From 39fd5c6b25475402a238f9c4b1f931d0669bf713 Mon Sep 17 00:00:00 2001
From: Tatsuyuki Ishi
Date: Thu, 27 Jul 2017 17:40:14 +0900
Subject: [PATCH] Remove default value of SECRET_KEY in Django's settings.py (#102)

The default value of SECRET_KEY was hard-coded in the settings.py which would turn out to be used all the time even if people are not forced to change it. So this commit removes that value and instead gets the SECRET_KEY from the environment variable.

Closes #99
---
 README.md | 2 ++
 tests/generate_tests.sh | 2 ++
 web/README.md | 2 ++
 web/assets/run.sh | 6 ++++++
 web/mailman-web/settings.py | 2 +-
 5 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 60d2139..f26b5a8 100644
--- a/README.md
+++ b/README.md
@@ -121,6 +121,8 @@ These are the settings that you MUST change before deploying:
 - `MAILMAN_ADMIN_EMAIL`: The email for the admin user to be created by default.
+- `SECRET_KEY`: Django's secret key, mainly used for signing cookies and others.
+
 For more details on how to configure this image, please look at [Mailman-web's Readme](web/README.md)
diff --git a/tests/generate_tests.sh b/tests/generate_tests.sh
index 32577a4..7412dd4 100644
--- a/tests/generate_tests.sh
+++ b/tests/generate_tests.sh
@@ -16,4 +16,6 @@ services:
   mailman-web:
     image: maxking/mailman-web:$TAG
+    environment:
+      - SECRET_KEY=abcdefghijklmnopqrstuv
 EOF
diff --git a/web/README.md b/web/README.md
index 700af92..de1ef25 100644
--- a/web/README.md
+++ b/web/README.md
@@ -23,6 +23,8 @@ These are the settings that you MUST change before deploying:
 - `MAILMAN_ADMIN_EMAIL`: The email for the admin user to be created by default.
+- `SECRET_KEY`: Django's secret key, mainly used for signing cookies and others.
+
 These are the settings that are set to sane default and you do not need to change them unless you know what you want.
diff --git a/web/assets/run.sh b/web/assets/run.sh
index d97dc8c..5671a40 100755
--- a/web/assets/run.sh
+++ b/web/assets/run.sh
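Review bot: The `SECRET_KEY=abcdefghijklmnopqrstuv` written into the generated compose file is a fixed, publicly visible key, which is the same situation this commit removes from settings.py; that is fine for a throwaway test container, but nothing in the heredoc says so, and the generated YAML is the kind of snippet that gets copied into real deployments. A comment line emitted just above the new `environment:` entry would make the intent explicit, e.g. `    # test-only value; never reuse this key outside the test harness`. The heredoc and the surrounding script continue outside the hunk.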
@@ -34,6 +34,12 @@ function check_or_create () {
 # END
 # }
+# Check if $SECRET_KEY is defined, if not, bail out.
+if [[ ! -v SECRET_KEY ]]; then
+    echo "SECRET_KEY is not defined. Aborting."
+    exit 1
+fi
+
 # Check if $DATABASE_URL is defined, if not, use a standard sqlite database.
 #
 # If the $DATABASE_URL is defined and is postgres, check if it is available
diff --git a/web/mailman-web/settings.py b/web/mailman-web/settings.py
index 26ebed9..a7ebba1 100644
--- a/web/mailman-web/settings.py
+++ b/web/mailman-web/settings.py
@@ -32,7 +32,7 @@ import dj_database_url
 BASE_DIR = os.path.dirname(os.path.abspath(__file__))
 # SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = 'change-this-on-your-production-server'
+SECRET_KEY = os.environ.get('SECRET_KEY')
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = False
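Review bot: `[[ ! -v SECRET_KEY ]]` only tests whether the variable is set, so an empty value (`SECRET_KEY=` from an unfilled `environment:` entry or a bare `-e SECRET_KEY`) passes the new guard and the container starts with an empty key; Django is then expected to reject it only later, at first use, rather than at startup as the comment intends. Testing for emptiness covers both the unset and the empty case: `if [[ -z "${SECRET_KEY:-}" ]]; then`. That form also drops the dependency on `-v`, which requires bash 4.2 or newer. The enclosing script continues outside the hunk.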
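Review bot: `os.environ.get('SECRET_KEY')` yields `None` when the variable is missing, so any entry point that does not pass through run.sh's guard (a direct `manage.py` invocation, a cron job, a test runner) imports settings cleanly and only fails later when Django first touches the key. Indexing the environment turns the missing value into an import-time error that names the variable: `SECRET_KEY = os.environ['SECRET_KEY']`. The `# SECURITY WARNING` comment above the assignment could also state where the value now comes from, e.g. `# Read from the SECRET_KEY environment variable; no default is provided on purpose.`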