In the spirit of thanksgiving, even though it isn’t a tradition here where live, and following the same path as some posts I’ve read today, here’s 5 software tools I’m thankful for.
(Of course this is not a comprehensive list, but today these are the ones that come to my mind)
This tool basically lets us sync files with multiple devices without relying on a central service/server (unlike Dropbox or Google Drive). So we don’t have to rely on a 3rd party service to sync your documents, it is all done in a p2p fashion with high security standards.
No Internet connection? no worries, it works through the local network as well.
I use Borg for most kinds of backups. Many will argue that there are alternatives that do X and Y better, but Borg has all I need for this task and does its job very well. It is compatible with many services, has a nice CLI and several decent GUIs.
Backups are critical, so we should rely on a mature tool that we can trust.
I don’t remember the last time I had “hair pulling” struggles when trying to play a video file or disk. VLC is one of the reasons why (perhaps the biggest of them). It’s a light and versatile Swiss army knife for dealing with video content and it handles whatever I am trying to do: watch a stream, open a video with a strange encoding or even convert between file formats.
Nowadays the mainstream websites are almost unbearable, they are slow, heavy and full of ads (displayed in many formats with all kinds of tricks). Not to mention the huge effort they make to track you “everywhere you go”.
This “little” browser extension takes care of blocking and removing a big chunk of that annoying content, making the pages faster while helping us avoid being followed online.
To finish the list, a programming language and its interpreter. Throughout the last decade I ended up using several programming languages, either on my job and for personal projects, but there is one of them that I always fallback to and is a joy to use.
Easy to read and to write, available almost everywhere, it might not be the a perfect fit for all tasks but allows you to do a lot and quickly.
One of the great builtin features of Django is the admin app. It lets you, among other things, execute the usual CRUD operations on your data, search, filter and execute bulk actions on many records.
However the interface is a bit rigid, by default you have the “dashboard” with the list of models, the page listing your records for each model and the details page for each individual item.
What if you want to display other information to the admins? Such an overview of the system, aggregate data, some statistics, etc.
In this post I will address the steps required to add custom pages to the admin and include them in the main menu of the administration.
The first step is to create a new custom admin website, so we can easily modify its contents and functionality.
from django.contrib import admin
class YourCustomAdminSite(admin.AdminSite):
pass
Now we will have to use this admin site across your project, which means changing your current admin settings to use this “site” (such as your ModelAdmins and your urls.py.
If the above is too much trouble and requires to many changes, this small “hack” before including the admin URLs will also work:
(I chose to extend admin/change_list.html, but the content of this template is up to you, no restrictions here. If you decide to not extend any existing admin template, the last steps of 5. will not apply to your case)
4. Extend the admin URLs
To make this new endpoint accessible, we now have to edit the method that returns all existing URLs of the administration and append our new page.
At this point the custom page should be available at /admin/custom_page/, but users will not be able to find it, since no other link or button points to it.
5. Extend the menu items
The final step is to include a link to the new page in the existing menu, in order for it to be easily accessible. First we need to replace the current index_template:
...
class YourCustomAdminSite(admin.AdminSite):
index_template = "admin/custom_index.html"
...
And add the following content to your new template:
Basically we added a new section to the list containing a link to our new page.
Links were added to the index pageThe custom page we just created
Looking good, the page is there with our content and is accessible through the index page. However many traditional elements on the page are missing (side menu, logout button, etc). To add them we just need some small changes to our view:
Note: The app where you put the above template must be placed before the “admin” app in your “INSTALLED_APPS” list, otherwise the default template will be used anyway.
Custom admin page with all the elements
And for today, this is it. With the above changes you can add as many custom pages to your admin as you need and have full controls over their functionality.
This time I just used this tool to build a “planet” software. You might be wondering about what is a planet, so I will try to explain it in a simple and practical way: A planet is a web page (and RSS feed) that gathers content about a specific topic from multiple other sources and displays them in a chronological order, using the feeds provided by those sources.
This is specially useful if you want to cover all the content and activity of a given community in an open way (without extra intermediaries or curators). A few examples are:
There are other software available for this purpose, such as moonmoon, but if you don’t want to manage a server just for this purpose, Cloudflare workers can be very useful.
