django - Coffee on the Keyboard

Open Source Update: Waffle

I just pushed version 0.11 of Waffle [https://pypi.python.org/pypi/django-waffle/0.11], the feature flipper for Django [https://www.djangoproject.com/]. It contains a number of code and documentation fixes [https://github.com/jsocol/django-waffle/compare/v0.10.1...v0.11] which you can also see

Back-end

An Object Caching Pattern for Django

Increasingly I’ve been treating even RDBMSes like structured key-value stores. There are still foreign keys and relationships in there, but the access patterns are most commonly by some kind of “primary” key (not always the primary key on the table, but a natural one). Normally when I do something

Back-end

Visualizing the 2015 SotU on TodaysMeet

Now that you know how TodaysMeet works [https://coffeeonthekeyboard.ghost.io/how-todaysmeet-works-1237/], here’s part 2: using the message queue architecture to build the SotU visualizations. TodaysMeet [https://todaysmeet.com] has a long history [http://blog.todaysmeet.com/case-study-meeting-during-debates-88/] with political events [http://blog.todaysmeet.com/2014-state-of-the-union-room-205/]. During the 2012

django

How TodaysMeet Works

I want to write about TodaysMeet’s 2015 State of the Union [http://blog.todaysmeet.com/sotu2015-on-todaysmeet-426/] site, but I realized I spent half the time on the existing architecture. So, this is part 1, and here is part 2 [https://coffeeonthekeyboard.ghost.io/visualizing-the-2015-sotu-on-todaysmeet-1246/]! A little over two years

django

Testing with Django's Cache

I don’t love my solution to this problem, so I’m writing about it in hopes that someone has something better. When you run tests with Django, you get an isolated test database. This can be wiped out and the consistency makes life a lot easier when you are

django

Mozilla's Security Best Practices

This list of resources is meant as a companion to the talk I gave at DjangoCon 2012, but it should stand on its own as a useful list for Django developers. Best Practices? What are “best practices,” anyway? The internet loves to debate these things. For us, think of it

django

Mass Assignment - Security Part 10

NB: This is the tenth post in a series [https://coffeeonthekeyboard.ghost.io/best-basic-security-practices-especially-with-django-697/] of posts on web application security. > “Mass assignment”? That’s a Rails [http://rubyonrails.org/] thing! GitHub [https://github.com/] was the recent, high-profile target of an “attack”—it wasn’t so much a vicious

django

Stay Up to Date - Basic Security Part 9

NB: This is the ninth post in a series [https://coffeeonthekeyboard.ghost.io/best-basic-security-practices-especially-with-django-697/] of posts on web application security. Rounding out this week is the last, but perhaps most important part of the basic security series: staying up to date. Keeping everything up-to-date is a pain. You have to

click-jacking

Click-Jacking and a little Phishing - Basic Security Part 8

NB: This is the eighth post in a series [https://coffeeonthekeyboard.ghost.io/best-basic-security-practices-especially-with-django-697/] of posts on web application security. Click-jacking is a process of “stealing” clicks on your site, redirecting them to other places, either by using an XSS vector [https://coffeeonthekeyboard.ghost.io/xss-cross-site-scripting-basic-security-part-2-711/] to replace the targets

django

Server Configuration - Basic Security Part 7

NB: This is the seventh post in a series [https://coffeeonthekeyboard.ghost.io/best-basic-security-practices-especially-with-django-697/] of posts on web application security. Configuring a server correctly is both 1) hard and 2) critical. You’ve probably spent a bunch of time configuring Apache [http://httpd.apache.org/] or nginx [http://nginx.org/

django

Session Fixation and Hijacking - Basic Security Part 6

NB: This is the sixth post in a series [https://coffeeonthekeyboard.ghost.io/best-basic-security-practices-especially-with-django-697/] of posts on web application security. 1. Don’t put session IDs in the URL. Django explicitly does not support [https://docs.djangoproject.com/en/dev/topics/http/sessions/#session-ids-in-urls] this because it’s just dangerous.

