Hi all,
First, I want to say that complex things fail in complex ways, so
it's probably a fallacy to look for a single root cause. I agree with
various other points about mistakes that were made, but not others.
Particularly:
On 22/11/16 12:41, Florian Apolloner wrote:
Hi,
On Monday,
+1 to Baptiste, Ben and Josh. Especially as Ben said, I think this does not
justify removing the auth CBVs. The bug happened because of a *misuse* of
the abstractions involved. ``.get_context_data()`` is not the correct place
for a security check (as nobody overriding it would expect that, nor from
+1 to everything Baptiste and Ben have said. A bug in a CBV isn't a good
argument for throwing away CBVs entirely. We should probably review patches
that touch security systems quite a bit more thoroughly in the future -
meaning more eyes rather than a single set of eyes spending more time.
On
Hi Mads,
Thanks for picking this up. I've been wondering if Window expressions would
be possible, and what limitations we might have to make based on our ORM.
> 1. Since this is specific to postgres, I'm looking for a better place to
put the actual Window-expression class, as well as auxiliary h
As a big fan of GCBVs, this got me out of the chair :) I am -1 for removing
GCBVs for authentication.
My reasons:
1) Security improvements also happen over time, finding a security hole in
a component is not a reason to point the finger at the architecture. If you
entirely remove something, yo
You may use a PDF editor to sign the contributor license agreement rather
than printing and scanning.
The contributing documentation describes the ticket triage process. If you
have specific questions, please ask.
On Monday, November 21, 2016 at 12:34:53 PM UTC-5, ranvir singh wrote:
>
>
>
> On
Hi,
I got somewhat stuck on progress with this ticket, and as I'd like to
get it merged eventually (and avoid an abundant amount of fixes), I have
a few things I'd like a bit of input about.
1. Since this is specific to postgres, I'm looking for a better place to
put the actual Window-expression cl
Hello,
Thank you for raising this, Markus.
I am +1 to everything Baptiste said.
In particular, if our conclusion from this bug were that CBVs are entirely
unsuitable for security-sensitive features, I don't think removing CBVs for auth
is enough. Because by that logic, our users will be making
Hi,
On Monday, November 21, 2016 at 11:56:56 PM UTC+1, Tim Graham wrote:
>
> … that the existing tests would catch this type of obviously incorrect
> issue.
>
I think that is the main issue here. I was also really surprised to
discover that the tests were missing cases like this -- then again,
Hi Markus,
Thanks for your clear description and for bringing this up for discussion.
I don't agree with your conclusions though.
1) Keeping around two implementations of auth views seems
counter-productive to me in terms of security because it effectively
doubles the potential for bugs or s
On Monday, November 21, 2016 at 23:56:56 UTC+1, Tim Graham wrote:
>
> When reviewing the patch for the auth class-based view additions, I made
> the mistake of assuming that the existing tests would catch this type of
> obviously incorrect issue. Perhaps with the function-based views, the code
> wa