So I built worker-planet in order to easily create these community pages without having to worry with managing servers. There are many improvements that can be added, but the base functionality is there, and many configurations and theming options are already supported.
The project is open-source and free (as in freedom) software, so please test it and use it as you wish.
This time I’m gonna address Django’s builtin authentication system, more specifically the ways we can build custom improvements over the already very solid foundations it provides.
The idea for this post came from reading an article summing up some considerations we should have when dealing with passwords. Most of those considerations are about what controls to implement (what “types” of passwords to accept) and how to securely store those passwords. By default Django does the following:
Passwords are stored using PBKDF2. There are also other alternatives such as Argon2 and bcrypt, that can be defined in the setting PASSWORD_HASHERS.
Every Django release the “strength”/cost of this algorithm is increased. For example, version 3.1 applied 216000 iterations and the last version (3.2 at the time of writing) applies 260000. The migration from one to another is done automatically once the user logs in.
There are a set of validators that control the kinds of passwords allowed to be used in the system, such as enforcing a minimum length. These validators are defined on the setting AUTH_PASSWORD_VALIDATORS.
By default when we start a new project these are the included validators :
UserAttributeSimilarityValidator
MinimumLengthValidator
CommonPasswordValidator
NumericPasswordValidator
The names are very descriptive and I would say a good starting point. But as the article mentions the next step is to make sure users aren’t reusing previously breached passwords or using passwords that are known to be easily guessed (even when complying with the other rules). CommonPasswordValidator already does part of this job but with a very limited list (20000 entries).
Improving password validation
So for the rest of this post I will show you some ideas on how we can make this even better. More precisely, prevent users from using a known weak password.
1. Use your own list
The easiest approach, but also the more limited one, is providing your own list to `CommonPasswordValidator`, containing more entries than the ones provided by default. The list must be provided as a file with one entry in lower case per line. It can be set like this:
Another approach is to use an existing and well-known library that evaluates the password, compares it with a list of known passwords (30000) but also takes into account slight variations and common patterns.
To use zxcvbn-python we need to implement our own validator, something that isn’t hard and can be done this way:
# <your_app>/validators.py
from django.core.exceptions import ValidationError
from zxcvbn import zxcvbn
class ZxcvbnValidator:
def __init__(self, min_score=3):
self.min_score = min_score
def validate(self, password, user=None):
user_info = []
if user:
user_info = [
user.email,
user.first_name,
user.last_name,
user.username
]
result = zxcvbn(password, user_inputs=user_info)
if result.get("score") < self.min_score:
raise ValidationError(
"This passoword is too weak",
code="not_strong_enough",
params={"min_score": self.min_score},
)
def get_help_text(self):
return "The password must be long and not obvious"
Then we just need to add to the settings just like the other validators. It’s an improvement but we still can do better.
3. Use “have i been pwned?”
As suggested by the article, a good approach is to make use of the biggest source of leaked passwords we have available, haveibeenpwned.com.
The full list is available for download, but I find it hard to justify a 12GiB dependency on most projects. The alternative is to use their API (documentation available here), but again we must build our own validator.
# <your_app>/validators.py
from hashlib import sha1
from io import StringIO
from django.core.exceptions import ValidationError
import requests
from requests.exceptions import RequestException
class LeakedPasswordValidator:
def validate(self, password, user=None):
hasher = sha1(password.encode("utf-8"))
hash = hasher.hexdigest().upper()
url = "https://api.pwnedpasswords.com/range/"
try:
resp = requests.get(f"{url}{hash[:5]}")
resp.raise_for_status()
except RequestException:
raise ValidationError(
"Unable to evaluate password.",
code="network_failure",
)
lines = StringIO(resp.text).readlines()
for line in lines:
suffix = line.split(":")[0]
if hash == f"{hash[:5]}{suffix}":
raise ValidationError(
"This password has been leaked before",
code="leaked_password",
)
def get_help_text(self):
return "Use a different password"
Then add it to the settings.
Edit: As suggested by one reader, instead of this custom implementation we could use pwned-passwords-django (which does practically the same thing).
And for today this is it. If you have any suggestions for other improvements related to this matter, please share them in the comments, I would like to hear about them.
Sooner or later everybody that works with computers will have to deal with software licenses. Newcomers usually assume that software is either open-source (aka free stuff) or proprietary, but this is a very simplistic view of the world and wrong most of the time.
