security settings for django application

2025-05-16 10:46:53 +03:00
parent ac8c3a33ed
commit 21498f8f25
2 changed files with 60 additions and 13 deletions
--- a/backend/base/settings.py
+++ b/backend/base/settings.py
@@ -5,10 +5,21 @@ from dotenv import load_dotenv
 BASE_DIR = Path(__file__).resolve().parent.parent
 load_dotenv(dotenv_path=BASE_DIR / './.env')

+BASE_URL = os.environ.get("BASE_URL")
+MEDIA_URL = '/media/'
+MEDIA_ROOT = os.environ.get("MEDIA_ROOT")
+# MEDIA_ROOT = '/root/tripwb/uploads/' -- закинь в .env.production
+
 SECRET_KEY = os.environ.get("SECRET_KEY")
 DEBUG = os.environ.get("DEBUG_MODE")

-ALLOWED_HOSTS = []
+ALLOWED_HOSTS = ['localhost', 'tripwb.com', '127.0.0.1', 'tripwb-backend-app', 'v2.tripwb.com']
+
+CSRF_TRUSTED_ORIGINS = [
+    'https://tripwb.com',
+    'http://localhost:3000',
+    'https://v2.triwp.com',
+]

 INSTALLED_APPS = [
    'django.contrib.admin',
@@ -63,20 +74,42 @@ DATABASES = {
    }
 }

+BOT_TOKEN = os.environ.get("BOT_TOKEN")
+CHAT_ID = os.environ.get("CHAT_ID")
+
+CORS_ALLOW_CREDENTIALS = True  # для разрешения cookie
+
+CORS_ALLOWED_ORIGINS = [
+    "http://localhost:3000",
+    "https://tripwb.com",
+    "https://v2.tripwb.com",
+]
+
+CORS_ALLOW_METHODS = [
+    "GET",
+    "POST",
+    "HEAD",
+    "PUT",
+    "DELETE",
+    "OPTIONS",
+    "PATCH"
+]
+
+CORS_ALLOW_ALL_ORIGINS = False # запрет всех доменов, кроме whitelist
+
+CORS_ALLOW_HEADERS = [
+    'x-api-key', 
+    'content-type',
+    'authorization',
+    'accept',
+    'cookie'
+]

 AUTH_PASSWORD_VALIDATORS = [
-    {
-        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
-    },
-    {
-        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
-    },
-    {
-        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
-    },
-    {
-        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
-    },
+    {'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',},
+    {'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',},
+    {'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',},
+    {'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',},
 ]

 LANGUAGE_CODE = 'en-us'
--- a/backend/sitemanagement/models.py
+++ b/backend/sitemanagement/models.py
@@ -1,3 +1,5 @@
+import os
+from django.conf import settings
 from django.db import models
 from django.utils.text import slugify
 from django.db.models.signals import pre_save
@@ -31,6 +33,18 @@ class News(models.Model):
    def __str__(self):
        return self.title

+    def save(self, *args, **kwargs):
+        super().save(*args, **kwargs)  #сохраняем изображение
+        
+        # генерируем путь к файлу если удалось его сохранить
+        if self.titleImage:
+            self.filename = os.path.basename(self.titleImage.name)
+            self.path = f'{settings.BASE_URL}{settings.MEDIA_URL}{self.titleImage.name}'
+            super().save(*args, **kwargs)   # записываем путь и имя файла в базу
+        else:
+            self.filename = ''
+            self.path = ''
+    
@receiver(pre_save, sender=News)
 def generate_slug(sender, instance, **kwargs):
    if not instance.slug: