Re: #28398: Allow management command invocation to suggest for incomplete commands?

[Tom Forbes]

Vlada:
I think this is a great idea for improving the usability of manage.py,
especially for newcomers. When I looked your current implementation used a
simple 'in' to find suggestions, but this is not great for the most
obvious/common use case: typos.

I would strongly advocate for using the levenshtein distance algorithm if
this does get merged, there are some simple and succinct python
implementations we can use, and the algorithm itself is what git uses to
suggest commands (and I've always found that quite good).

Brice:
You are right in that this is a case that could happen in part due to this
feature, but it's a long shot and IMO the benefits outweigh the risks. This
can happen without this feature anyway - if someone is typing in random
manage.py commands without thinking then issues can and will arise. The
only preventative measure we could take would be to add an "are you sure?"
prompt after every manage.py invocation which is not a great idea overall.

For newcomers though this could be great, seeing the 'command not found'
message can be confusing and unhelpful, any help we can add to that is a
good thing IMO. Adding stars to the command invocation can be even more
confusing as users have to escape them (and if they don't they could end up
running random commands) and it's not terribly nice UI wise.

Built in shell autocompletion would be the best way forward in this case,
at least for non-windows users. Kubectl has a nice way of doing this:
source <(kubectl completion bash|zsh). Maybe something like this could be
adapted for manage.py?


On 17 Jul 2017 08:49, "Brice PARENT"  wrote:

Hi!

I'm not sure how I feel about that. It feels like a good idea at first, but
it might lead to dangerous behaviours.

Let me explain my thought: having such a feature would encourage people to
use it (of course). Doing so can lead so side effects. For example,  if, in
a project you're working on, you want to use a custom management command
named "migrate_data_to_other_server", you might end up typing "./manage.oy
migrate" in hope for the system to display the exact name that you probably
have forgotten. But it won't, it will migrate your database instead. What I
mean is that executing commands that shouldn't work on purpose might lead
to executing the wrong command instead. And management commands might be
dangerous if not used at the right time (I've seen management commands
being used to push code to production for example. Executing them by error
in a dev environment might be a real issue!).

I'd prefer to encourage the use of "./manage.py help", which lists all
available commands, or use masks when searching for a command ("./manage.py
migrate*"). When you want to look for the name of a command, you'd know
that adding a star somewhere won't execute anything other than listing
available commands matching the value you just gave. And every developer
knows (I think) how to use wildcards.

-Brice

Le 15/07/17 à 18:36, Vláďa Macek a écrit :

Hi everyone,

I had an idea that would save me time working with Django:

The manage.py wouldn't only print "Unknown command" when incomplete
subcommand name given, but also print those available by substring search.

https://code.djangoproject.com/ticket/28398

I added a screenshot and a patch there.

In my opinion, such first implementation could be as simple as that.
Smarter versions may come later.

As suggested by Tim Graham (thanks, Tim), I resort here for opinions.

Thank you,

Vlada Macek

-- 
You received this message because you are subscribed to the Google Groups
"Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/
msgid/django-developers/5abdab10-e9e2-4dbd-81c7-ffd492781977%40googlegroups.
com

.
For more options, visit https://groups.google.com/d/optout.


-- 
You received this message because you are subscribed to the Google Groups
"Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/
msgid/django-developers/d67e85bc-c117-d527-d4f3-791782c15acd%40brice.xyz

.

For more options, visit https://groups

Re: #28398: Allow management command invocation to suggest for incomplete commands?

[Adam Johnson]

I feel like this mostly duplicates the bash completion logic we have, which
is also more standard across other CLI's

However I agree with Tom that correcting for typos is the main use case,
using levehshtein distance is a good idea.

Another thing that some CLI's have, like npm or arc is auto-correction for
common typos, e.g. ./manage.py mgriate could print out a message 'Assuming
you meant migrate' and then continue executing migrate, not sure if this is
the best for Django though where commands can be arbitrarily added by third
party apps.



On 17 July 2017 at 09:47, Tom Forbes  wrote:

