Sunday, May 29, 2011

Retrieving the URL of a namespaced Django view

I've finally got around to learning the new class based views approach in Django 1.3 with the goal of writing a mixin that can be used with django-tables to avoid some of the boilerplate code that's currently required. I ended up with a handy SingleTableMixin class which I'll be merging into the development branch when I get a chance.

However I find learning-by-doing is optimal, so I started by refactoring some legacy CRUD CMS-like views to use the class based views approach. I became a little side-tracked while looking over the old code and found myself cleaning it up. During this process I noticed that it might be a good idea to create URLs via reverse(view_func) rather than reverse(urlname). However it did not work.

After some painful debugging it seems that view functions that are hooked into the URLconf via a namespaced URL cannot be reversed via their function reference.

Wednesday, May 25, 2011

Creating a separate linux user for each Web site

For added security it's a good idea to run each Web site as a separate user. For this, I use the following command:

sudo adduser --system --no-create-home <username>

You can then instruct mod_wsgi to use this user:

WSGIDaemonProcess bradleyayers.com user=<username>

Obviously in both snippets, you replace <username> with an actual username.

Forcing SSH to authenticate via public key for all but one user

When setting up an Ubuntu Web server I generally want to disable password authentication for SSH (and instead use public key), which has been all well and good until now. While experimenting with automatic deployment solutions for Django, I wanted to be able to use password authentication for the deployment account, whilst enforcing public key authentication for everyone else.

The solution is very simple. In my /etc/ssh/sshd_config I have the typical:

RSAAuthentication no
PubkeyAuthentication yes

And to enable password authentication for a single user I added the following to the end of the file:

# Allow the 'deployment' user to login
# using their password
Match User deployment
PasswordAuthentication yes

It's documented in detail in the Match section of the man page.
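
A quick way to audit which accounts a config like this leaves open to password logins, as an added example that is not code from the original post. It models only the rules from the Match section of the man page (the first value in a matching Match block overrides the first global value); the sample file, the global "PasswordAuthentication no" line and the function names are assumptions made for illustration.

```python
import fnmatch

# Constructed sample, not the author's real file. The global
# "PasswordAuthentication no" line is an assumption.
SAMPLE_CONFIG = """\
PasswordAuthentication no
PubkeyAuthentication yes
# Allow the 'deployment' user to log in using their password
Match User deployment
    PasswordAuthentication yes
"""

def _block_applies(criteria, user):
    """Evaluate a Match line; only 'all' and 'User <patterns>' are modelled."""
    tokens = criteria.split()
    if len(tokens) == 1 and tokens[0].lower() == "all":
        return True
    if len(tokens) != 2 or tokens[0].lower() != "user":
        raise ValueError("unsupported Match criteria: " + criteria)
    patterns = tokens[1].split(",")
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(user, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(user, p) for p in positive)

def effective_setting(config_text, keyword, user):
    """Value applied to `keyword` for `user`: the first value in a matching
    Match block overrides the first value in the global section."""
    global_value = match_value = None
    in_match = applies = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, arg = (line.split(None, 1) + [""])[:2]
        if name.lower() == "match":
            # Every later line belongs to this block until the next Match.
            in_match, applies = True, _block_applies(arg, user)
        elif name.lower() == keyword.lower():
            if not in_match and global_value is None:
                global_value = arg.strip()
            elif in_match and applies and match_value is None:
                match_value = arg.strip()
    return match_value if match_value is not None else global_value

def password_users(config_text, users):
    """Accounts from `users` that may log in with a password (sshd default: yes)."""
    setting = lambda u: effective_setting(config_text, "PasswordAuthentication", u)
    return [u for u in users if (setting(u) or "yes").lower() == "yes"]
```

On a live server, sshd -T -C user=deployment prints the configuration sshd itself would apply to that user and is the authoritative check; the script above only reasons about the file's text.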