Provide a check for settings removed (post deprecation)

[Serafeim Papastefanos]

This ticket was repurposed following the original report and a related ​forum conversation to provide a check for "outdated settings", meaning those settings that went thru the usual and expected deprecation process and have been removed from the code base. These settings are effectively pointless to have defined, as they no longer have any effect, and even in some cases, having them defined might lead project maintainers to mistakenly believe they are still in effect.

Original report:

Hello friends, I had a DEFAULT_FILE_STORAGE = "storages.backends.s3.S3Storage" in my Django 5.0.8 project. When I upgraded it the project worked but the user-uploaded content was uploaded to the filesystem instead of S3. This happened because my DEFAULT_FILE_STORAGE setting was ignored so it fall back to the STORAGES default (​https://docs.djangoproject.com/en/5.0/ref/settings/#storages):

{
    "default": {
        "BACKEND": "django.core.files.storage.FileSystemStorage",
    },
    "staticfiles": {
        "BACKEND": "django.contrib.staticfiles.storage.StaticFilesStorage",
    },
}

I know that the release notes mention that these settings are removed but since I fell for it there may be also other users that experience the same problems.

My recommendation is to provide a patch in 5.1 that uses the checks framewortk (​https://docs.djangoproject.com/en/5.0/topics/checks/) to make sure that there is no DEFAULT_FILE_STORAGE (and probably a STATICFILES_STORAGE) setting and do not allow starting the project unless the user fixes it.

[Natalia Bidart]

Hello Serafeim Papastefanos, thank you for taking the time to create this report. While I do understand your situation, please note that Django has a strict deprecation policy described in ​this doc link, where it indicates that a deprecation should last for at least 2 feature releases, including the raising of deprecation warnings accordingly.

There is also ​a doc describing in detail the recommended steps to upgrade Django to a newer version, which explains how to use the -Wall Python flag to catch and fix deprecations early.

Specifically, in Django 4.2, when running any Django command with this -Wall Python flag, the following deprecation message was being shown:

RemovedInDjango51Warning: The DEFAULT_FILE_STORAGE setting is deprecated. Use STORAGES instead.

Because of the above, and because Django can't possibly add a check for every possible misconfiguration of a Django project, I'll be closing this ticket accordingly.
If you disagree, you can consider starting a new conversation on the ​Django Forum, where you'll reach a wider audience and likely get extra feedback. More information in ​the documented guidelines for requesting features.

[Serafeim Papastefanos]

Hello Natalia Bidart, I understand and will try to integrate -Wall to my management commands from now on.

Kind regards,
Serafeim

[Natalia Bidart]

There is an on-going conversation about a related topic in the Forum so we may re-open this ticket. Further details: ​https://forum.djangoproject.com/t/deprecation-of-default-file-storage-can-we-easen-the-migration/34284

[Natalia Bidart]

Edited the description to match what was agreed on the referenced forum topic.

[Adam Johnson]

I did a quick grep for setting.*removed in docs/releases and found the below. It’s likely incomplete but a good starting place. I think we shouldn’t have a cut off and should feature all these settings in the check. Projects can be very long-lived...

5.1

• DEFAULT_FILE_STORAGE
• STATICFILES_STORAGE

5.0

• DATABASES->name->TEST->SERIALIZE
• USE_L10N
• USE_DEPRECATED_PYTZ
• CSRF_COOKIE_MASKED

4.1

• CSRF_COOKIE_MASKED

4.0

• SECURE_BROWSER_XSS_FILTER
• PASSWORD_RESET_TIMEOUT_DAYS
• DEFAULT_HASHING_ALGORITHM

3.1

• FILE_CHARSET

3.0

• DEFAULT_CONTENT_TYPE

2.1

• USE_ETAGS

1.10

• LOGOUT_URL
• ALLOWED_INCLUDE_ROOTS
• TEMPLATE_CONTEXT_PROCESSORS
• TEMPLATE_DEBUG
• TEMPLATE_DIRS
• TEMPLATE_LOADERS
• TEMPLATE_STRING_IF_INVALID

1.8

• SEND_BROKEN_LINK_EMAILS
• CACHE_MIDDLEWARE_ANONYMOUS_ONLY

[Natalia Bidart]

Adding to the above, one obvious candidate I see missing is the set of DATABASE_* settings. I think another key file to inspect is docs/internals/deprecation.txt.

[Derek Bantel]

In the forum discussion for this ticket, it seems to have someone working on it. If that is not true could this ticket be assigned to me?

[Tim Graham]

While I see some benefit of the proposed check, it's also possible for users to define their own custom settings. Thus, I'm not sure it's reasonable to disallow these names for the rest of time.

[Ronny Vedrilla]

Hi there! I created the first PR, thx Adam for your list. I asked GPT as well and came up with a list, which we have do double-check. Furthermore, it might be a good idea to go back until v1? After all, it's Django, right?

[Ronny Vedrilla]

@Tim: You are right and we talked about that. But since maintenance is a huge thing in a softwares lifecycle, all the help you can get is a huge plus IMHO.

Therefore I argue in favour of somehow "disencouraging" variables that were already used by the framework. If someone really insists on naming a variable this way (why should you have such a strong opinion about it?), you can still disable the check, right?

[Ronny Vedrilla]

@Derek Bantel: I've started working on it but need some support. If you want to join, please, feel free to do so 🙂

[Derek Bantel]

Replying to Ronny Vedrilla:

@Derek Bantel: I've started working on it but need some support. If you want to join, please, feel free to do so 🙂

Will do thanks, Ronny.

[Ronny Vedrilla]

We came up with a first version. Would be happy about some more thoughts/reviews 🙂

[Ronny Vedrilla]

Added new feature to 5.2 release notes

[Tim Graham]

I remain unconvinced that this is a wise change. Are we going to document an ever growing list of ​a disallowed settings names? Disallowing something so generic as LOGOUT_URL seems like it will cause unneeded annoyance.

Although the check could be disabled (usage of one disallowed setting requires disabling the check completely), this is more of a backward-incompatible change than a new feature.

We have had ​temporary compatibility checks to point out deprecated settings. I guess that may have been more visible than a deprecation warning in the case of DEFAULT_FILE_STORAGE.

[Natalia Bidart]

Replying to Tim Graham:

I remain unconvinced that this is a wise change. Are we going to document an ever growing list of ​a disallowed settings names? Disallowing something so generic as LOGOUT_URL seems like it will cause unneeded annoyance.

Although the check could be disabled (usage of one disallowed setting requires disabling the check completely), this is more of a backward-incompatible change than a new feature.

We have had ​temporary compatibility checks to point out deprecated settings. I guess that may have been more visible than a deprecation warning in the case of DEFAULT_FILE_STORAGE.

Hey Tim, thank you for sharing your thoughts. I appreciate your engagement. However, I want to clarify that the change was discussed and agreed upon in the Django Forum, which is where these conversations typically take place. The audience for ticket comments is smaller, so I encourage you to continue the discussion in the forum. This way, we can follow the usual process and involve more people in the conversation.

Personally, I believe practicality beats purity, and in this case, the benefits of letting users know outweigh any potential issues with someone who chose to use a setting name that was deprecated by Django. Having said that, I agree that we should consider a way to ignore a subset of deprecated setting names. I'll consider this when reviewing the PR.