Age | Commit message | Author | Files | Lines |
|
include the mailman password
Due to spamming to arch-announce mail list, we now use a poster password to make sure only authorized
emails are allowed through to the list.
|
|
Django extensions comes with a lot of goodies, including shell_plus. As a default,
included ptpython for default shell, but this can be overridden by installing another
shell (bpython, ipython) and setting the SHELL_PLUS variable on local_settings.py.
|
|
The retro pages have been moved to a separate git repository with static
content.
|
|
Add the content security policy for <form> posts to only allow posts to
the origin from which it's served. This disallows posting forms to a
third party if a browser supports this directive.
|
|
The archweb website contains no <base> elements so this can be
disallowed. Also, frame-ancestors is set to the same value as
X-Frame-Options.
Signed-off-by: Jelle van der Waa <jelle@archlinux.org>
|
|
Add django-csp as dependency to be able to set CSP inside django's
settings and allow setting a CSP_NONCE for inline <script>s in
templates. Since archweb heavily uses this pattern it's the best
compromise.
|
|
The MIT keyserver has been very unstable and slow during the past years. I would suggest using a better alternative.
|
|
Harden the CSRF cookies by allowing them HTTP ONLY and marking them as
secure.
Closes: #173
|
|
Enable X-Content-Type-Options to prevent a browser from sniffing the
MIME type if the content type is not set. Enable cross site filter
protection supported by most browsers.
|
|
By reordering INSTALLED_APPS, a large amount of false positives that
were generated during automated tests are avoided. This is the stated
(and otherwise harmless) work-around as per the Django bug:
https://code.djangoproject.com/ticket/10827
|
|
MIDDLEWARE_CLASSES is deprecated in Django 1.10.
|
|
MirrorLog entries are not cleaned up by default and will clog the
database. The Django settings now define a retention period in days for
how long to keep mirror logs; on every mirrorcheck run older logs will
be removed from the database.
|
|
Built-in template context processors were moved from
django.core.context_processors to django.template.context_processors in
Django 1.8.
|
|
* Update coveragerc to exclude newly located tests
There are now tests under main/tests/* etc, which should be omitted for
coverage.
* omit settings from coverage
settings and local_settings aren't interesting for coverage, omit them.
* remove leftover secure context processor
The secure context processor was used to determine if the cdn served
assets should be loaded over https or http. Since assets are no longer
served with a cdn and the whole site is loaded over https these days,
this code is dead and can be removed.
* packages: Add test for flagging packages out of date
Add simple test cases for flagging packages out of date, should later be
improved to query the Package model for packages and use that data
instead of hardcoding.
|
|
The ISO model was used for the releng feedback form which was removed
earlier. All this code is therefore now unused.
|
|
Remove double #'s everywhere, remove spaces between [], place : directly
after the string and correctly indent the TEMPLATES declaration
|
|
Template debugging was never enabled, since TEMPLATES were defined
before the local_settings were imported. So move the TEMPLATES
definition under the local_settings import.
|
|
Update django, django-jinja version. Use TEMPLATES = [] to configure the
django templates etc. since the old way will be obsolete.
|
|
Continue when local_settings can't be imported for an easier test setup.
Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl>
|
|
Signed-off-by: Evangelos Foutras <evangelos@foutrelis.com>
|
|
Links should not use the port 11371.
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Evangelos Foutras <evangelos@foutrelis.com>
|
|
Signed-off-by: Dan McGee <dan@archlinux.org>
|
|
Signed-off-by: Dan McGee <dan@archlinux.org>
|
|
* Add country column to main mirror list overview page. Most mirrors are
strictly in one country, so do a little magic to show the right
country if it makes sense.
* Use new way of getting country names so we respect the overrides now
present in the django_countries package.
* Make the country selection box on the mirrorlist generation page a lot
taller by default so it is easier to use.
Signed-off-by: Dan McGee <dan@archlinux.org>
|
|
Signed-off-by: Dan McGee <dan@archlinux.org>
|
|
Signed-off-by: Dan McGee <dan@archlinux.org>
|
|
Signed-off-by: Dan McGee <dan@archlinux.org>
|
|
Signed-off-by: Dan McGee <dan@archlinux.org>
|
|
This doesn't do any super optimizations, but does run the very basic
cssmin and jsmin Python tools over the static resources we serve up.
Signed-off-by: Dan McGee <dan@archlinux.org>
|
|
This allows them to be overridden and changed in a central location,
like we do with the SVN URL, PXE boot URL, etc.
Signed-off-by: Dan McGee <dan@archlinux.org>
|
|
This should finally let us crank up the Expires: header to far-future
values in production since updates to JS and CSS files will take effect
immediately.
Some minor removals were made from retro stylesheets as they were
referencing files that don't actually exist because they were missing
from the web archive.
Signed-off-by: Dan McGee <dan@archlinux.org>
|
|
Let's just go with the Django database option for PostgreSQL autocommit
mode instead.
Signed-off-by: Dan McGee <dan@archlinux.org>
|
|
The reason for this is documented in the middleware itself. Without
this, pgbouncer is of little use to us since it has to throw away every
connection we try to route through it because of unclean disconnects.
In theory, with the switch to using pgbouncer for all WSGI originating
connections and adding this middleware, we should see a notable decrease
in connection time to the database.
Signed-off-by: Dan McGee <dan@archlinux.org>
|
|
This is the default now in Django anyway:
https://code.djangoproject.com/ticket/7317
Signed-off-by: Dan McGee <dan@archlinux.org>
|
|
We're not using any of the injected values these context processors
provide in our templates, so remove them from our default config.
Signed-off-by: Dan McGee <dan@archlinux.org>
|
|
See https://docs.djangoproject.com/en/1.4/ref/clickjacking/ for details.
This middleware was added to the default configuration in Django 1.4.
Signed-off-by: Dan McGee <dan@archlinux.org>
|
|
Switch to the news model being able to spit out the HTML version of the
content, and don't use the markup contrib module. This is deprecated as
of Django 1.5 so we can move off it now to save trouble down the road
when it is fully removed.
Signed-off-by: Dan McGee <dan@archlinux.org>
|
|
Signed-off-by: Dan McGee <dan@archlinux.org>
|
|
Signed-off-by: Dan McGee <dan@archlinux.org>
|
|
We're not using cache middleware anymore, and this bug is fixed anyway.
Signed-off-by: Dan McGee <dan@archlinux.org>
|
|
This adds these columns and attempts to populate them with data from our
existing country column data.
Signed-off-by: Dan McGee <dan@archlinux.org>
|
|
Move this model into the devel/ application, and move the PGPKeyField
which is used only by these models into the application as well. This
involves updating some old migrations along the way to ensure we don't
reference a field class that no longer exists.
Signed-off-by: Dan McGee <dan@archlinux.org>
|
|
Signed-off-by: Dan McGee <dan@archlinux.org>
|