plain 0.10.0__py3-none-any.whl → 0.12.0__py3-none-any.whl

plain/http/request.py

@@ -267,12 +267,12 @@ class HttpRequest:
 
     @property
     def scheme(self):
-        if settings.SECURE_PROXY_SSL_HEADER:
+        if settings.HTTPS_PROXY_HEADER:
             try:
-                header, secure_value = settings.SECURE_PROXY_SSL_HEADER
+                header, secure_value = settings.HTTPS_PROXY_HEADER
             except ValueError:
                 raise ImproperlyConfigured(
-                    "The SECURE_PROXY_SSL_HEADER setting must be a tuple containing "
+                    "The HTTPS_PROXY_HEADER setting must be a tuple containing "
                     "two values."
                 )
             header_value = self.META.get(header)

plain/preflight/__init__.py

@@ -15,8 +15,7 @@ from .registry import register, run_checks
 
 # Import these to force registration of checks
 import plain.preflight.files  # NOQA isort:skip
-import plain.preflight.security.base  # NOQA isort:skip
-import plain.preflight.security.csrf  # NOQA isort:skip
+import plain.preflight.security  # NOQA isort:skip
 import plain.preflight.urls  # NOQA isort:skip
 
 

plain/preflight/{security/base.py → security.py}

@@ -16,40 +16,6 @@ SECRET_KEY_WARNING_MSG = (
     f"vulnerable to attack."
 )
 
-# TODO
-W001 = Warning(
-    "You do not have 'plain.middleware.https.HttpsRedirectMiddleware' "
-    "in your MIDDLEWARE so the SECURE_HSTS_SECONDS, "
-    "SECURE_CONTENT_TYPE_NOSNIFF, SECURE_REFERRER_POLICY, "
-    "SECURE_CROSS_ORIGIN_OPENER_POLICY, and HTTPS_REDIRECT_ENABLED settings will "
-    "have no effect.",
-    id="security.W001",
-)
-
-W008 = Warning(
-    "Your HTTPS_REDIRECT_ENABLED setting is not set to True. "
-    "Unless your site should be available over both SSL and non-SSL "
-    "connections, you may want to either set this setting True "
-    "or configure a load balancer or reverse-proxy server "
-    "to redirect all connections to HTTPS.",
-    id="security.W008",
-)
-
-W009 = Warning(
-    SECRET_KEY_WARNING_MSG % "SECRET_KEY",
-    id="security.W009",
-)
-
-W018 = Warning(
-    "You should not have DEBUG set to True in deployment.",
-    id="security.W018",
-)
-
-W020 = Warning(
-    "ALLOWED_HOSTS must not be empty in deployment.",
-    id="security.W020",
-)
-
 W025 = Warning(SECRET_KEY_WARNING_MSG, id="security.W025")
 
 
@@ -69,7 +35,16 @@ def check_secret_key(package_configs, **kwargs):
         passed_check = False
     else:
         passed_check = _check_secret_key(secret_key)
-    return [] if passed_check else [W009]
+    return (
+        []
+        if passed_check
+        else [
+            Warning(
+                SECRET_KEY_WARNING_MSG % "SECRET_KEY",
+                id="security.W009",
+            )
+        ]
+    )
 
 
 @register(deploy=True)
@@ -91,9 +66,27 @@ def check_secret_key_fallbacks(package_configs, **kwargs):
 @register(deploy=True)
 def check_debug(package_configs, **kwargs):
     passed_check = not settings.DEBUG
-    return [] if passed_check else [W018]
+    return (
+        []
+        if passed_check
+        else [
+            Warning(
+                "You should not have DEBUG set to True in deployment.",
+                id="security.W018",
+            )
+        ]
+    )
 
 
 @register(deploy=True)
 def check_allowed_hosts(package_configs, **kwargs):
-    return [] if settings.ALLOWED_HOSTS else [W020]
+    return (
+        []
+        if settings.ALLOWED_HOSTS
+        else [
+            Warning(
+                "ALLOWED_HOSTS must not be empty in deployment.",
+                id="security.W020",
+            )
+        ]
+    )

plain/runtime/global_settings.py

@@ -50,6 +50,20 @@ HTTPS_REDIRECT_ENABLED = True
 HTTPS_REDIRECT_EXEMPT = []
 HTTPS_REDIRECT_HOST = None
 
+# If your Plain app is behind a proxy that sets a header to specify secure
+# connections, AND that proxy ensures that user-submitted headers with the
+# same name are ignored (so that people can't spoof it), set this value to
+# a tuple of (header_name, header_value). For any requests that come in with
+# that header/value, request.is_https() will return True.
+# WARNING! Only set this if you fully understand what you're doing. Otherwise,
+# you may be opening yourself up to a security risk.
+HTTPS_PROXY_HEADER = None
+
+# Whether to use the X-Forwarded-Host and X-Forwarded-Port headers
+# when determining the host and port for the request.
+USE_X_FORWARDED_HOST = False
+USE_X_FORWARDED_PORT = False
+
 # A secret key for this particular Plain installation. Used in secret-key
 # hashing algorithms. Set this in your settings, or Plain will complain
 # loudly.
@@ -88,21 +102,9 @@ DATA_UPLOAD_MAX_NUMBER_FILES = 100
 # (i.e. "/tmp" on *nix systems).
 FILE_UPLOAD_TEMP_DIR = None
 
