[PATCH 4 of 4] [pyramid/misc] remove now useless warning about missing pyramid.ini

Denis Laxalde denis.laxalde at logilab.fr
Wed May 15 16:06:08 CEST 2019


Laurent Peuch wrote:
> # HG changeset patch
> # User Laurent Peuch <cortex at worlddomination.be>
> # Date 1557914820 -7200
> #      Wed May 15 12:07:00 2019 +0200
> # Node ID 76fee9ea4a3e377b814b8a9c6ac41e00cbb94a84
> # Parent  2beda828c1bf3d16ae3066e38a31a2873c5ca7c8
> [pyramid/misc] remove now useless warning about missing pyramid.ini

I think that not only should we remove the warning, but we should also
require values for secrets to be set in the configuration file, just like
we now do for session settings.

> diff --git a/cubicweb/pyramid/auth.py b/cubicweb/pyramid/auth.py
> --- a/cubicweb/pyramid/auth.py
> +++ b/cubicweb/pyramid/auth.py
> @@ -198,28 +198,6 @@ def includeme(config):
>              session_prefix + 'secret', 'notsosecret')
>          persistent_secret = settings.get(
>              persistent_prefix + 'secret', 'notsosecret')

So above, I'd suggest:

    persistent_secret = settings[persistent_prefix + 'secret']

(and same for other secrets related to "auth" module).

> -        if ('notsosecret' in (session_secret, persistent_secret)
> -                and config.registry['cubicweb.config'].mode != 'test'):
> -            warnings.warn('''
> -
> -                !! SECURITY WARNING !!
> -
> -                The authentication cookies are signed with a static secret key.
> -
> -                Configure the following options in your pyramid.ini file:
> -
> -                - cubicweb.auth.authtkt.session.secret
> -                - cubicweb.auth.authtkt.persistent.secret
> -
> -                YOU SHOULD STOP THIS INSTANCE unless your really know what you
> -                are doing !!
> -
> -                Please refer to to cubicweb-pyramid documentation on how to
> -                write this pyramid.ini file:
> -                https://cubicweb.readthedocs.io/en/latest/book/pyramid/settings/#pyramid-settings-file
> -                Without it authentication WON'T work.
> -
> -            ''')
>  
>          policies.append(
>              CWAuthTktAuthenticationPolicy(
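
Review bot: the context lines at the top of this hunk still fall back to
'notsosecret' for both session_secret and persistent_secret through
settings.get(..., 'notsosecret'), so once the warning block is removed an
instance without these options signs its authentication cookies with a
static key and reports nothing. Either drop the default so that a missing
cubicweb.auth.authtkt.session.secret or
cubicweb.auth.authtkt.persistent.secret fails at startup, for example
settings[persistent_prefix + 'secret'], or keep a check that rejects
'notsosecret' when the mode is not 'test'.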