This topic can quickly become complex and small details really matter. You might find yourself using a piece of software in a way that the license does not allow.
There are many types of open-source licenses with different sets of conditions, while you can use some for basically whatever you want, others might impose some limits and/or duties. If you aren’t familiar with the most common options take look at choosealicense.com.
This is also a topic that was recently the source of a certain level of drama in the industry, when companies that usually released their software and source code with a very permissive license opted to change it, in order to protect their work from certain behaviors they viewed as abusive.
In this post I share my current approach regarding the licenses of the computer programs I end up releasing as FOSS (Free and Open Source Software).
Let’s start with libraries, that is, packages of code containing instructions to solve specific problems, aimed to be used by other software developers in their own apps and programs. On this case, my choice is MIT, a very permissive license which allows it to be used for any purpose without creating any other implications for the end result (app/product/service). In my view this is exactly the aim an open source library should have.
The next category is “apps and tools”, these are regular computer programs aimed to be installed by the end user in his computer. For this scenario, my choice is GPLv3. So I’m providing a tool with the source code for free, that the user can use and modify as he sees fit. The only thing I ask for is: if you modify it in any way, to make it better or address a different scenario, please share your changes using the same license.
Finally, the last category is “network applications”, which are computer programs that can be used through the network without having to install them on the local machine. Here I think AGPLv3 is a good compromise, it basically says if the end user modifies the software and let his users access it over the network (so he doesn’t distribute copies of it), he is free to do so, as long as he shares is changes using the same license.
And this is it. I think this is a good enough approach for now (even though I’m certain it isn’t a perfect fit for every scenario). What do you think?
As you might have guessed from the title, today’s tip is about how to add “Subresource integrity” (SRI) checks to your website’s static assets.
First lets see what SRI is. According to the Mozilla’s Developers Network:
Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match.
So basically, if you don’t serve all your static assets and rely on any sort of external provider, you can force the browser to check that the delivered contents are exactly the ones you expect.
To trigger that behavior you just need to add the hash of the content to the integrity attribute of the <script> and/or <link> elements in question.
This is all very nice but adding this info manually isn’t that fun or even practical, when your resources might change frequently or are built dynamically on each deployment.
To help with this task I recently found a little tool called django-sri that automates these steps for you (and is compatible with whitenoise if you happen to use it).
After the install, you just need to replace the {% static ... %} tags in your templates with the new one provided by this package ({% sri_static .. %}) and the integrity attribute will be automatically added.
One critical piece of the software development process that often gets neglected by companies and also by many open-source projects is explaining how it works and how it can be used to solve the problem in question.
Documentation is often lacking and people have an hard time figuring out how they can use or contribute to a particular piece of software. I think most developers and users have faced this situation at least once.
Looking at it from the other side, it isn’t always easy to pick and share the right information so others can hit the ground running. The fact that not everybody is starting from the same point and have the same goal, makes the job a bit harder.
It splits the problems in 4 areas targeting different stages and needs of the person reading the documentation. Django uses this system and is frequently praised for having great documentation.
From a user point of view it looks solid. You should take a look and apply it on your packages/projects, I surely will.
The first post I published on this blog is now 10 years old. This wasn’t my first website or even the first blog, but it’s the one that stuck for the longest time.
The initial goal was to have a place to share anything I might find interesting on the Web, a place that would allow me to publish my opinions on all kinds of issues (if I felt like it) and to be able to publish information about my projects. I think you still can deduce that from the tag line, that remained unchanged ever since.
From the start, being able to host my own content was one of the priorities, in order to be able to control its distribution and ensuring that it is universally accessible to anyone without any locks on how and by whom it should be consumed.
The reasoning behind this decision was related to a trend that started a couple of years earlier, the departure from the open web and the big migration to the walled gardens.
Many people thought it was an inoffensive move, something that would improve the user experience and make the life easier for everyone. But as anything in life, with time we started to see the costs.
Today the world is different, using closed platforms that barely interact with each other is the rule and the downsides became evident: Users started to be spied for profit, platforms decide what speech is acceptable, manipulation is more present than ever, big monopolies are now gate keepers to many markets, etc. Summing up, the information and power is concentrated in fewer hands.
