Remove default value of SECRET_KEY in Django's settings.py (#102)

The default value of SECRET_KEY was hard-coded in the settings.py which would turn out to be used all the time even if people are not forced to change it. So this commit removes that value and instead gets the SECRET_KEY from the environment variable.

Closes #99

README.md

@@ -121,6 +121,8 @@ These are the settings that you MUST change before deploying:
 
 - `MAILMAN_ADMIN_EMAIL`: The email for the admin user to be created by default.
 
+- `SECRET_KEY`: Django's secret key, mainly used for signing cookies and others.
+
 For more details on how to configure this image, please look at [Mailman-web's
 Readme](web/README.md)
 

tests/generate_tests.sh

@@ -16,4 +16,6 @@ services:
 
   mailman-web:
     image: maxking/mailman-web:$TAG
+    environment:
+    - SECRET_KEY=abcdefghijklmnopqrstuv
 EOF

web/README.md

@@ -23,6 +23,8 @@ These are the settings that you MUST change before deploying:
 
 - `MAILMAN_ADMIN_EMAIL`: The email for the admin user to be created by default.
 
+- `SECRET_KEY`: Django's secret key, mainly used for signing cookies and others.
+
 These are the settings that are set to sane default and you do not need to
 change them unless you know what you want.
 

web/assets/run.sh

@@ -34,6 +34,12 @@ function check_or_create () {
 # END
 # }
 
+# Check if $SECRET_KEY is defined, if not, bail out.
+if [[ ! -v SECRET_KEY ]]; then
+	echo "SECRET_KEY is not defined. Aborting."
+	exit 1
+fi
+
 # Check if $DATABASE_URL is defined, if not, use a standard sqlite database.
 #
 # If the $DATABASE_URL is defined and is postgres, check if it is available

web/mailman-web/settings.py

@@ -32,7 +32,7 @@ import dj_database_url
 BASE_DIR = os.path.dirname(os.path.abspath(__file__))
 
 # SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = 'change-this-on-your-production-server'
+SECRET_KEY = os.environ.get('SECRET_KEY')
 
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = False