系统检查框架是一组用于验证Django项目的静态检查。 它检测常见问题并提供如何修复它们的提示。框架是可扩展的,因此您可以轻松添加自定义的检查。
有关如何添加自定义检查并将其与Django的系统检查集成的详细信息,请参阅 System check topic guide。
CheckMessage
¶CheckMessage
(level, msg, hint=None, obj=None, id=None)¶系统检查引起的警告和错误必须是 CheckMessage
的实例。
这个实例封装了一个单一的可重复使用的错误和警告。
它还提供了用于消息的上下文和提示,以及用于过滤的惟一标识符。
构造函数的参数:
level
DEBUG
,
INFO
, WARNING
, ERROR
, CRITICAL
. 如果级别大于或等于 ERROR
,
则Django将阻止管理命令执行。如果消息等级下雨 ERROR
(i.e. warnings) 将报告给控制台, 但不做其他处理。msg
hint
obj
__str__
方法的任何其他对象(在Python 2中,您需要定义 __unicode__
方法)。
在报告所有消息时使用该方法。id
applabel.X001
。X
是一个 CEWID
的一个字母,表示消息严重程度(
C
代表 CRITICAL
, E
代表 ERROR
等。) 这个数字可以由应用程序任意分配,但在应用程序中应该是唯一的。有子类可以使创建具有公共级别的消息更加容易。在使用它们时,您可以省略 level
参数,因为它是由类名隐含的
Debug
(msg, hint=None, obj=None, id=None)¶Info
(msg, hint=None, obj=None, id=None)¶Warning
(msg, hint=None obj=None, id=None)¶Error
(msg, hint=None, obj=None, id=None)¶Critical
(msg, hint=None, obj=None, id=None)¶Django的系统检查使用以下标记:
models
: 检查管理模型,字段和管理器定义。signals
: 检查信号声明和处理程序注册。admin
: 检查所有管理网站声明。compatibility
: 标记版本升级的潜在问题。security
: 检查安全相关的配置。templates
: 检查模板相关配置。caches
: 检查缓存相关配置。urls
: 检查路由相关配置。database
: 检查数据库配置相关问题。数据库检查并不是以默认方式运行,因为它们比静态的代码分析做的更多。
它们只由 migrate
命令运行,或者在调用 check
命令时指定数据库标记。database
tag 在再1.10版本开始加入的。
某些检查可能会向多个标签注册。
<swappable>
格式不是 app_label.app_name
.<SETTING>
引用的 <model>
没有被 installed,或者是抽象的。<app_label>.<model>
有两个多对多关系。id
只能用于设置了 primary_key=True
的字段名称。<model>
中的字段 <field name>
有冲突。<model>
中的字段 <field name>
存在冲突。<field name>
的列名 <column name>
已经被其他字段使用了。index_together
必须是列表或者元组。index_together
必须是列表或者元组。unique_together
必须是列表或者元组。unique_together
必须是列表或者元组。index_together/unique_together
关联到了不存在的字段名 <field name>
。index_together/unique_together
关联了
ManyToManyField
<field name>
, 但是 ManyToManyField
不支持该选项。ordering
必须是列表或者元组 ( 即使你只想按一个字段排序)。ordering
关联到了一个存在的 <field name>
。index_together/unique_together
关联的字段 <field_name>
不在本地模型 <model>
中。<model>
不能有模型字段。<field>
的自动生成列名过长。数据库 <alias>
中的最大长度是 <maximum length>
。<M2M field>
的自动生成列名过长。 数据库 <alias>
中的最大长度是 <maximum length>
。<model>.check()
类方法当前被覆盖。ordering
和 order_with_respect_to
不能同时使用。<function>
包含了 <app label>.<model>
的惰性引用,
但是应用 <app label>
没有install或者没有模型 <model>
。pk
是不能用作字段名称的保留字。choices
必须是可迭代的 (e.g., 元组或者列表).choices
必须是可迭代的返回 (实际值,易读值)
元组。db_index
必须是 None
, True
或者 False
。null=True
。AutoField
必须设置 primary_key=True.BooleanField
不接受null。CharField
必须定义 max_length
属性。max_length
必须是正整数。IntegerField
时可忽略 max_length
。DecimalField
必须定义 decimal_places
属性。decimal_places
必须是非负整数。DecimalField` 必须定义 ``max_digits
属性。max_digits
必须是非负整数。max_digits
必须大于等于 decimal_places
。FilePathField
必须设置 allow_files
或者 allow_folders
为True。GenericIPAddressField
如果不允许空值, 则不能接受空值,,因为空值存储为null。auto_now
, auto_now_add
和 default
是互斥的。这些选项中只能有一个存在。IPAddressField
已被删除,仅在历史迁移中支持。IPAddressField
已被弃用。对它的支持(除了历史迁移)将在Django 1.9中删除。
* 这个检查只在 Django 1.7 和 1.8 中* 。CommaSeparatedIntegerField
已弃用。对它的支持(除了在历史迁移)将在Django 2.0中删除。unique
不是 FileField
的合法参数。primary_key
不是 FileField
的合法参数。ImageField
