TIME_ZONE UTC, remove unused file settings, https settings by default

Author: davegaeddert

plain-sessions/plain/sessions/default_settings.py

@@ -5,7 +5,7 @@
 # A string like "example.com", or None for standard domain cookie.
 SESSION_COOKIE_DOMAIN = None
 # Whether the session cookie should be secure (https:// only).
-SESSION_COOKIE_SECURE = False
+SESSION_COOKIE_SECURE = True
 # The path of the session cookie.
 SESSION_COOKIE_PATH = "/"
 # Whether to use the HttpOnly flag.

plain/plain/runtime/global_settings.py

@@ -22,7 +22,7 @@
 # https://en.wikipedia.org/wiki/List_of_tz_zones_by_name (although not all
 # systems may support all possibilities). When USE_TZ is True, this is
 # interpreted as the default user time zone.
-TIME_ZONE = "America/Chicago"
+TIME_ZONE: str = "UTC"
 
 # If you set this to True, Plain will use timezone-aware datetimes.
 USE_TZ = True
@@ -75,16 +75,6 @@
 # (i.e. "/tmp" on *nix systems).
 FILE_UPLOAD_TEMP_DIR = None
 
-# The numeric mode to set newly-uploaded files to. The value should be a mode
-# you'd pass directly to os.chmod; see
-# https://docs.python.org/library/os.html#files-and-directories.
-FILE_UPLOAD_PERMISSIONS = 0o644
-
-# The numeric mode to assign to newly-created directories, when uploading files.
-# The value should be a mode as you'd pass to os.chmod;
-# see https://docs.python.org/library/os.html#files-and-directories.
-FILE_UPLOAD_DIRECTORY_PERMISSIONS = None
-
 # Default X-Frame-Options header value
 X_FRAME_OPTIONS = "DENY"
 
@@ -121,7 +111,7 @@
 # SIGNING #
 ###########
 
-SIGNING_BACKEND = "plain.signing.TimestampSigner"
+COOKIE_SIGNING_BACKEND = "plain.signing.TimestampSigner"
 
 ########
 # CSRF #
@@ -132,7 +122,7 @@
 CSRF_COOKIE_AGE = 60 * 60 * 24 * 7 * 52
 CSRF_COOKIE_DOMAIN = None
 CSRF_COOKIE_PATH = "/"
-CSRF_COOKIE_SECURE = False
+CSRF_COOKIE_SECURE = True
 CSRF_COOKIE_HTTPONLY = False
 CSRF_COOKIE_SAMESITE = "Lax"
 CSRF_HEADER_NAME = "HTTP_X_CSRFTOKEN"
@@ -178,7 +168,7 @@
 SECURE_REDIRECT_EXEMPT = []
 SECURE_REFERRER_POLICY = "same-origin"
 SECURE_SSL_HOST = None
-SECURE_SSL_REDIRECT = False
+SECURE_SSL_REDIRECT = True
 
 #############
 # Templates #

plain/plain/runtime/user_settings.py

@@ -275,7 +275,7 @@ def _load_explicit_settings(self, settings_module):
                 setattr(self, setting, setting_value)
                 self._explicit_settings.add(setting)
 
-        if hasattr(time, "tzset") and self.TIME_ZONE:
+        if hasattr(time, "tzset") and getattr(self, "TIME_ZONE", None):
             # When we can, attempt to validate the timezone. If we can't find
             # this file, no check happens and it's harmless.
             zoneinfo_root = Path("/usr/share/zoneinfo")

plain/plain/signing.py

@@ -107,7 +107,7 @@ def _cookie_signer_key(key):
 
 
 def get_cookie_signer(salt="plain.signing.get_cookie_signer"):
-    Signer = import_string(settings.SIGNING_BACKEND)
+    Signer = import_string(settings.COOKIE_SIGNING_BACKEND)
     return Signer(
         key=_cookie_signer_key(settings.SECRET_KEY),
         fallback_keys=map(_cookie_signer_key, settings.SECRET_KEY_FALLBACKS),

plain/tests/test_wsgi.py

@@ -14,6 +14,7 @@ def test_wsgi_app():
         {
             "REQUEST_METHOD": "GET",
             "wsgi.input": BytesIO(b""),
+            "wsgi.url_scheme": "https",
         },
         lambda *args: None,
     )

scripts/install

@@ -5,6 +5,7 @@ do
     echo ""
     echo "${BOLD}Installing dependencies for $package${NORMAL}"
     cd $package
+    poetry env use $(uv python find)
     POETRY_VIRTUALENVS_IN_PROJECT=true poetry install
     cd ..
 done