Opened 12 years ago

Closed 12 years ago

#20227 closed Uncategorized (wontfix)

Accept an empty SECRET_KEY when DEBUG is True

Reported by: Luc Saffre Owned by: nobody
Component: Uncategorized Version: 1.5
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Django should accept an empty SECRET_KEY when DEBUG is True. Okay Django 1.5 is more severe about security leaks and it's okay to say that a SECRET_KEY setting is required (https://docs.djangoproject.com/en/dev/releases/1.4/#secret-key-setting-is-required), but when DEBUG is True Django shouldn't be so nit-picky.

Change History (3)

comment:1 by Aymeric Augustin, 12 years ago

This proposal assumes that no one will run a Django website in production with DEBUG = True.

Unfortunately, I'm afraid this isn't a valid assumption.

comment:2 by Baptiste Mispelon, 12 years ago

I'm -1 on this idea too:

  • It's one more thing that can break when changing DEBUG from True to False.
  • startproject will anyway generate a good SECRET_KEY for you, so you get a fully functional settings file out of the box (especially with the new project template).
  • Even if you try to use an empty secret key, django will give you an error message with instructions on how to fix it.

comment:3 by Aymeric Augustin, 12 years ago

Resolution: wontfix
Status: newclosed
Note: See TracTickets for help on using tickets.
Back to Top