无法使用。<model>
没有install或者是抽象的。<model>
已经换出。<field name>
与字段 <field name>
冲突。<field name>
与字段 <field name>
冲突。<field name>
与访问字段 <field name>
冲突。<field name>
与反向查询字段 <field name>
冲突。'+'
结尾。<app label>.<model>.<field name>
是惰性关联到模型 <app label>.<model>
,
但是应用 <app label>
并没有install,或是没有此模型 <model>
。<field1>
, <field2>
, … on
model <model>
is unique. Add unique=True
on any of those fields or
add at least a subset of them to a unique_together constraint.<model>
must set unique=True
because it is
referenced by a ForeignKey
.on_delete=SET_NULL
, but cannot be null.on_delete=SET_DEFAULT
, but has no
default value.ManyToManyField
s cannot be unique.<model>
, which has not been installed.<model>
,
but it has more than two foreign keys to <model>
, which is ambiguous.
You must specify which two foreign keys Django should use via the
through_fields
keyword argument.<model>
,
but it has more than one foreign key from <model>
, which is ambiguous.
You must specify which foreign key Django should use via the
through_fields
keyword argument.<model>
,
but it has more than one foreign key to <model>
, which is ambiguous.
You must specify which foreign key Django should use via the
through_fields
keyword argument.<model>
,
but it does not have foreign key to <model>
or <model>
.through_fields
but does not provide the
names of the two link fields that should be used for the relation through
<model>
.<through model>
has no field
<field name>
.<model>.<field name>
is not a foreign key to <model>
.null
has no effect on ManyToManyField
.ManyToManyField
does not support validators
.unique=True
on a ForeignKey
has the same
effect as using a OneToOneField
.<handler>
was connected to the <signal>
signal with
a lazy reference to the sender <app label>.<model>
, but app <app label>
isn’t installed or doesn’t provide model <model>
.The following checks are performed to warn the user of any potential problems that might occur as a result of a version upgrade.
BooleanField
does not have a default value. This
check was removed in Django 1.8 due to false positives.MIDDLEWARE_CLASSES.
django.contrib.sessions.middleware.SessionMiddleware
,
django.contrib.auth.middleware.AuthenticationMiddleware
, and
django.contrib.messages.middleware.MessageMiddleware
were removed from
the defaults. If your project needs these middleware then you should
configure this setting. This check was removed in Django 1.9.TEMPLATE_*
settings were deprecated in
Django 1.8 and the TEMPLATES
dictionary takes precedence. You must
put the values of the following settings into your defaults TEMPLATES
dict: TEMPLATE_DIRS
, TEMPLATE_CONTEXT_PROCESSORS
, TEMPLATE_DEBUG
,
TEMPLATE_LOADERS
, TEMPLATE_STRING_IF_INVALID
.MIDDLEWARE_CLASSES
setting is deprecated in Django
1.10 and the MIDDLEWARE
setting takes precedence. Since you’ve
set MIDDLEWARE
, the value of MIDDLEWARE_CLASSES
is ignored.Admin checks are all performed as part of the admin
tag.