> Vlada:
> I think this is a great idea for improving the usability of manage.py,
> especially for newcomers. When I looked your current implementation used a
> simple 'in' to find suggestions, but this is not great for the most
> obvious/common use case: typos.
>
> I would strongly advocate for using the levenshtein distance algorithm if
> this does get merged, there are some simple and succinct python
> implementations we can use, and the algorithm itself is what git uses to
> suggest commands (and I've always found that quite good).
>
> Brice:
> You are right in that this is a case that could happen in part due to this
> feature, but it's a long shot and IMO the benefits outweigh the risks. This
> can happen without this feature anyway - if someone is typing in random
> manage.py commands without thinking then issues can and will arise. The
> only preventative measure we could take would be to add an "are you sure?"
> prompt after every manage.py invocation which is not a great idea overall.
>
> For newcomers though this could be great, seeing the 'command not found'
> message can be confusing and unhelpful, any help we can add to that is a
> good thing IMO. Adding stars to the command invocation can be even more
> confusing as users have to escape them (and if they don't they could end up
> running random commands) and it's not terribly nice UI wise.
>
> Built in shell autocompletion would be the best way forward in this case,
> at least for non-windows users. Kubectl has a nice way of doing this:
> source <(kubectl completion bash|zsh). Maybe something like this could be
> adapted for manage.py?
>
>
> On 17 Jul 2017 08:49, "Brice PARENT"  wrote:
>
> Hi!
>
> I'm not sure how I feel about that. It feels like a good idea at first,
> but it might lead to dangerous behaviours.
>
> Let me explain my thought: having such a feature would encourage people to
> use it (of course). Doing so can lead so side effects. For example,  if, in
> a project you're working on, you want to use a custom management command
> named "migrate_data_to_other_server", you might end up typing
> "./manage.oy migrate" in hope for the system to display the exact name that
> you probably have forgotten. But it won't, it will migrate your database
> instead. What I mean is that executing commands that shouldn't work on
> purpose might lead to executing the wrong command instead. And management
> commands might be dangerous if not used at the right time (I've seen
> management commands being used to push code to production for example.
> Executing them by error in a dev environment might be a real issue!).
>
> I'd prefer to encourage the use of "./manage.py help", which lists all
> available commands, or use masks when searching for a command ("./manage.py
> migrate*"). When you want to look for the name of a command, you'd know
> that adding a star somewhere won't execute anything other than listing
> available commands matching the value you just gave. And every developer
> knows (I think) how to use wildcards.
>
> -Brice
>
> Le 15/07/17 à 18:36, Vláďa Macek a écrit :
>
> Hi everyone,
>
> I had an idea that would save me time working with Django:
>
> The manage.py wouldn't only print "Unknown command" when incomplete
> subcommand name given, but also print those available by substring search.
>
> https://code.djangoproject.com/ticket/28398
>
> I added a screenshot and a patch there.
>
> In my opinion, such first implementation could be as simple as that.
> Smarter versions may come later.
>
> As suggested by Tim Graham (thanks, Tim), I resort here for opinions.
>
> Thank you,
>
> Vlada Macek
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-developers+unsubscr...@googlegroups.com.
> To post to this group, send email to django-developers@googlegroups.com.
> Visit this group at https://groups.google.com/group/django-developers.
> To view this discussion on the web visit https://groups.google.com/d/ms
> gid/django-developers/5abdab10-e9e2-4dbd-81c7-ffd492781977%
> 40googlegroups.com
> 
> .
> For more options, visit https://gr

Re: Should the Django session-id be hashed?

['Chris Griffin' via Django developers (Contributions to Django itself)]

Hi Everyone,

I took a stab at implementing this. I'd appreciate any feedback on the PR 
. The 8tracks leak over the 
weekend  
highlights 
the importance of hashing session ids. The attacker only gained access to 
backups of the database. AFAIK with the current version of Django, the 
attacker would've been able to login as any user that hadn't been logged 
out by simply setting a cookie. By storing the session ids as hashes, we 
can effectively mitigate this attack vector.

Thanks for the feedback,

Chris

On Thursday, September 22, 2016 at 2:41:22 PM UTC-4, Aymeric Augustin wrote:
>
> On 22 Sep 2016, at 20:32, James Bennett > 
> wrote: 
>
> > So personally I'd like to hear some more about why this is seen as 
> necessary before I'd endorse work to actually implement it. 
>
>
> The reason why I originally filed a security report is that session stores 
> tend to have less focus on security than databases. 
>
> Of course this is a moot point when sessions are stored in the database, 
> but I won’t start a debate about why Django still encourages this, this 
> isn’t the point of this thread ;-) 
>
> For example Redis is well known for advertising that it has no security 
> and should only be run within a secure network. (Defense in depth, anyone?) 
> Still a bunch of companies provide Redis as a service, usually on random 
> EC2 instances directly reachable from the Internet. The best ones require 
> going through an SSL endpoint and providing a password, but an attacker can 
> still talk directly to Redis, which is concerning given its stance on 
> security. 
>
> In contrast, the authors of PostgreSQL have implemented an authentication 
> and authorization framework. I’m not qualified to say if it’s robust, but 
> at least it’s better than shrugging off security entirely. 
>
> -- 
> Aymeric. 
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/d7471896-c17e-4c7f-b6eb-757f223229d3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.