#17800 closed Uncategorized (fixed)
Empty settings.SECRET_KEY should raise an error
Reported by: | Paul McMillan | Owned by: | nobody |
---|---|---|---|
Component: | Core (Other) | Version: | 1.4-alpha-1 |
Severity: | Release blocker | Keywords: | |
Cc: | | Triage Stage: | Accepted |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Django does not complain if the SECRET_KEY is left to the default value. It should at least raise a warning, and (imho) should really raise an error.
If we do allow Django to run with an empty secret key, we should raise an error if an attempt is made to use cookie-based sessions.
Attachments (1)
Change History (9)
comment:1 by , 13 years ago
by , 13 years ago
Attachment: 17800.patch added
comment:6 by , 13 years ago
Paul and I discussed this further and felt that raising an exception on an empty SECRET_KEY, while ideally preferable, is too backwards-incompatible to be introduced at this post-beta stage of the release cycle. We decided to instead make it a DeprecationWarning for 1.4 and elevate to an exception in 1.5; an accelerated deprecation schedule, but avoiding breaking things in an RC. Paul implemented this decision in r17616 and I documented it in r17617.
django.conf.default_settings says:
However, no check was added to match this comment in r230.
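The policy discussed in the description and in comment:6, as an added example (not Django's implementation and not the attached 17800.patch): a DeprecationWarning on an empty SECRET_KEY for the 1.4 stage, an exception for the 1.5 stage, and always an error when cookie-based sessions are configured. The helper `check_secret_key`, its `strict` flag and the local `ImproperlyConfigured` class are assumptions made for illustration, and the settings objects are constructed samples.

```python
import warnings
from types import SimpleNamespace

# Django's setting value for cookie-based (signed) sessions.
SIGNED_COOKIE_ENGINE = "django.contrib.sessions.backends.signed_cookies"


class ImproperlyConfigured(Exception):
    """Local stand-in for django.core.exceptions.ImproperlyConfigured."""


def check_secret_key(settings, strict=False):
    """Hypothetical helper applying the ticket's policy to a settings object.

    strict=False models the 1.4 decision (DeprecationWarning on an empty key),
    strict=True models the 1.5 decision (exception). Cookie-based sessions
    with an empty key are always rejected, as the description proposes,
    because the signature on the session cookie would protect nothing.
    Returns "ok" or "warned"; raises ImproperlyConfigured otherwise.
    """
    key = getattr(settings, "SECRET_KEY", "")
    if key:
        return "ok"
    if getattr(settings, "SESSION_ENGINE", "") == SIGNED_COOKIE_ENGINE:
        raise ImproperlyConfigured(
            "SECRET_KEY is empty but SESSION_ENGINE signs session data with it."
        )
    if strict:
        raise ImproperlyConfigured("The SECRET_KEY setting must not be empty.")
    warnings.warn(
        "The SECRET_KEY setting must not be empty.",
        DeprecationWarning,
        stacklevel=2,
    )
    return "warned"


if __name__ == "__main__":
    # Constructed sample settings: empty key with database-backed sessions.
    sample = SimpleNamespace(
        SECRET_KEY="",
        SESSION_ENGINE="django.contrib.sessions.backends.db",
    )
    warnings.simplefilter("always")
    print(check_secret_key(sample))  # warns under the 1.4-style policy
```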