The following checks are performed on any
ModelAdmin
(or subclass) that is registered
with the admin site:
raw_id_fields
must be a list or tuple.raw_id_fields[n]
refers to <field name>
,
which is not an attribute of <model>
.raw_id_fields[n]
must be a foreign key or
a many-to-many field.fields
must be a list or tuple.fieldsets
and fields
are specified.fields
contains duplicate field(s).fieldsets
must be a list or tuple.fieldsets[n]
must be a list or tuple.fieldsets[n]
must be of length 2.fieldsets[n][1]
must be a dictionary.fieldsets[n][1]
must contain the key
fields
.fieldsets[n][1]
.fields[n]/fieldsets[n][m]
cannot include the
ManyToManyField
<field name>
, because that field manually specifies a
relationship model.exclude
must be a list or tuple.exclude
contains duplicate field(s).form
must inherit from BaseModelForm
.filter_vertical
must be a list or tuple.filter_horizontal
must be a list or tuple.filter_vertical[n]/filter_vertical[n]
refers
to <field name>
, which is not an attribute of <model>
.filter_vertical[n]/filter_vertical[n]
must
be a many-to-many field.radio_fields
must be a dictionary.radio_fields
refers to <field name>
,
which is not an attribute of <model>
.radio_fields
refers to <field name>
,
which is not a ForeignKey
, and does not have a choices
definition.radio_fields[<field name>]
must be either
admin.HORIZONTAL
or admin.VERTICAL
.view_on_site
must be either a callable or a
boolean value.prepopulated_fields
must be a dictionary.prepopulated_fields
refers to
<field name>
, which is not an attribute of <model>
.prepopulated_fields
refers to
<field name>
, which must not be a DateTimeField
, a ForeignKey
, or a
ManyToManyField
field.prepopulated_fields[<field name>]
must be a
list or tuple.prepopulated_fields
refers to
<field name>
, which is not an attribute of <model>
.ordering
must be a list or tuple.ordering
has the random ordering marker
?
, but contains other fields as well.ordering
refers to <field name>
, which
is not an attribute of <model>
.readonly_fields
must be a list or tuple.readonly_fields[n]
is not a callable, an
attribute of <ModelAdmin class>
, or an attribute of <model>
.ModelAdmin
¶The following checks are performed on any
ModelAdmin
that is registered
with the admin site:
save_as
must be a boolean.save_on_top
must be a boolean.inlines
must be a list or tuple.<InlineModelAdmin class>
must inherit from
BaseModelAdmin
.<InlineModelAdmin class>
must have a model
attribute.<InlineModelAdmin class>.model
must be a
Model
.list_display
must be a list or tuple.list_display[n]
refers to <label>
,
which is not a callable, an attribute of <ModelAdmin class>
, or an
attribute or method on <model>
.list_display[n]
must not be a
ManyToManyField
field.list_display_links
must be a list, a tuple,
or None
.list_display_links[n]
refers to <label>
,
which is not defined in list_display
.list_filter
must be a list or tuple.list_filter[n]
must inherit from
ListFilter
.list_filter[n]
must not inherit from
FieldListFilter
.list_filter[n][1]
must inherit from
FieldListFilter
.list_filter[n]
refers to <label>
,
which does not refer to a Field.list_select_related
must be a boolean,
tuple or list.list_per_page
must be an integer.list_max_show_all
must be an integer.list_editable
must be a list or tuple.list_editable[n]
refers to <label>
,
which is not an attribute of <model>
.list_editable[n]
refers to <label>
,
which is not contained in list_display
.list_editable[n]
cannot be in both
list_editable
and list_display_links
.list_editable[n]
refers to the first field
in list_display
(<label>
), which cannot be used unless
list_display_links
is set.list_editable[n]
refers to <field name>
,
which is not editable through the admin.search_fields
must be a list or tuple.date_hierarchy
refers to <field name>
,
which is not an attribute of <model>
.date_hierarchy
must be a DateField
or
DateTimeField
.InlineModelAdmin
¶The following checks are performed on any
InlineModelAdmin
that is registered as an
inline on a ModelAdmin
.
