Re: Drop CSRF middleware from the settings template

2023-04-17 Thread Jacob Rief
On Monday, April 17, 2023 at 8:45:16 AM UTC+2 Curtis Maloney wrote:

Are you implying that all CSRF attacks protected by Django's current 
machinery are entirely mitigated by SameSite=Lax on the _session_ cookie?

Yes. Therefore imho, the CSRF protection is just some nasty legacy 
developers have to fiddle with. It doesn't add any security benefit anymore.
That said, maybe there is still a possible attack vector on cross-site 
request forgeries, but I was unable to exploit them with disabled CSRF 
protection.
Therefore it would be great if someone with more hacking experience than 
myself could try this.

– Jacob

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/18aaa4cf-4612-4373-bd91-90cfb3fd07b8n%40googlegroups.com.


Re: Proposal: Constructing urls outside the request cycle

2023-04-17 Thread Florian Apolloner
On Sunday, April 16, 2023 at 10:21:20 AM UTC+2 Adam Johnson wrote:

One question though, how will we support projects that are served at 
multiple domains? Would Django only support the "main" site through 
BASE_URL and require you to perform URL construction for other domains as 
required?


As usual it depends (tm) :D As long as `reverse` keeps generating URLs 
without a host then we'd only use BASE_URL as a fallback in certain cases 
where no request is available. In the long run I'd love to support something 
along the lines of 
https://werkzeug.palletsprojects.com/en/2.2.x/routing/#werkzeug.routing.Subdomain
and then `reverse` would probably be able to generate the proper URLs. But yes, 
there are certainly many things to think about.



Re: Select API choice when starting new project.

2023-04-17 Thread Florian Apolloner
Hi, this is something which is already supported via the template argument 
to startproject/startapp.

Cheers,
florian

On Sunday, April 16, 2023 at 11:47:44 PM UTC+2 Daniel Azubuine wrote:

> When starting a new Django project, the user can select if he wants to 
> build an API or use the Django template. 
> If he chooses API, then Django REST framework will be installed, and then 
> serializers.py will be added to the folders.



Re: Drop CSRF middleware from the settings template

2023-04-17 Thread Jure Erznožnik

https://security.stackexchange.com/questions/262245/are-csrf-attacks-a-thing-of-the-past

Looks like Lax will do the trick, but it's not like there aren't legit 
cases for the same-site policy to be set to something less restrictive.


LP,
Jure

On 17. 04. 23 09:24, Jacob Rief wrote:

On Monday, April 17, 2023 at 8:45:16 AM UTC+2 Curtis Maloney wrote:

Are you implying that all CSRF attacks protected by Django's
current machinery are entirely mitigated by SameSite=Lax on the
_session_ cookie?

Yes. Therefore imho, the CSRF protection is just some nasty legacy 
developers have to fiddle with. It doesn't add any security benefit 
anymore.
That said, maybe there is still a possible attack vector on cross-site 
request forgeries, but I was unable to exploit them with disabled CSRF 
protection.
Therefore it would be great if someone with more hacking experience 
than myself could try this.


– Jacob


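Jacob's claim and Jure's caveat can be checked against a small model of when a browser attaches a cookie to a cross-site request. This is an added example, not code from the thread or from Django: it encodes the SameSite attribute semantics for 'Strict', 'Lax' and 'None' (a missing attribute is modelled as a browser that does not default to Lax), assumes Django's convention that safe methods never change state, and the function names `cookie_sent`, `forged_request_succeeds` and `audit` are hypothetical.

```python
"""Model of browser cookie attachment under SameSite, used to compare
SameSite=Lax on the session cookie with a CSRF token check.
Constructed example: the rules below follow the SameSite attribute
semantics as a browser applies them, not Django's implementation."""

# The same set of methods Django's CsrfViewMiddleware exempts from the token check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def cookie_sent(samesite, cross_site, method, top_level):
    """True if the browser attaches the cookie to the request.

    samesite: 'Strict', 'Lax', 'None', or None (attribute absent; modelled
    as a browser without Lax-by-default, so the cookie is always sent).
    """
    if not cross_site:
        return True
    if samesite == "Strict":
        return False
    if samesite == "Lax":
        # Lax cookies cross a site boundary only on top-level safe-method navigations.
        return top_level and method in SAFE_METHODS
    return True  # 'None' (must also be Secure) or no attribute at all


def forged_request_succeeds(samesite, method, top_level, csrf_check):
    """True if a cross-site request reaches a state-changing view with the
    victim's session cookie attached and is not rejected by a token check."""
    if method in SAFE_METHODS:
        return False  # nothing to forge as long as safe methods never mutate state
    if not cookie_sent(samesite, True, method, top_level):
        return False  # the request arrives unauthenticated
    return not csrf_check


def audit(session_samesite, csrf_middleware_enabled):
    """Which cross-site POST shapes a deployment is exposed to.
    A cross-site <form> post is a top-level navigation; a fetch()/XHR post is not."""
    return {
        "form_post": forged_request_succeeds(session_samesite, "POST", True, csrf_middleware_enabled),
        "fetch_post": forged_request_succeeds(session_samesite, "POST", False, csrf_middleware_enabled),
    }
```

`audit("Lax", False)` comes out clean, which is the situation Jacob tested, while `audit("None", False)` shows why the less restrictive deployments Jure mentions still need the middleware. The model also makes visible that Lax still sends the cookie on a cross-site top-level GET, so the guarantee rests on GET views not changing state.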


Re: Fellow Reports - April 2023

2023-04-17 Thread Mariusz Felisiak
Week ending April 16, 2023

*Triaged:*
https://code.djangoproject.com/ticket/34480 - Annotating with Chr 
raises ValueError (accepted)
https://code.djangoproject.com/ticket/34481 - Admin check for reversed 
foreign key used in "list_display" (accepted)
https://code.djangoproject.com/ticket/34482 - Unable to access 
"non-picklable" attributes of empty HttpRequest and HttpResponse objects 
after shallow copy. (accepted)
https://code.djangoproject.com/ticket/34483 - Negative result of 
django.utils.timesince.timesince (accepted)
https://code.djangoproject.com/ticket/34486 - SearchHeadline crashes 
without an active connection. (accepted)
https://code.djangoproject.com/ticket/34484 - HttpRequest.__deepcopy__ 
doesn't deepcopy attributes (accepted)
https://code.djangoproject.com/ticket/34487 - Django crashes due to 
ManifestStaticFilesStorage plugin in 4.2 (needsinfo)
https://code.djangoproject.com/ticket/34488 - ClearableFileInput widget 
forgets "Clear" selection when form is not valid (duplicate)
https://code.djangoproject.com/ticket/34492 - I get an error when using 
BinaryField in sqllite3. (invalid)
https://code.djangoproject.com/ticket/34491 - Unable to have 
constraints with same name on different models (wontfix)
https://code.djangoproject.com/ticket/34493 - wrong translation 
(invalid)
https://code.djangoproject.com/ticket/34494 - This is suggestion about 
customizing AdminSite documents (invalid)
https://code.djangoproject.com/ticket/34496 - 
ManifestStaticFilesStorage.patterns for sourceMappingURL does not retrieve 
matched line to return for for example data URI (needsinfo)
https://code.djangoproject.com/ticket/34498 - error 403 in login in 
django (invalid)
https://code.djangoproject.com/ticket/34495 - Queryset update fails 
when updating parent model field with default ordering on MySQL backend 
(worksforme)
https://code.djangoproject.com/ticket/34499 - In tutorial part08, 
Django debug toolbar shows up in admin site but not in public site (wontfix)

*Reviewed/committed:*
https://github.com/django/django/pull/16735 - Fixed #34455 -- Restored 
i18n_patterns() respect of prefix_default_language argument when fallback 
language is used.
https://github.com/django/django/pull/16750 - Fixed #34480 -- Fixed 
crash of annotations with Chr().
https://github.com/django/djangoproject.com/pull/1346 - Fixed #1341 -- 
Updated info about past and present Django Fellows.
https://github.com/django/django/pull/16749 - Fixed #34394 -- Made 
ASGIRequest respect FORCE_SCRIPT_NAME.
https://github.com/django/django/pull/16746 - Fixed #27505 -- Allowed 
customizing Paginator's error messages.
https://github.com/django/django/pull/16760 - Fixed #34486 -- Fixed 
DatabaseOperations.compose_sql() crash with no existing database connection 
on PostgreSQL.
https://github.com/django/django/pull/16712 - Fixed #34419 -- Doc'd 
django.contrib.admin.sites.all_sites.

*Reviewed:*
https://github.com/django/django/pull/16756 - Fixed #34483 -- Fixed 
timesince()/timeuntil() with timezone-aware dates and interval less than 1 
day.

*Authored:*
https://github.com/django/django/pull/16755 - Fixed #34484, Fixed 
#34482 -- Fixed cloning/deep cloning HttpRequest, HttpResponse, and their 
subclasses.
https://github.com/django/django/pull/16763 - [4.2.x] Refs #34483 -- 
Fixed utils_tests.test_timesince crash on Python 3.8.
https://github.com/django/django/pull/16764 - Refs #34483 -- Fixed 
timesince()/timeuntil() with timezone-aware dates on different days and 
interval less than 1 day.

Best,
Mariusz



Re: Select API choice when starting new project.

2023-04-17 Thread Daniel Azubuine
Thank you, I didn't know.


On Mon, Apr 17, 2023 at 8:26 AM Florian Apolloner wrote:

> Hi, this is something which is already supported via the template argument
> to startproject/startapp.
>
> Cheers,
> florian
>
> On Sunday, April 16, 2023 at 11:47:44 PM UTC+2 Daniel Azubuine wrote:
>
>> When starting a new Django project, the user can select if he wants to
>> build an API or use the Django template.
>> If he chooses API, then Django-rest framework will be installed, and then
>> serializers.py will be added to the folders.


-- 

Best regards,
Daniel Azubuine




Oracle 23c released earlier this month

2023-04-17 Thread David Sanders
Hi folks,

For anyone interested, Oracle 23c was released earlier this month.

There are a couple of interesting features but just looking over the
changes it looks like it resolves some caveats that Django has to supply
workarounds for:

   - There's now a BOOLEAN datatype (from the tickets I've worked on this
   is by far the biggest pain point); quoting from the docs: "This enables you
   to store TRUE and FALSE values in tables and use BOOLEAN expressions in SQL
   statements."
   - SELECT now no longer requires a FROM
   - GROUP BY now supports column aliases & position numbers

I realise that we still support older versions of Oracle but perhaps at
least there's some potential for fixing issues that couldn't be resolved
due to the lack of bools if some version detection was put in place?

There may be a few other interesting tidbits related to Django that I've
missed. Here are the updates for application developers:
https://docs.oracle.com/en/database/oracle/oracle-database/23/nfcoa/application-development.html

Cheers,
David



Re: Oracle 23c released earlier this month

2023-04-17 Thread Mariusz Felisiak
Hi,

  Thanks! Also, they finally updated the VM: 
https://www.oracle.com/database/technologies/databaseappdev-vm.html 
  We still have to wait for a compatible driver; cx_Oracle and 
python-oracledb don't support it yet.

Best,
Mariusz



Re: Fellow Reports - April 2023

2023-04-17 Thread Natalia Bidart
Week ending 2023-04-16 (Week 16)

Triaged:
  https://code.djangoproject.com/ticket/34490 - Tests with mirror database
not working as expected (invalid)
  https://code.djangoproject.com/ticket/34489 - feature: Support for
PostgreSQL table partitioning (needsinfo)

Reviewed:
  https://github.com/django/django/pull/16726 - Solved #10743: Support
lookup separators
  https://github.com/django/django/pull/16756 - Fixed #34484, Fixed #34482
-- Fixed cloning/deep cloning HttpRequest, HttpResponse, and their
subclasses.
  https://github.com/django/django/pull/16759 - Fixed #22569 -- Made
ModelAdmin.lookup_allowed() respect get_list_filter().

Authored:
  https://github.com/django/djangoproject.com/pull/1346 - Fixed #1341 --
Updated info about past and present Django Fellows.
  https://github.com/django/django/pull/16756 - Fixed #34483 -- Fixed
timesince()/timeuntil() with timezone-aware dates and interval less than 1
day.

Other/Misc:
  Security mailing list monitoring and follow ups
  More docs reading
  Set up access to various services and projects
  Investigated and commented on https://code.djangoproject.com/ticket/32847
- Adjust models.E025 system check for updated field descriptor setting.

Cheers! Natalia.

On Tue, Apr 11, 2023 at 10:52 AM Natalia Bidart wrote:

> Week ending April 9, 2023
>
> Hello! I'm Natalia (AKA nessita), the new Django Fellow. I officially
> started on April 1st (really :-)) though I had a slow start since I had a
> long-time planned vacation.
>
> So far I have held catch-up calls with both current and former Django
> Fellows (thanks Mariusz and Carlton for your patience and support!), and I
> have been deep diving into documentation.
>
> I'm looking forward to working with you all!
>
> Thank you!
> Natalia.
>



Re: Oracle 23c released earlier this month

2023-04-17 Thread charettes
Thanks for sharing the news David!

Support for a true BOOLEAN type and GROUP BY position are indeed very 
welcome changes, as they account for a few hacks. I do wonder if that's 
paving the way for grouping by subquery in future versions.

Best,
Simon

On Monday, April 17, 2023 at 08:06:57 UTC-4, Mariusz Felisiak wrote:

> Hi,
>
>   Thanks! Also, they finally updated the VM: 
> https://www.oracle.com/database/technologies/databaseappdev-vm.html 
>   We still have to wait for a compatible driver; cx_Oracle and 
> python-oracledb don't support it yet.
>
> Best,
> Mariusz
>