Last week this event set the topic for the post. A “simple chat app”, that uses an open protocol to interact with different servers, was excluded/blocked from the market unilaterally without any chance to defend itself. A more extensive discussion can be found here.
The message I wanted to leave in this commemorative post, is that we need to give another shot to decentralized and interoperable software, use open protocols and technologies to put creators and users back in control.
If there is anything that I would like to keep for the next 10 years, is the capability to reach, interact and collaborate with the world without having a huge corporation acting as middleman dictating its rules.
I will continue to put an effort in making sure open standards are used on this website (such RSS, Webmention, etc) and that I’m reachable using decentralized protocols and tools (such as email, Matrix or the “Fediverse“). It think this is the minimum a person could ask for the next decade.
In this year’s first issue of my irregular Django quick tips series, lets look at the builtin tools available for managing access control.
The framework offers a comprehensive authentication and authorization system that is able to handle the common requirements of most websites without even needing any external library.
Most of the time, simple websites only make use of the “authentication” features, such as registration, login and logout. On more complex systems only authenticating the users is not enough, since different users or even groups of users will have access to distinct sets of features and data records.
This is when the “authorization” / access control features become handy. As you will see they are very simple to use as soon as you understand the implementation and concepts behind them. Today I’m gonna focus on how to use these permissions on the Admin, perhaps in a future post I can address the usage of permissions on other situations. In any case Django has excellent documentation, so a quick visit to this page will tell you what you need to know.
Under the hood
ER diagram of Django’s “auth” package
The above picture is a quick illustration of how this feature is laid out in the database. So a User can belong to multiple groups and have multiple permissions, each Group can also have multiple permissions. So a user has a given permission if it is directly associated with him or or if it is associated with a group the user belongs to.
When a new model is added 4 permissions are created for that particular model, later if we need more we can manually add them. Those permissions are <app>.add_<model>, <app>.view_<model>, <app>.update_<model> and <app>.delete_<model>.
For demonstration purposes I will start with these to show how the admin behaves and then show how to implement an action that’s only executed if the user has the right permission.
The scenario
Lets image we have a “store” with some items being sold and it also has a blog to announce new products and promotions. Here’s what the admin looks like for the “superuser”:
The admin showing all the available models
We have several models for the described functionality and on the right you can see that I added a test user. At the start, this test user is just marked as regular “staff” (is_staff=True), without any permissions. For him the admin looks like this:
No permissions
After logging in, he can’t do anything. The store manager needs the test user to be able to view and edit articles on their blog. Since we expect in the future that multiple users will be able to do this, instead of assigning these permissions directly, lets create a group called “editors” and assign those permissions to that group.
Only two permissions for this group of users
Afterwards we also add the test user to that group (in the user details page). Then when he checks the admin he can see and edit the articles as desired, but not add or delete them.
No “Add” button there
The actions
Down the line, the test user starts doing other kinds of tasks, one of them being “reviewing the orders and then, if everything is correct, mark them as ready for shipment”. In this case, we don’t want him to be able to edit the order details or change anything else, so the existing “update” permissions cannot be used.
What we need now is to create a custom admin action and a new permission that would let specific users (or groups) execute that action. Lets start with the later:
class Order(models.Model):
...
class Meta:
...
permissions = [("set_order_ready", "Can mark the order as ready for shipment")]
What we are doing above, is telling Django there is one more permission that should be created for this model, a permission that we will use ourselves.
Once this is done (you need to run manage.py migrate), we can now create the action and ensure we check that the user executing it has the newly created permission:
class OrderAdmin(admin.ModelAdmin):
...
actions = ["mark_as_ready"]
def mark_as_ready(self, request, queryset):
if request.user.has_perm("shop.set_order_ready"):
queryset.update(ready=True)
self.message_user(
request, "Selected orders marked as ready", messages.SUCCESS
)
else:
self.message_user(
request, "You are not allowed to execute this action", messages.ERROR
)
mark_as_ready.short_description = "Mark selected orders as ready"
As you can see, we first check the user as the right permission, using has_perm and the newly defined permission name before proceeding with the changes.
And boom .. now we have this new feature that only lets certain users mark the orders as ready for shipment. If we try to execute this action with the test user (that does not have yet the required permission):
No permission assigned, no action for you sir
Finally we just add the permission to the user and it’s done. For today this is it, I hope you find it useful.