<field name>
, because it is the
foreign key to the parent model <app_label>.<model>
.<model>
has no ForeignKey
to <parent model>
./
<model>
has more than one ForeignKey
to <parent model>
.extra
must be an integer.max_num
must be an integer.min_num
must be an integer.formset
must inherit from
BaseModelFormSet
.GenericInlineModelAdmin
¶The following checks are performed on any
GenericInlineModelAdmin
that is
registered as an inline on a ModelAdmin
.
'ct_field'
references <label>
, which is not a field
on <model>
.'ct_fk_field'
references <label>
, which is not a
field on <model>
.<model>
has no GenericForeignKey
.<model>
has no GenericForeignKey
using content type
field <field name>
and object ID field <field name>
.AdminSite
¶The following checks are performed on the default
AdminSite
:
django.contrib.contenttypes
must be in
INSTALLED_APPS
in order to use the admin application.django.contrib.auth.context_processors.auth
must be in TEMPLATES
in order to use the admin application.REQUIRED_FIELDS
must be a list or tuple.USERNAME_FIELD
for a custom user
model must not be included in REQUIRED_FIELDS
.<field>
must be unique because it is named as the
USERNAME_FIELD
.<field>
is named as the USERNAME_FIELD
, but it is not
unique.<codename>
clashes with a builtin
permission for model <model>
.<codename>
is duplicated for model
<model>
.verbose_name
of model <model>
must be at most
244 characters for its builtin permission names
to be at most 255 characters.<name>
of model <model>
is longer
than 255 characters.<User model>.is_anonymous
must be an attribute or property
rather than a method. Ignoring this is a security issue as anonymous users
will be treated as authenticated!<User model>.is_authenticated
must be an attribute or
property rather than a method. Ignoring this is a security issue as anonymous
users will be treated as authenticated!The following checks are performed when a model contains a
GenericForeignKey
or
GenericRelation
:
GenericForeignKey
object ID references the
non-existent field <field>
.GenericForeignKey
content type references the
non-existent field <field>
.<field>
is not a ForeignKey
.<field>
is not a ForeignKey
to
contenttypes.ContentType
.The security checks do not make your site secure. They do not audit code, do intrusion detection, or do anything particularly complex. Rather, they help perform an automated, low-hanging-fruit checklist. They help you remember the simple things that improve your site’s security.
Some of these checks may not be appropriate for your particular deployment
configuration. For instance, if you do your HTTP to HTTPS redirection in a load
balancer, it’d be irritating to be constantly warned about not having enabled
SECURE_SSL_REDIRECT
. Use SILENCED_SYSTEM_CHECKS
to
silence unneeded checks.
The following checks are run if you use the check --deploy
option:
django.middleware.security.SecurityMiddleware
in your
MIDDLEWARE
/MIDDLEWARE_CLASSES
so the SECURE_HSTS_SECONDS
,
SECURE_CONTENT_TYPE_NOSNIFF
, SECURE_BROWSER_XSS_FILTER
,
and SECURE_SSL_REDIRECT
settings will have no effect.django.middleware.clickjacking.XFrameOptionsMiddleware
in your
MIDDLEWARE
/MIDDLEWARE_CLASSES
, so your pages will not be served with an
'x-frame-options'
header. Unless there is a good reason for your
site to be served in a frame, you should consider enabling this
header to help prevent clickjacking attacks.django.middleware.csrf.CsrfViewMiddleware
is not in your
MIDDLEWARE
/MIDDLEWARE_CLASSES
). Enabling the middleware is the safest
approach to ensure you don’t leave any holes.SECURE_HSTS_SECONDS
setting. If your entire site is served only
over SSL, you may want to consider setting a value and enabling HTTP
Strict Transport Security. Be sure to read
the documentation first; enabling HSTS carelessly can cause serious,
irreversible problems.SECURE_HSTS_INCLUDE_SUBDOMAINS
setting to True
. Without this,
your site is potentially vulnerable to attack via an insecure connection to a
subdomain. Only set this to True
