] Fab Script ImportError: No module named future.builtins

2014-04-03 Thread Matthew Summers
Does that file exist?



Re: [mezzanine-users] Default fabfile deploy, Internal Server Error

2014-03-31 Thread Matthew Summers
Just for reference, --log-file and --error-logfile are the same
http://docs.gunicorn.org/en/latest/settings.html#errorlog

Cheers,
Matt



Re: [mezzanine-users] Can't figure out why my Static Files won't load

2014-03-27 Thread Matthew Summers
Remove the trailing slash on your location alias directive.

On Thu, Mar 27, 2014 at 6:32 PM, Kyle Pennell <kpenn...@gmail.com> wrote:
> Ah!  Will try pulling that out.  Thanks for the help, Stephen.
>
> On Thu, Mar 27, 2014 at 5:28 PM, Stephen McDonald <st...@jupo.org> wrote:
>> On Fri, Mar 28, 2014 at 8:46 AM, Kyle Pennell <kpenn...@gmail.com> wrote:
>>> Triple checked my settings and can't find why my static files aren't
>>> loading.
>>>
>>> Nginx and Gunicorn are installed and working.
>>> Symbolic Link between sites-available and sites-enabled is made
>>>
>>> ── sites-available
>>> │   ├── mezzanine_app
>>> │   └── myproject
>>> ├── sites-enabled
>>> │   ├── ahalearning -> ../sites-available/ahalearning
>>> │   ├── mezzanine_app -> ../sites-available/mezzanine_app
>>> │   └── myproject -> ../sites-available/myproject
>>>
>>> Collectstatic has been run and static files are in place:
>>>
>>> ├── deploy
>>> │   ├── crontab
>>> │   ├── gunicorn.conf.py
>>> │   ├── live_settings.py
>>> │   ├── nginx.conf
>>> │   └── supervisor.conf
>>> ├── dev.db
>>> ├── fabfile.py
>>> ├── __init__.py
>>> ├── __init__.pyc
>>> ├── local_settings.py
>>> ├── local_settings.pyc
>>> ├── manage.py
>>> ├── requirements.txt
>>> ├── settings.py
>>> ├── settings.pyc
>>> ├── static
>>> │   ├── admin
>>> │   ├── css
>>> │   ├── filebrowser
>>> │   ├── fonts
>>> │   ├── grappelli
>>> │   ├── img
>>> │   ├── js
>>> │   ├── media
>>> │   ├── mezzanine
>>> │   ├── robots.txt
>>> │   └── test
>>> ├── urls.py
>>> ├── urls.pyc
>>> └── wsgi.py
>>>
>>> STATIC_ROOT in settings.py points to the right folder
>>> (opt/myenv/mezzanine_app/static/)
>>>
>>> My nginx server settings point to the right files:
>>> /etc/nginx/sites-available
>>>
>>> server {
>>>     server_name 107.170.215.138;
>>>
>>>     access_log off;
>>>
>>>     location /static/ {
>>>         alias  /opt/myenv/mezzanine_app/static/;
>>>     }
>>
>> I think this will look for the directory
>> /opt/myenv/mezzanine_app/static/static/
>>
>>>     location / {
>>>         proxy_pass http://127.0.0.1:8001;
>>>         proxy_set_header X-Forwarded-Host $server_name;
>>>         proxy_set_header X-Real-IP $remote_addr;
>>>         add_header P3P 'CP="ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV"';
>>>     }
>>> }
>>>
>>> Nginx and Gunicorn fire up without problems.
>>>
>>> Any idea what I might be missing?
>>>
>>> Why are my static files 404'ing?






>> --
>> Stephen McDonald
>> http://jupo.org




-- 
M. Summers

...there are no rules here -- we're trying to accomplish something.
  - Thomas A. Edison
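
Added example (not from the thread or from nginx itself): a small Python model of how nginx turns a request URI into a file path for a prefix location under root and under alias, the two directives discussed here and in the TinyMCE thread above. The request URI and file name are constructed; the base path is the one quoted in the thread.

```python
def resolve(location, directive, path, uri):
    """Model nginx's file lookup for a prefix location.

    root:  file = path + full request URI
    alias: file = path + (URI with the matched location prefix cut off)
    Returns None when the URI does not fall under the location.
    """
    if not uri.startswith(location):
        return None
    if directive == "root":
        return path + uri
    if directive == "alias":
        return path + uri[len(location):]
    raise ValueError("directive must be 'root' or 'alias'")


# Constructed request; css/site.css is a hypothetical file name.
URI = "/static/css/site.css"
BASE = "/opt/myenv/mezzanine_app"

# (location prefix, directive, directive argument)
VARIANTS = [
    ("/static/", "alias", BASE + "/static/"),
    ("/static/", "alias", BASE + "/static"),
    ("/static/", "root", BASE),
    ("/static/", "root", BASE + "/static"),
]


def table():
    """Return (location, directive, path, resolved file) for every variant."""
    return [(loc, d, p, resolve(loc, d, p, URI)) for loc, d, p in VARIANTS]


if __name__ == "__main__":
    for row in table():
        print("location %-9s %-5s %-34s -> %s" % row)
```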
