From 9adc48b50d0f663d9ad90ec464859228b2a5c629 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexis=20M=C3=A9taireau?=
Date: Wed, 21 Jun 2017 01:49:32 +0200
Subject: [PATCH] Warn user when using default 'not-so-secret' secret-key.
---
 budget/run.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/budget/run.py b/budget/run.py
index b576f729..7fe4e245 100644
--- a/budget/run.py
+++ b/budget/run.py
@@ -12,6 +12,8 @@ from api import api
 from utils import PrefixedWSGI
 from utils import minimal_round
+import default_settings
+
 app = Flask(__name__, instance_path='/etc/ihatemoney', instance_relative_config=True)
@@ -41,12 +43,18 @@ def configure():
 app.config.from_pyfile('ihatemoney.cfg', silent=True)
 app.wsgi_app = PrefixedWSGI(app)
+ if app.config['SECRET_KEY'] == default_settings.SECRET_KEY:
+ warnings.warn(
+ "Running a server without changing the SECRET_KEY can lead to"
+ + " user impersonation. Please update your configuration file.",
+ UserWarning
+ )
 # Deprecations
 if 'DEFAULT_MAIL_SENDER' in app.config:
 # Since flask-mail 0.8
 warnings.warn(
 "DEFAULT_MAIL_SENDER is deprecated in favor of MAIL_DEFAULT_SENDER"
- +" and will be removed in further version",
+ + " and will be removed in further version",
 UserWarning
 )
 if not 'MAIL_DEFAULT_SENDER' in app.config:
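Review bot: The new SECRET_KEY check in configure() only emits a `UserWarning`, so a deployment that never overrides the key still starts and serves with the default shipped in `default_settings`; because `from_pyfile('ihatemoney.cfg', silent=True)` ignores a missing config file, that state is easy to reach and the warning is easy to miss in server logs. Flask signs its session cookies with this key, so I would fail closed outside debug mode, e.g. `if not app.debug: raise RuntimeError("SECRET_KEY must be changed from the default")`, and keep the warning for development runs only. The comparison also catches only the exact default value, so an empty key would pass silently; an extra `not app.config['SECRET_KEY']` test would cover it. configure() starts before and continues past this hunk, so I am assuming `warnings` is already imported and that the defaults are loaded into `app.config` before this point.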