if you are certain that all subdomains of
your domain should be served exclusively via SSL.SECURE_CONTENT_TYPE_NOSNIFF
setting is not
set to True
, so your pages will not be served with an
'x-content-type-options: nosniff'
header. You should consider enabling
this header to prevent the browser from identifying content types incorrectly.SECURE_BROWSER_XSS_FILTER
setting is not
set to True
, so your pages will not be served with an
'x-xss-protection: 1; mode=block'
header. You should consider enabling
this header to activate the browser’s XSS filtering and help prevent XSS
attacks.SECURE_SSL_REDIRECT
setting is not set to
True
. Unless your site should be available over both SSL and non-SSL
connections, you may want to either set this setting to True
or configure
a load balancer or reverse-proxy server to redirect all connections to HTTPS.SECRET_KEY
has less than 50 characters or
less than 5 unique characters. Please generate a long and random
SECRET_KEY
, otherwise many of Django’s security-critical features will be
vulnerable to attack.django.contrib.sessions
in your
INSTALLED_APPS
but you have not set
SESSION_COOKIE_SECURE
to True
. Using a secure-only session
cookie makes it more difficult for network traffic sniffers to hijack user
sessions.django.contrib.sessions.middleware.SessionMiddleware
in your
MIDDLEWARE
/MIDDLEWARE_CLASSES
, but you have not set
SESSION_COOKIE_SECURE
to True
. Using a secure-only session
cookie makes it more difficult for network traffic sniffers to hijack user
sessions.SESSION_COOKIE_SECURE
is not set to True
.
Using a secure-only session cookie makes it more difficult for network traffic
sniffers to hijack user sessions.django.contrib.sessions
in your
INSTALLED_APPS
, but you have not set
SESSION_COOKIE_HTTPONLY
to True
. Using an HttpOnly
session
cookie makes it more difficult for cross-site scripting attacks to hijack user
sessions.django.contrib.sessions.middleware.SessionMiddleware
in your
MIDDLEWARE
/MIDDLEWARE_CLASSES
, but you have not set
SESSION_COOKIE_HTTPONLY
to True
. Using an HttpOnly
session
cookie makes it more difficult for cross-site scripting attacks to hijack user
sessions.SESSION_COOKIE_HTTPONLY
is not set to True
.
Using an HttpOnly
session cookie makes it more difficult for cross-site
scripting attacks to hijack user sessions.CSRF_COOKIE_SECURE
is not set to True
.
Using a secure-only CSRF cookie makes it more difficult for network traffic
sniffers to steal the CSRF token.CSRF_COOKIE_HTTPONLY
is not set to True
.
Using an HttpOnly
CSRF cookie makes it more difficult for cross-site
scripting attacks to steal the CSRF token.DEBUG
set to True
in
deployment.django.middleware.clickjacking.XFrameOptionsMiddleware
in your
MIDDLEWARE
/MIDDLEWARE_CLASSES
, but X_FRAME_OPTIONS
is not set to
'DENY'
. The default is 'SAMEORIGIN'
, but unless there is a good reason
for your site to serve other parts of itself in a frame, you should change
it to 'DENY'
.ALLOWED_HOSTS
must not be empty in deployment.The following checks are performed on any model using a
CurrentSiteManager
:
CurrentSiteManager
could not find a field named
<field name>
.CurrentSiteManager
cannot use <field>
as it is not a
foreign key or a many-to-many field.If you’re using MySQL, the following checks will be performed:
CharField
s to have a
max_length
> 255.The following checks verify that your CACHES
setting is correctly
configured:
'default'
cache in your
CACHES
setting.The following checks are performed on your URL configuration:
<pattern>
uses
include()
with a regex
ending with a
$
. Remove the dollar from the regex
to avoid problems
including URLs.<pattern>
has a regex
beginning with a /
. Remove this slash as it is unnecessary.
If this pattern is targeted in an include()
, ensure
the include()
pattern has a trailing /
.<pattern>
has a name
including a :
. Remove the colon, to avoid ambiguous namespace
references.<pattern>
is invalid. Ensure that
urlpatterns
is a list of url()
instances.10月 29, 2021