-USE_X_FORWARDED_HOST = False
-USE_X_FORWARDED_PORT = False
-
 # User-defined overrides for error views by status code
 HTTP_ERROR_VIEWS: dict[int] = {}
 
-# If your Plain app is behind a proxy that sets a header to specify secure
-# connections, AND that proxy ensures that user-submitted headers with the
-# same name are ignored (so that people can't spoof it), set this value to
-# a tuple of (header_name, header_value). For any requests that come in with
-# that header/value, request.is_https() will return True.
-# WARNING! Only set this if you fully understand what you're doing. Otherwise,
-# you may be opening yourself up to a security risk.
-SECURE_PROXY_SSL_HEADER = None
-
 ##############
 # MIDDLEWARE #
 ##############

{plain-0.10.0.dist-info → plain-0.12.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: plain
-Version: 0.10.0
+Version: 0.12.0
 Summary: A web framework for building products with Python.
 Author: Dave Gaeddert
 Author-email: dave.gaeddert@dropseed.dev

{plain-0.10.0.dist-info → plain-0.12.0.dist-info}/RECORD

@@ -29,7 +29,7 @@ plain/http/README.md,sha256=00zLFQ-FPjYXu3A8QsLhCCXxaT0ImvI5I-8xd3dp8WA,7
 plain/http/__init__.py,sha256=DIsDRbBsCGa4qZgq-fUuQS0kkxfbTU_3KpIM9VvH04w,1067
 plain/http/cookie.py,sha256=11FnSG3Plo6T3jZDbPoCw7SKh9ExdBio3pTmIO03URg,597
 plain/http/multipartparser.py,sha256=Z2PFDuGucj_nFnQagwdxowJcZHqzCfDApkXl5yRlRe4,27325
-plain/http/request.py,sha256=CrfXx-Som5AOM5WU62CTuv01VpFTz_qMLQS1Jx9Rwew,26005
+plain/http/request.py,sha256=kOXN9uhgtgbd1IC25-oRupYlCofacE1jyoDZRlg2v5k,25990
 plain/http/response.py,sha256=h43Gx4PVPGEf63EHHrABYtwYu-8Y9mgAebwiGt8qeLE,24074
 plain/internal/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 plain/internal/files/README.md,sha256=kMux-NU5qiH0o1K8IajYQT8VjrYl_jLk9LkGG_kGuSc,45
@@ -61,17 +61,15 @@ plain/packages/config.py,sha256=6Vdf1TEQllZkkEvK0WK__zHJYT9nxmS3EyYrbuq0GkM,1120
 plain/packages/registry.py,sha256=Bihdu1sOVslmb2CHAJbMqqzsLIPn0FkqwHoD_JrfZy4,17936
 plain/paginator.py,sha256=4v5SbYotJH9HoNdzf-1j-AEy4ZLbLPuysf-VME4-6e0,6055
 plain/preflight/README.md,sha256=fgcfVRD6rq7IO8AffQhk49c-6akxaE8MQidRp69InDQ,59
-plain/preflight/__init__.py,sha256=jQuVhsC8FCEEMTKV1HK3mYz0cD03bI_3_evKcW4X8hw,668
+plain/preflight/__init__.py,sha256=H-TNRvaddPtOGmv4RXoc1fxDV1AOb7_K3u7ECF8mV58,607
 plain/preflight/files.py,sha256=wbHCNgps7o1c1zQNBd8FDCaVaqX90UwuvLgEQ_DbUpY,510
 plain/preflight/messages.py,sha256=u0oc7q7YmBlKYJRcF5SQpzncfOkEzDhZTcpyclQDfHg,2427
 plain/preflight/registry.py,sha256=ZpxnZPIklXuT8xZVTxCUp_IER3zhd7DdfsmqIpAbLj4,2306
-plain/preflight/security/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-plain/preflight/security/base.py,sha256=nsv-g-bFr_188mkOQwC1ZDnyS0rE6eZED8xZT-FEM8M,3074
-plain/preflight/security/csrf.py,sha256=8dKzs5kQwTTKeyfHbkrzdPk3OEoUN8mc-0xhSBo1KmM,1175
+plain/preflight/security.py,sha256=n4X71leOFKqalvEPH3QwVzMs5FB7xu840EEYpLj6Ymw,2617
 plain/preflight/urls.py,sha256=O4PQ_v205VA2872fQlhPfxaihDDRCsVp0ZVKQ92aX4k,3019
