Allow overriding settings in trusted apps
For Tezor, we have reached the point where selectively amending some settings values is not enough anymore, because we need to set PAYMENT_MODEL. We also cannot amend the settings at runtime (e.g. in the app's ready method), because the setting is needed at model import time.
Thus, I want to allow trusted apps (i.e. those under the aleksis.apps namespace) to set an override_settings list in their settings.py marking setting names to be overridden completely.
Security rationale: We originally did not want to support this, as letting third-party apps override arbitrary settings poses a security risk. However, the approach using the ready method in Tezor demonstrates that not allowing this does not improve security, because Django does in no way guard against settings being modified from any point in the code after startup. We still guard against accidental changes by only taking into account settings denoted in a special list.
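
A sketch of the proposed gate, added here as an illustration and not taken from the AlekSIS code base: only names listed in override_settings are replaced, and only for apps under the aleksis.apps namespace. The function names, the module names and the sample setting values are assumptions constructed for the example.

```python
# Added illustration; not AlekSIS code. Names other than override_settings,
# PAYMENT_MODEL and the aleksis.apps namespace are hypothetical.
TRUSTED_NAMESPACE = "aleksis.apps"


def is_trusted(app_module):
    # Require the trailing dot so a look-alike package such as
    # "aleksis.apps_evil" does not pass a bare prefix check.
    return app_module.startswith(TRUSTED_NAMESPACE + ".")


def apply_overrides(base, app_module, app_settings):
    """Return (merged, applied, rejected) for one app's settings dict.

    Only names listed in override_settings are replaced, and only for
    trusted apps. Anything else defined by the app is not merged here,
    which is the guard against accidental changes.
    """
    merged = dict(base)  # never mutate the caller's settings
    applied, rejected = [], []
    for name in app_settings.get("override_settings", []):
        # Reject if the app is untrusted or lists a name it does not define.
        if not is_trusted(app_module) or name not in app_settings:
            rejected.append(name)
            continue
        merged[name] = app_settings[name]
        applied.append(name)
    return merged, applied, rejected


# Constructed sample input: base settings and one app's settings.py content.
BASE = {"PAYMENT_MODEL": "core.Payment", "DEBUG": False}
APP_SETTINGS = {
    "override_settings": ["PAYMENT_MODEL"],
    "PAYMENT_MODEL": "tezor.Invoice",
    "DEBUG": True,  # defined by the app but not listed, so never applied
}

if __name__ == "__main__":
    for module in ("aleksis.apps.tezor", "thirdparty.shop"):
        merged, applied, rejected = apply_overrides(BASE, module, APP_SETTINGS)
        print(module, merged, "applied:", applied, "rejected:", rejected)
```

Returning the applied and rejected names lets the loader log every override at startup, so a reviewer can see which app replaced which setting.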