Adds two configuration parameters that are passed to
generate_password_hash:
- PASSWORD_HASH_METHOD
- PASSWORD_HASH_SALT_LENGTH
The unit tests use high-speed low-security values and
gain 50% speed.
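As an added illustration of the two parameters (this is example code, not Ihatemoney's or Werkzeug's implementation), the stand-in below reads `PASSWORD_HASH_METHOD` and `PASSWORD_HASH_SALT_LENGTH` from a config dict, embeds the method in the stored hash so old hashes keep verifying after a config change, and measures why a cheap test-only config speeds up a test suite. The config values, the `pbkdf2:<digest>:<iterations>` method syntax and the function bodies are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-ins for the two configuration parameters named in the
# commit. Production-like values: PBKDF2-HMAC-SHA256, many iterations, 16-byte salt.
PRODUCTION_CONFIG = {
    "PASSWORD_HASH_METHOD": "pbkdf2:sha256:600000",
    "PASSWORD_HASH_SALT_LENGTH": 16,
}
# Test-only values: deliberately cheap so the suite runs fast. Not for production.
TEST_CONFIG = {
    "PASSWORD_HASH_METHOD": "pbkdf2:sha256:1",
    "PASSWORD_HASH_SALT_LENGTH": 8,
}


def _parse_method(method):
    """Split "pbkdf2:<digest>:<iterations>" into (digest, iterations)."""
    parts = method.split(":")
    if len(parts) != 3 or parts[0] != "pbkdf2":
        raise ValueError(f"unsupported PASSWORD_HASH_METHOD: {method!r}")
    return parts[1], int(parts[2])


def generate_password_hash(password, config):
    """Hash with the method and salt length taken from the app config.

    The method string is stored inside the result, so a later change of
    config does not invalidate hashes already in the database.
    """
    digest, iterations = _parse_method(config["PASSWORD_HASH_METHOD"])
    salt = secrets.token_hex(config["PASSWORD_HASH_SALT_LENGTH"])  # hex of N random bytes
    dk = hashlib.pbkdf2_hmac(digest, password.encode(), salt.encode(), iterations)
    return f"pbkdf2:{digest}:{iterations}${salt}${dk.hex()}"


def check_password_hash(stored, password):
    """Verify against a stored hash using the parameters embedded in it."""
    method, salt, expected = stored.split("$")
    digest, iterations = _parse_method(method)
    dk = hashlib.pbkdf2_hmac(digest, password.encode(), salt.encode(), iterations)
    return hmac.compare_digest(dk.hex(), expected)


def hash_cost_seconds(config, password="hunter2"):
    """Wall-clock cost of one hash: this is what the fast test config buys."""
    start = time.perf_counter()
    generate_password_hash(password, config)
    return time.perf_counter() - start
```

The test config must stay confined to the test settings: a hash produced with one iteration verifies correctly, which is exactly why it must never reach a production database.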
F-strings are a bad idea for translations, because they cause Babel to
crash when collecting strings to translate:
https://github.com/python-babel/babel/issues/715
But even if we replaced f-strings with new-style string interpolation such
as `_("{foo}").format(foo=foo)`, it's still a bad idea, because a wrong
translation can crash Ihatemoney at runtime with a KeyError.
Instead, we must really use old-style Python formatting since it is
well supported in Babel. Wrong translations that mess with string
interpolations will cause Babel to give an error when compiling
translation files, which is exactly what we want.
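To show the difference in where a wrong translation blows up, here is an added example (not Ihatemoney's or Babel's code): a simplified placeholder check of the kind Babel performs when compiling `python-format` strings, next to a `render()` that fails at runtime with `KeyError` for a mistyped placeholder in either style. The catalog, the regexes and the function names are this example's own assumptions.

```python
import re

# Placeholders of the two styles discussed in the commit message.
OLD_STYLE = re.compile(r"%\((\w+)\)[#0 +\-]*\d*(?:\.\d+)?[diouxXeEfFgGcrsa]")
NEW_STYLE = re.compile(r"\{(\w+)(?:![rsa])?(?::[^}]*)?\}")


def placeholders(text):
    """Names referenced by either interpolation style."""
    return set(OLD_STYLE.findall(text)) | set(NEW_STYLE.findall(text))


def check_catalog(catalog):
    """Simplified stand-in for the check Babel performs at compile time on
    python-format strings: report every translation whose placeholders do
    not match the source string's. Returns a list of (msgid, missing, unexpected)."""
    problems = []
    for msgid, msgstr in catalog.items():
        expected, found = placeholders(msgid), placeholders(msgstr)
        if expected != found:
            problems.append((msgid, expected - found, found - expected))
    return problems


def render(msgstr, **values):
    """Render a translated string the way application code would; returns
    (text, error). A wrong translation raises KeyError with either style,
    which is why the mismatch has to be caught before deployment."""
    try:
        if NEW_STYLE.search(msgstr):
            return msgstr.format(**values), None
        return msgstr % values, None
    except KeyError as exc:
        return None, f"KeyError: {exc}"


# Constructed catalog: one correct translation and two with a mistyped placeholder.
CATALOG = {
    "%(name)s paid %(amount)s": "%(name)s a payé %(amount)s",
    "%(count)d bills imported": "%(compte)d factures importées",
    "Welcome {user}": "Bienvenue {utilisateur}",
}
```

Running `check_catalog(CATALOG)` flags the second and third entries before any user hits them; without that step the same strings only fail when `render()` is called with real data.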
This is only needed for insecure spreadsheet applications (hi Google Docs and MS Excel) that load formulae by default.
See https://owasp.org/www-community/attacks/CSV_Injection for some mitigation explanation. This is not complete, but it should be OK for now.
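An added example of the mitigation the OWASP page describes (example code, not Ihatemoney's export code): text cells starting with one of the formula trigger characters get a leading single quote, every cell is quoted, and embedded double quotes are doubled by the `csv` module. The header, the rows and the function names are constructed for this example.

```python
import csv
import io

# Leading characters that make Excel / Google Sheets evaluate a cell as a
# formula (list taken from the OWASP CSV Injection page linked above).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def escape_csv_cell(value):
    """Make a text cell inert: prefix a single quote so the spreadsheet
    reads it as a literal string. Non-string values (real numbers, dates)
    are left alone so a negative amount stays numeric."""
    if isinstance(value, str) and value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def export_csv(header, rows):
    """Write rows with every cell escaped and quoted (QUOTE_ALL also doubles
    any embedded double quotes, the other OWASP recommendation)."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([escape_csv_cell(cell) for cell in row])
    return out.getvalue()


# Constructed bill export: the second "what" value starts with '=' and would
# otherwise be evaluated by a spreadsheet that loads formulae by default.
SAMPLE_HEADER = ["date", "what", "payer", "amount"]
SAMPLE_ROWS = [
    ["2020-01-05", "Groceries", "Alice", 42.5],
    ["2020-01-06", "=1+1", "Bob", -3.0],
    ["2020-01-07", "@lunch", "Carol", 10],
]
```

The limitation the commit message admits is visible here: a user-supplied string such as `"-3.0"` is also prefixed, so it will display as text rather than as a number, which is the price of neutralising anything that starts with `-`.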
In one case, we were not catching a family of possible exceptions
(socket.error), and in the two other cases there was no error handling at
all. Sending emails can easily fail if no email server is configured, so
it is really necessary to handle these errors instead of crashing with an
HTTP 500 error.
Refactor email sending code and add proper error handling.
Show alert messages that tell the user if an email was sent or if there
was an error.
When sending a password reminder email or inviting people by email, we
don't proceed to the next step in case of error, because sending emails is
the whole point of these actions.
Co-Authored-By: Glandos <bugs-github@antipoul.fr>
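An added example of the error-handling pattern the commit describes (example code, not Ihatemoney's refactored email code, and not Flask-Mail): the sender is wrapped so that the whole `socket.error` family and SMTP-level errors become a `(sent, error)` result, and the invitation flow only proceeds when the mail went out. The sender callables are constructed stand-ins; the message dict and return shape are this example's own.

```python
import smtplib
import socket

# In Python 3, socket.error is an alias of OSError, so catching it covers
# ConnectionRefusedError, TimeoutError, socket.gaierror and similar.
MAIL_ERRORS = (socket.error, smtplib.SMTPException)


def send_safely(send, message):
    """Call the real sender and report (sent, error) instead of raising."""
    try:
        send(message)
    except MAIL_ERRORS as exc:
        return False, f"{type(exc).__name__}: {exc}"
    return True, None


def invite_people(emails, send):
    """Invitation flow following the commit's rule: flash an alert either way,
    and only proceed to the next step when the mail actually went out."""
    sent, error = send_safely(send, {"to": list(emails), "subject": "Invitation"})
    if not sent:
        return {"proceed": False,
                "flash": ("danger", f"The invitation email could not be sent: {error}")}
    return {"proceed": True, "flash": ("success", "Invitations sent")}


# Constructed senders: one works, one fails the way an unconfigured mail
# server does (connection refused), one fails at the SMTP protocol level.
def working_sender(message):
    return None


def refused_sender(message):
    raise ConnectionRefusedError(111, "Connection refused")


def smtp_error_sender(message):
    raise smtplib.SMTPRecipientsRefused({message["to"][0]: (550, b"User unknown")})
```

Catching only `smtplib.SMTPException` would miss the connection-refused case, which is the usual failure when no mail server is configured at all.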
All project activity can be tracked, using SQLAlchemy-continuum.
IP addresses can optionally be recorded.
Fix #417
* New tab upload
* Extract data from JSON
* Add users
* Black format
* Try to add bill
* Import bills
* Add French translation msg
* Black reformat missing
* Deactivated users are supported
* Test import
* Remove temp file in upload_json()
* Incomplete tests
* tests import
* Update ihatemoney/translations/fr/LC_MESSAGES/messages.po
Co-Authored-By: Rémy HUBSCHER <hubscher.remy@gmail.com>
* Remove useless variable and check json format
* Use String.IO and test for wrong json
* Remove comma
Co-authored-by: Rémy HUBSCHER <hubscher.remy@gmail.com>
Flake8 was nitpicking about:
ihatemoney/forms.py:192:13: F841 local variable 'e' is assigned to but never used
ihatemoney/utils.py:26:8: W605 invalid escape sequence '\w'
ihatemoney/utils.py:26:10: W605 invalid escape sequence '\s'
ihatemoney/utils.py:27:8: W605 invalid escape sequence '\s'
For this I had to create a Jinja2 explicit environment, so I put a
function in `ihatemoney.utils.create_jinja2_env(strict_rendering=False)`.
When using this environment and if `strict_rendering` is activated,
templates using undefined variables will now error out rather than
failing silently.
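An added example of what `strict_rendering` changes (example code; the function body is this example's own, only the name and signature `create_jinja2_env(strict_rendering=False)` come from the commit message): with `StrictUndefined`, a template that references a variable missing from the context raises `UndefinedError` instead of rendering an empty string. It requires the `jinja2` package; the reminder template and context are constructed.

```python
from jinja2 import Environment, StrictUndefined, Undefined
from jinja2.exceptions import UndefinedError


def create_jinja2_env(strict_rendering=False):
    """Stand-in for ihatemoney.utils.create_jinja2_env. With strict_rendering
    the environment uses StrictUndefined, so any undefined variable raises
    at render time rather than silently producing an empty string."""
    return Environment(
        undefined=StrictUndefined if strict_rendering else Undefined,
        autoescape=True,
    )


# Constructed notification template with three variables.
REMINDER_TEMPLATE = "Hello {{ name }}, you owe {{ amount }} on {{ project }}."


def render_reminder(env, **context):
    """Render and return (text, error); error is None on success."""
    try:
        return env.from_string(REMINDER_TEMPLATE).render(**context), None
    except UndefinedError as exc:
        return None, str(exc)
```

Strict rendering is the setting to use in tests: a typo in a template variable shows up as a failing test rather than as a blank in the email a user receives.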
* Protect admin endpoints against brute force attacks
Add a throttling mechanism to prevent a client brute
forcing the authentication form, based on its IP address
Closes #245
* Reset attempt counters if they get memory hungry
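An added example of a per-IP throttle of the kind the commit describes (example code, not Ihatemoney's implementation): failed attempts are counted in a sliding window, the throttle check runs before the password check, and the counters are dropped wholesale once the table grows past a bound. The limits, the expected password and the clock injection are this example's assumptions.

```python
import hmac
import time
from collections import defaultdict

# Constructed limits; the project's real values are not reproduced here.
MAX_ATTEMPTS = 3        # failed attempts allowed per IP inside the window
WINDOW_SECONDS = 60.0   # sliding window
MAX_TRACKED_IPS = 1000  # "reset attempt counters if they get memory hungry"


class LoginThrottle:
    """Per-IP failed-attempt counter with a sliding window."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                  # injectable for tests
        self.failures = defaultdict(list)   # ip -> timestamps of failed attempts

    def _recent(self, ip, now):
        self.failures[ip] = [t for t in self.failures[ip] if now - t < WINDOW_SECONDS]
        return self.failures[ip]

    def is_throttled(self, ip):
        return len(self._recent(ip, self.clock())) >= MAX_ATTEMPTS

    def record_failure(self, ip):
        # Crude memory bound: drop everything rather than grow without limit.
        if ip not in self.failures and len(self.failures) >= MAX_TRACKED_IPS:
            self.failures.clear()
        self.failures[ip].append(self.clock())

    def record_success(self, ip):
        self.failures.pop(ip, None)


def attempt_login(throttle, ip, password, expected="correct horse"):
    """Return an HTTP-style status: 429 while throttled, 401 on a bad password,
    200 on success. The throttle check runs first, so a throttled client gets
    the same answer whether or not its guess was right."""
    if throttle.is_throttled(ip):
        return 429
    if not hmac.compare_digest(password.encode(), expected.encode()):
        throttle.record_failure(ip)
        return 401
    throttle.record_success(ip)
    return 200
```

Behind a reverse proxy the IP used as key must be the real client address (taken from a trusted forwarding header), otherwise every client shares one counter.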
* Use absolute imports and rename package to ihatemoney
* Add an ihatemoney command
* Factorize application creation logic
* Refactor the tests
* Update the wsgi.py module with the new create_app() function
* Fix some styling thanks to Flake8.
* Automate Flake8 check in the CI.