access control

Access Control - Basic Security Part 5

NB: This is the fifth post in a series [https://coffeeonthekeyboard.ghost.io/best-basic-security-practices-especially-with-django-697/] of posts on web application security. Proper access control is an absolutely key part of web app security and is easily overlooked—possibly because it’s so easy. In Django, to hide a link from someone,

django

Injections, SQL and otherwise - Basic Security Part 4

NB: This is the fourth post in a series [https://coffeeonthekeyboard.ghost.io/best-basic-security-practices-especially-with-django-697/] of posts on web application security. SQL Injection SQL injection is a vector that lets a user insert their own SQL into a statement sent to your database server. The typical example is: 1. "SELECT

csrf

CSRF: Cross-Site Request Forgeries - Basic Security Part 3

NB: This is the third post in a series [https://coffeeonthekeyboard.ghost.io/best-basic-security-practices-especially-with-django-697/] of posts on web application security. The quintessential example of a CSRF (sometimes pronounced “sea-surf”) is a bank that naively does transfers over a GET request without any other security: http://badbank.com/transfer?from=act1&

django

XSS: Cross-Site Scripting - Basic Security Part 2

NB: This is the second post in a series [https://coffeeonthekeyboard.ghost.io/best-basic-security-practices-especially-with-django-697/] of posts on web application security. XSS covers a number of various attacks, but the common thread is that someone gets to execute code in the context of your web page and domain. Doing that, they

django

Password Storage - Basic Security Part 1

NB-1: This is the first post in a series [https://coffeeonthekeyboard.ghost.io/best-basic-security-practices-especially-with-django-697/] of posts on web application security. NB-2: Fred [http://fredericiana.com/] wrote a great post on password storage [https://blog.mozilla.org/webdev/2012/06/08/lets-talk-about-password-storage/]. You should read it. I’m assuming we’re

django

Best Basic Security Practices (Especially with Django)

Or: Locking Your Doors This goes along with a talk I gave at Django-NYC [http://www.djangonyc.org/events/70626822/] in July 2012, but is meant to stand on its own. It is the first in a series of posts, because I realized it was too big for one. Security

django

Putting My Slides Where My Mouth Is

I’m giving a talk tonight [http://www.djangonyc.org/events/70626822/] at GetGlue [http://getglue.com/] on web app security, particularly with Django. Over the next several days—starting tonight—parts of that talk will be posted here as blog posts (I’ve realized there’s too much material

Code

Why Django Sucks, Except When It Doesn't

Ken Reitz [https://twitter.com/kennethreitz] is a smart man. Very smart. Smarter than me. He’s responsible for some of the best [https://github.com/kennethreitz/flask-sslify], most widely-used [https://crate.io/packages/requests/] Python libraries out there. So when he talks, I listen. And recently, he talked about

django

O Hai Django AdminPlus

Last night, as happens sometimes, I was wishing it was possible to add some of our custom admin views to the Django admin’s index page. It’s kind of a pain to have to type the URL every time, especially when talking to other people: “It’s in the

comet

The Future of TodaysMeet

This is the second half of a two-part post. Start with part 1 [https://coffeeonthekeyboard.ghost.io/the-problem-with-todaysmeet-550/]. TodaysMeet [http://todaysmeet.com/] is an interesting challenge because it has components that are absolutely real-time and should be built like a messaging system, not a CMS, and parts that aren’t

django

Introducing Waffle for Django

Waffle is a feature-flipping library for Django that strives to be easy and intuitive, and work with both the Django/Jingo/Jinja2 stack we use at Mozilla, and Django templates out of the box. Waffle lets you define various reasons a flag can be active for a given request. You

Database

Django Fixtures with Circular Foreign Keys

If you create a nice, perfectly normalized database, you (probably) won’t ever run into circular foreign keys (when a row in table A references a row in table B that references the same row in table A). In the real world, this happens pretty regularly. The most common situation

django

Playing with the Real-Time Web

Since I left Facebook [https://coffeeonthekeyboard.ghost.io/farewell-facebook-410/], I’ve been working on a little project to take its place as an aggregator, or a central hub of all me-related activity on the internet: Planetoid [http://github.com/jsocol/planetoid]. Right now, if you’ve got the patience to

amo

Code-sharing Update

When we decided to move SUMO to a new platform [https://coffeeonthekeyboard.ghost.io/the-evolution-of-sumo-339/], one of the reasons we chose Django [http://www.djangoproject.com/] was code sharing and reuse—specifically that SUMO [http://support.mozilla.com/] and AMO [https://addons.mozilla.org] would be able to share code,