Admin
Admin checks are all performed as part of the admin tag.
The following checks are performed on any ModelAdmin (or subclass) that is registered with the admin site:
- admin.E001: The value of raw_id_fields must be a list or tuple.
- admin.E002: The value of raw_id_fields[n] refers to <field name>, which is not an attribute of <model>.
- admin.E003: The value of raw_id_fields[n] must be a ForeignKey or ManyToManyField.
- admin.E004: The value of fields must be a list or tuple.
- admin.E005: Both fieldsets and fields are specified.
- admin.E006: The value of fields contains duplicate field(s).
- admin.E007: The value of fieldsets must be a list or tuple.
- admin.E008: The value of fieldsets[n] must be a list or tuple.
- admin.E009: The value of fieldsets[n] must be of length 2.
- admin.E010: The value of fieldsets[n][1] must be a dictionary.
- admin.E011: The value of fieldsets[n][1] must contain the key fields.
- admin.E012: There are duplicate field(s) in fieldsets[n][1].
- admin.E013: fields[n]/fieldsets[n][m] cannot include the ManyToManyField <field name>, because that field manually specifies a relationship model.
- admin.E014: The value of exclude must be a list or tuple.
- admin.E015: The value of exclude contains duplicate field(s).
- admin.E016: The value of form must inherit from BaseModelForm.
- admin.E017: The value of filter_vertical must be a list or tuple.
- admin.E018: The value of filter_horizontal must be a list or tuple.
- admin.E019: The value of filter_vertical[n]/filter_horizontal[n] refers to <field name>, which is not an attribute of <model>.
- admin.E020: The value of filter_vertical[n]/filter_horizontal[n] must be a ManyToManyField.
- admin.E021: The value of radio_fields must be a dictionary.
- admin.E022: The value of radio_fields refers to <field name>, which is not an attribute of <model>.
- admin.E023: The value of radio_fields refers to <field name>, which is not a ForeignKey, and does not have a choices definition.
- admin.E024: The value of radio_fields[<field name>] must be either admin.HORIZONTAL or admin.VERTICAL.
- admin.E025: The value of view_on_site must be either a callable or a boolean value.
- admin.E026: The value of prepopulated_fields must be a dictionary.
- admin.E027: The value of prepopulated_fields refers to <field name>, which is not an attribute of <model>.
- admin.E028: The value of prepopulated_fields refers to <field name>, which must not be a DateTimeField, ForeignKey or ManyToManyField.
- admin.E029: The value of prepopulated_fields[<field name>] must be a list or tuple.
- admin.E030: The value of prepopulated_fields refers to <field name>, which is not an attribute of <model>.
- admin.E031: The value of ordering must be a list or tuple.
- admin.E032: The value of ordering has the random ordering marker ?, but contains other fields as well.
- admin.E033: The value of ordering refers to <field name>, which is not an attribute of <model>.
- admin.E034: The value of readonly_fields must be a list or tuple.
- admin.E035: The value of readonly_fields[n] is not a callable, an attribute of <ModelAdmin class>, or an attribute of <model>.
ModelAdmin
The following checks are performed on any ModelAdmin that is registered with the admin site:
- admin.E101: The value of save_as must be a boolean.
- admin.E102: The value of save_on_top must be a boolean.
- admin.E103: The value of inlines must be a list or tuple.
- admin.E104: <InlineModelAdmin class> must inherit from BaseModelAdmin.
- admin.E105: <InlineModelAdmin class> must have a model attribute.
- admin.E106: The value of <InlineModelAdmin class>.model must be a Model.
- admin.E107: The value of list_display must be a list or tuple.
- admin.E108: The value of list_display[n] refers to <label>, which is not a callable, an attribute of <ModelAdmin class>, or an attribute or method on <model>.
- admin.E109: The value of list_display[n] must not be a ManyToManyField.
- admin.E110: The value of list_display_links must be a list, a tuple, or None.
- admin.E111: The value of list_display_links[n] refers to <label>, which is not defined in list_display.
- admin.E112: The value of list_filter must be a list or tuple.
- admin.E113: The value of list_filter[n] must inherit from ListFilter.
- admin.E114: The value of list_filter[n] must not inherit from FieldListFilter.
- admin.E115: The value of list_filter[n][1] must inherit from FieldListFilter.
- admin.E116: The value of list_filter[n] refers to <label>, which does not refer to a Field.
- admin.E117: The value of list_select_related must be a boolean, tuple or list.
- admin.E118: The value of list_per_page must be an integer.
- admin.E119: The value of list_max_show_all must be an integer.
- admin.E120: The value of list_editable must be a list or tuple.
- admin.E121: The value of list_editable[n] refers to <label>, which is not an attribute of <model>.
- admin.E122: The value of list_editable[n] refers to <label>, which is not contained in list_display.
- admin.E123: The value of list_editable[n] cannot be in both list_editable and list_display_links.
- admin.E124: The value of list_editable[n] refers to the first field in list_display (<label>), which cannot be used unless list_display_links is set.
- admin.E125: The value of list_editable[n] refers to <field name>, which is not editable through the admin.
- admin.E126: The value of search_fields must be a list or tuple.
- admin.E127: The value of date_hierarchy refers to <field name>, which is not an attribute of <model>.
- admin.E128: The value of date_hierarchy must be a DateField or DateTimeField.
InlineModelAdmin
The following checks are performed on any InlineModelAdmin that is registered as an inline on a ModelAdmin.
- admin.E201: Cannot exclude the field <field name>, because it is the foreign key to the parent model <app_label>.<model>.
- admin.E202: <model> has no ForeignKey to <parent model>. / <model> has more than one ForeignKey to <parent model>.
- admin.E203: The value of extra must be an integer.
- admin.E204: The value of max_num must be an integer.
- admin.E205: The value of min_num must be an integer.
- admin.E206: The value of formset must inherit from BaseModelFormSet.
GenericInlineModelAdmin
The following checks are performed on any GenericInlineModelAdmin that is registered as an inline on a ModelAdmin.
- admin.E301: 'ct_field' references <label>, which is not a field on <model>.
- admin.E302: 'ct_fk_field' references <label>, which is not a field on <model>.
- admin.E303: <model> has no GenericForeignKey.
- admin.E304: <model> has no GenericForeignKey using content type field <field name> and object ID field <field name>.
Content Types
The following checks are performed when a model contains a GenericForeignKey or GenericRelation:
- contenttypes.E001: The GenericForeignKey object ID references the non-existent field <field>.
- contenttypes.E002: The GenericForeignKey content type references the non-existent field <field>.
- contenttypes.E003: <field> is not a ForeignKey.
- contenttypes.E004: <field> is not a ForeignKey to contenttypes.ContentType.
Security
The security checks do not make your site secure. They do not audit code, do intrusion detection, or do anything particularly complex. Rather, they help perform an automated, low-hanging-fruit checklist. They help you remember the simple things that improve your site’s security.
Some of these checks may not be appropriate for your particular deployment configuration. For instance, if you do your HTTP to HTTPS redirection in a load balancer, it’d be irritating to be constantly warned about not having enabled SECURE_SSL_REDIRECT. Use SILENCED_SYSTEM_CHECKS to silence unneeded checks.
The following checks will be run if you use the --deploy option of the check command:
- security.W001: You do not have django.middleware.security.SecurityMiddleware in your MIDDLEWARE_CLASSES so the SECURE_HSTS_SECONDS, SECURE_CONTENT_TYPE_NOSNIFF, SECURE_BROWSER_XSS_FILTER, and SECURE_SSL_REDIRECT settings will have no effect.
- security.W002: You do not have django.middleware.clickjacking.XFrameOptionsMiddleware in your MIDDLEWARE_CLASSES, so your pages will not be served with an 'x-frame-options' header. Unless there is a good reason for your site to be served in a frame, you should consider enabling this header to help prevent clickjacking attacks.
- security.W003: You don’t appear to be using Django’s built-in cross-site request forgery protection via the middleware (django.middleware.csrf.CsrfViewMiddleware is not in your MIDDLEWARE_CLASSES). Enabling the middleware is the safest approach to ensure you don’t leave any holes.
- security.W004: You have not set a value for the SECURE_HSTS_SECONDS setting. If your entire site is served only over SSL, you may want to consider setting a value and enabling HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems.
- security.W005: You have not set the SECURE_HSTS_INCLUDE_SUBDOMAINS setting to True. Without this, your site is potentially vulnerable to attack via an insecure connection to a subdomain. Only set this to True if you are certain that all subdomains of your domain should be served exclusively via SSL.
- security.W006: Your SECURE_CONTENT_TYPE_NOSNIFF setting is not set to True, so your pages will not be served with an 'x-content-type-options: nosniff' header. You should consider enabling this header to prevent the browser from identifying content types incorrectly.
- security.W007: Your SECURE_BROWSER_XSS_FILTER setting is not set to True, so your pages will not be served with an 'x-xss-protection: 1; mode=block' header. You should consider enabling this header to activate the browser’s XSS filtering and help prevent XSS attacks.
- security.W008: Your SECURE_SSL_REDIRECT setting is not set to True. Unless your site should be available over both SSL and non-SSL connections, you may want to either set this setting to True or configure a load balancer or reverse-proxy server to redirect all connections to HTTPS.
- security.W009: Your SECRET_KEY has less than 50 characters or less than 5 unique characters. Please generate a long and random SECRET_KEY, otherwise many of Django’s security-critical features will be vulnerable to attack.
- security.W010: You have django.contrib.sessions in your INSTALLED_APPS but you have not set SESSION_COOKIE_SECURE to True. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.
- security.W011: You have django.contrib.sessions.middleware.SessionMiddleware in your MIDDLEWARE_CLASSES, but you have not set SESSION_COOKIE_SECURE to True. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.
- security.W012: SESSION_COOKIE_SECURE is not set to True. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.
- security.W013: You have django.contrib.sessions in your INSTALLED_APPS, but you have not set SESSION_COOKIE_HTTPONLY to True. Using an HttpOnly session cookie makes it more difficult for cross-site scripting attacks to hijack user sessions.
- security.W014: You have django.contrib.sessions.middleware.SessionMiddleware in your MIDDLEWARE_CLASSES, but you have not set SESSION_COOKIE_HTTPONLY to True. Using an HttpOnly session cookie makes it more difficult for cross-site scripting attacks to hijack user sessions.
- security.W015: SESSION_COOKIE_HTTPONLY is not set to True. Using an HttpOnly session cookie makes it more difficult for cross-site scripting attacks to hijack user sessions.
- security.W016: CSRF_COOKIE_SECURE is not set to True. Using a secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.
- security.W017: CSRF_COOKIE_HTTPONLY is not set to True. Using an HttpOnly CSRF cookie makes it more difficult for cross-site scripting attacks to steal the CSRF token.
- security.W018: You should not have DEBUG set to True in deployment.
- security.W019: You have django.middleware.clickjacking.XFrameOptionsMiddleware in your MIDDLEWARE_CLASSES, but X_FRAME_OPTIONS is not set to 'DENY'. The default is 'SAMEORIGIN', but unless there is a good reason for your site to serve other parts of itself in a frame, you should change it to 'DENY'.
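The checks above are simple setting-by-setting tests, which makes them easy to reason about offline. The following is an added example (not Django's own code, which lives in django.core.checks.security and is run with `python manage.py check --deploy`): a miniature re-implementation of the warning list applied to plain settings dicts, so a weak configuration can be compared with a hardened one and with a load-balancer deployment that silences W008 as described above. The WEAK, HARDENED and BEHIND_LB dicts are constructed samples, the messages are reduced to their IDs, and the secret-key alphabet is assumed to match django.core.management.utils.get_random_secret_key.

```python
"""Added example, not Django's own code: a miniature re-implementation of the
security warnings from `check --deploy`, run against plain settings dicts.
Message texts are omitted; only the warning IDs from the reference list are
returned. Sample settings below are constructed for illustration."""
import secrets

SECURITY_MW = "django.middleware.security.SecurityMiddleware"
XFRAME_MW = "django.middleware.clickjacking.XFrameOptionsMiddleware"
CSRF_MW = "django.middleware.csrf.CsrfViewMiddleware"
SESSION_MW = "django.contrib.sessions.middleware.SessionMiddleware"
SESSION_APP = "django.contrib.sessions"


def _cookie_flag_checks(s, setting, ids):
    """W010/W011/W012 (and W013/W014/W015): which variant fires depends on
    whether the sessions app, the session middleware, or neither is present."""
    if s.get(setting):
        return []
    has_app = SESSION_APP in s.get("INSTALLED_APPS", ())
    has_mw = SESSION_MW in s.get("MIDDLEWARE_CLASSES", ())
    out = []
    if has_app:
        out.append(ids[0])
    if has_mw:
        out.append(ids[1])
    if not has_app and not has_mw:
        out.append(ids[2])
    return out


def deploy_checks(s):
    """Return the sorted warning IDs that settings dict `s` would raise,
    minus anything listed in SILENCED_SYSTEM_CHECKS."""
    w = []
    mw = s.get("MIDDLEWARE_CLASSES", ())
    if SECURITY_MW not in mw:
        w.append("security.W001")
    else:
        # Header and redirect settings only take effect once SecurityMiddleware runs,
        # so their warnings are only meaningful when the middleware is installed.
        if not s.get("SECURE_HSTS_SECONDS"):
            w.append("security.W004")
        elif not s.get("SECURE_HSTS_INCLUDE_SUBDOMAINS"):
            w.append("security.W005")
        if not s.get("SECURE_CONTENT_TYPE_NOSNIFF"):
            w.append("security.W006")
        if not s.get("SECURE_BROWSER_XSS_FILTER"):
            w.append("security.W007")
        if not s.get("SECURE_SSL_REDIRECT"):
            w.append("security.W008")
    if XFRAME_MW not in mw:
        w.append("security.W002")
    elif s.get("X_FRAME_OPTIONS", "SAMEORIGIN") != "DENY":
        w.append("security.W019")
    if CSRF_MW not in mw:
        w.append("security.W003")
    key = s.get("SECRET_KEY", "")
    if len(key) < 50 or len(set(key)) < 5:  # W009 thresholds from the list above
        w.append("security.W009")
    w += _cookie_flag_checks(s, "SESSION_COOKIE_SECURE",
                             ("security.W010", "security.W011", "security.W012"))
    w += _cookie_flag_checks(s, "SESSION_COOKIE_HTTPONLY",
                             ("security.W013", "security.W014", "security.W015"))
    if not s.get("CSRF_COOKIE_SECURE"):
        w.append("security.W016")
    if not s.get("CSRF_COOKIE_HTTPONLY"):
        w.append("security.W017")
    if s.get("DEBUG"):
        w.append("security.W018")
    silenced = set(s.get("SILENCED_SYSTEM_CHECKS", ()))
    return sorted(x for x in w if x not in silenced)


def generate_secret_key(length=50):
    """A key that satisfies W009: at least 50 characters from a large alphabet.
    Alphabet assumed to mirror django.core.management.utils.get_random_secret_key."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)"
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed sample: a development-style settings module pushed to production.
WEAK = dict(
    DEBUG=True, SECRET_KEY="changeme",
    INSTALLED_APPS=[SESSION_APP, "django.contrib.auth"],
    MIDDLEWARE_CLASSES=[SESSION_MW, "django.middleware.common.CommonMiddleware"],
)

# Constructed sample: the same project with every warning addressed.
HARDENED = dict(
    DEBUG=False, SECRET_KEY=generate_secret_key(),
    INSTALLED_APPS=[SESSION_APP, "django.contrib.auth"],
    MIDDLEWARE_CLASSES=[SECURITY_MW, SESSION_MW, CSRF_MW, XFRAME_MW],
    SECURE_HSTS_SECONDS=31536000, SECURE_HSTS_INCLUDE_SUBDOMAINS=True,
    SECURE_CONTENT_TYPE_NOSNIFF=True, SECURE_BROWSER_XSS_FILTER=True,
    SECURE_SSL_REDIRECT=True, X_FRAME_OPTIONS="DENY",
    SESSION_COOKIE_SECURE=True, SESSION_COOKIE_HTTPONLY=True,
    CSRF_COOKIE_SECURE=True, CSRF_COOKIE_HTTPONLY=True,
)

# Constructed sample: HTTP-to-HTTPS redirection is done by the load balancer,
# so W008 is silenced deliberately instead of being re-read on every run.
BEHIND_LB = dict(HARDENED, SECURE_SSL_REDIRECT=False,
                 SILENCED_SYSTEM_CHECKS=["security.W008"])
```

Running `deploy_checks(WEAK)` yields eleven warnings (W001, W002, W003, W009, W010, W011, W013, W014, W016, W017, W018); note that W004 through W008 are absent, not because the weak configuration is safe but because SecurityMiddleware is missing and those settings would have no effect anyway, which is exactly what W001 is warning about. `deploy_checks(HARDENED)` and `deploy_checks(BEHIND_LB)` both return an empty list, the latter only because W008 was silenced on purpose.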