 plain/runtime/README.md,sha256=Q8VVO7JRGuYrDxzuYL6ptoilhclbecxKzpRXKgbWGkU,2061
 plain/runtime/__init__.py,sha256=DH8TwKTGJhjviOy4yh_d051v8YGaAWMlFBPhK8ZuC9g,1499
-plain/runtime/global_settings.py,sha256=SeW8vVk4rOQyABhRa_5USe8ru_ZDhyiNYz0yhGx0blg,5438
+plain/runtime/global_settings.py,sha256=_FaHDQjtLDoRCTv1-2EEA8GZWCiCVPJHIm_O7OxwrsU,5554
 plain/runtime/user_settings.py,sha256=-1xXUggueuOF3YlgnLfeyG55CUvR3azOGWr2UkTOmfs,11259
 plain/signals/README.md,sha256=cd3tKEgH-xc88CUWyDxl4-qv-HBXx8VT32BXVwA5azA,230
 plain/signals/__init__.py,sha256=eAs0kLqptuP6I31dWXeAqRNji3svplpAV4Ez6ktjwXM,131
@@ -141,8 +139,8 @@ plain/views/objects.py,sha256=9QBYyb8PgkRirXCQ8-Pms4_yMzP37dfeL30hWRYmtZg,7909
 plain/views/redirect.py,sha256=KLnlktzK6ZNMTlaEiZpMKQMEP5zeTgGLJ9BIkIJfwBo,1733
 plain/views/templates.py,sha256=nF9CcdhhjAyp3LB0RrSYnBaHpHzMfPSw719RCdcXk7o,2007
 plain/wsgi.py,sha256=R6k5FiAElvGDApEbMPTT0MPqSD7n2e2Az5chQqJZU0I,236
-plain-0.10.0.dist-info/LICENSE,sha256=m0D5O7QoH9l5Vz_rrX_9r-C8d9UNr_ciK6Qwac7o6yo,3175
-plain-0.10.0.dist-info/METADATA,sha256=SwlNbU7qUpXXojHWCorLfkK8RYYI03YyVPgfv3Y19yY,2722
-plain-0.10.0.dist-info/WHEEL,sha256=Nq82e9rUAnEjt98J6MlVmMCZb-t9cYE2Ir1kpBmnWfs,88
-plain-0.10.0.dist-info/entry_points.txt,sha256=7O1RZTmMasKYB73bfqQcTwIhsXo7RjEIKv2WbtTtOIM,39
-plain-0.10.0.dist-info/RECORD,,
+plain-0.12.0.dist-info/LICENSE,sha256=m0D5O7QoH9l5Vz_rrX_9r-C8d9UNr_ciK6Qwac7o6yo,3175
+plain-0.12.0.dist-info/METADATA,sha256=eaEqCJ_ZZATzE_wZcodAprf9OO-aru1xTeWRADCCeMo,2722
+plain-0.12.0.dist-info/WHEEL,sha256=Nq82e9rUAnEjt98J6MlVmMCZb-t9cYE2Ir1kpBmnWfs,88
+plain-0.12.0.dist-info/entry_points.txt,sha256=7O1RZTmMasKYB73bfqQcTwIhsXo7RjEIKv2WbtTtOIM,39
+plain-0.12.0.dist-info/RECORD,,

plain/preflight/security/csrf.py

@@ -1,36 +0,0 @@
-from plain.runtime import settings
-
-from .. import Warning, register
-
-W003 = Warning(
-    "You don't appear to be using Plain's built-in "
-    "cross-site request forgery protection via the middleware "
-    "('plain.csrf.middleware.CsrfViewMiddleware' is not in your "
-    "MIDDLEWARE). Enabling the middleware is the safest approach "
-    "to ensure you don't leave any holes.",
-    id="security.W003",
-)
-
-W016 = Warning(
-    "You have 'plain.csrf.middleware.CsrfViewMiddleware' in your "
-    "MIDDLEWARE, but you have not set CSRF_COOKIE_SECURE to True. "
-    "Using a secure-only CSRF cookie makes it more difficult for network "
-    "traffic sniffers to steal the CSRF token.",
-    id="security.W016",
-)
-
-
-def _csrf_middleware():
-    return "plain.csrf.middleware.CsrfViewMiddleware" in settings.MIDDLEWARE
-
-
-@register(deploy=True)
-def check_csrf_middleware(package_configs, **kwargs):
-    passed_check = _csrf_middleware()
-    return [] if passed_check else [W003]
-
-
-@register(deploy=True)
-def check_csrf_cookie_secure(package_configs, **kwargs):
-    passed_check = not _csrf_middleware() or settings.CSRF_COOKIE_SECURE is True
-    return [] if passed_check else [W016]