Closed etticat closed 8 months ago
Yes, the djangosettings file has the secret key, database passwords, email passwords, ERP passwords... Access to the file is sensitive indeed. File permissions are set to limit access to members of the "frepple" user group.
Nothing to be done here - this is how the Django web application framework is designed, see https://docs.djangoproject.com/en/4.2/ref/settings/#secret-key
If this isn't sufficient for you, a Google search on the keywords "django" and "secret" will provide inspiration for alternative approaches.
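One of the alternative approaches the reply above alludes to, as an added example that is not part of the frePPLe project or this thread: read SECRET_KEY from an environment variable or from a key file that only its owner can read, and refuse to start when the file is readable by group/others or the key is weak, so the committed settings module no longer carries the literal. The environment variable name, the key file path and the inputs built in `demo()` are hypothetical/constructed.

```python
import os
import stat
import string
import tempfile
from pathlib import Path

class SecretKeyError(RuntimeError):
    """Raised when no usable SECRET_KEY can be loaded at startup."""

def load_secret_key(env_var="FREPPLE_SECRET_KEY", key_file=None):
    """Return Django's SECRET_KEY from the environment or an owner-only key file.
    Both names are hypothetical for this example; frePPLe keeps the key as a
    literal in djangosettings.py."""
    key = os.environ.get(env_var, "").strip()
    if not key:
        if key_file is None:
            raise SecretKeyError(f"neither ${env_var} nor a key file is configured")
        path = Path(key_file)
        mode = stat.S_IMODE(path.stat().st_mode)
        # The key is as sensitive as every password in the settings file: refuse
        # to start if group or others can read it.
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            raise SecretKeyError(f"{path} is readable by group/others (mode {mode:o})")
        key = path.read_text(encoding="utf-8").strip()
    # Same thresholds as Django's security.W009 check, but enforced at startup.
    if len(key) < 50 or len(set(key)) < 5:
        raise SecretKeyError("SECRET_KEY is too short or too uniform")
    return key

def _attempt(**kwargs):
    try:
        load_secret_key(**kwargs)
        return "accepted"
    except SecretKeyError:
        return "rejected"

def demo():
    """Run the loader against constructed inputs and report each outcome."""
    env, strong = "DEMO_SECRET_KEY", string.ascii_letters  # 52 distinct characters
    os.environ.pop(env, None)
    with tempfile.TemporaryDirectory() as tmp:
        key_file = Path(tmp, "secret_key")
        key_file.write_text(strong)
        key_file.chmod(0o600)      # owner-only key file: accepted
        owner_only = load_secret_key(env, key_file) == strong
        key_file.chmod(0o644)      # group/world-readable: refuse to start
        world_readable = _attempt(env_var=env, key_file=key_file)
    os.environ[env] = "changeme"   # weak literal in the environment: refused
    weak_env = _attempt(env_var=env)
    os.environ.pop(env, None)
    return {"owner_only": owner_only, "world_readable": world_readable, "weak_env": weak_env}
```

In a real settings module the whole secret handling collapses to `SECRET_KEY = load_secret_key(key_file="/etc/frepple/secret_key")`, with the key file owned by the service account and mode 0600.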
This SECRET_KEY could be used to run the system locally, obtain an access token and take over a production user. (Depending on the implementation of the authentication; I haven't checked that.)
https://github.com/frePPLe/frepple/blob/f6d5c386ed4e2a5248a7f5c37c6b23fbea06f055/djangosettings.py#L44