系统检查框架是一组验证Django项目的静态检查。 它检测到常见的问题,并提供了如何解决这些问题的提示。 该框架是可扩展的,所以你可以轻松地添加自己的检查。
有关如何添加自己的检查并将其与 Django 的系统检查集成的详细信息,请参阅:doc:系统检查主题指南</topics/checks>。
CheckMessage
(level, msg, hint=None, obj=None, id=None)系统检查提出的警告和错误必须是“CheckMessage”的实例。 一个实例封装了一个可报告的错误或警告。 它还提供适用于消息的上下文和提示以及用于过滤目的的唯一标识符。
构造方法的参数:
level
msg
hint
obj
__str__()
method. The method is used while reporting all messages and its result precedes the message.id
applabel.X001
, where X
is one of the letters CEWID
, indicating the message severity (C
for criticals, E
for errors and so). The number can be allocated by the application, but should be unique within that application.有一些子类可以使创建通用级别的消息更简单。 当使用它们时,可以省略“level”参数,因为它是由类名所隐含的。
Debug
(msg, hint=None, obj=None, id=None)Info
(msg, hint=None, obj=None, id=None)Warning
(msg, hint=None obj=None, id=None)Error
(msg, hint=None, obj=None, id=None)Critical
(msg, hint=None, obj=None, id=None)
Django 的系统检查按以下标签组织:
admin
:检查所有后台站点申明。caches
:检查缓存相关的配置。compatibility
:标记版本升级可能导致的问题。database
: Checks database-related configuration issues. Database checks are not run by default because they do more than static code analysis as regular checks do. They are only run by the migrate
command or if you specify the database
tag when calling the check
command.models
:检查模型,字段和管理器定义。security
:检查安全相关配置。signals
:检查信号申明和处理器注册信息。staticfiles
:检查 django.contrib.staticfiles
配置。templates
:检查模板相关配置。translation
:检查翻译相关配置。urls
:检查 URL 配置。一些可能通过多个标签同时注册的检查项。
兼容性检查警告那些升级 Django 后可能出现的问题。
<pattern>
has a route
that contains (?P<
, begins with a ^
, or ends with a $
. This was likely an oversight when migrating from url()
to path()
.
The following checks verify that your CACHES
setting is correctly
configured:
'default'
cache in your CACHES
setting.
如果您使用MySQL,需要执行以下检查:
CharField
s to have a max_length
> 255.<alias>
. See also Setting sql_mode.
"__"
.pk
是保留关键字,不能作为字段名使用。db_index``必须是`None`,``True``或`False
。validators
必须都是可调用的。max_length
is too small to fit the longest value in choices
(<count>
characters).AutoField`
必须设置 primary_key=True。BooleanField
s do not accept null values. This check appeared before support for null values was added in Django 2.1.CharField
必须定义一个 max_length
属性。max_length
必须是个正整数。max_length
在使用 <integer field type>
时会被忽略。DecimalField
必须定义一个 decimal_places
属性。decimal_places
必须是个非负整数。DecimalField
必须定义一个 max_digits
属性。max_digits
必须是一个非负整数。max_digits
必须大于或等于 decimal_places
。FilePathField
的 allow_files
或 allow_folders
必须有一个被设为 True。auto_now
, auto_now_add
, and default
are mutually exclusive. Only one of these options may be present.<database>
并不支持在 <field data type>
列上创建数据库索引。BinaryField
’s default
cannot be a string. Use bytes content instead.IPAddressField
has been removed except for support in historical migrations.IPAddressField
has been deprecated. Support for it (except in historical migrations) will be removed in Django 1.9. This check appeared in Django 1.7 and 1.8.CommaSeparatedIntegerField
has been deprecated. Support for it (except in historical migrations) will be removed in Django 2.0. This check appeared in Django 1.10 and 1.11.CommaSeparatedIntegerField
is removed except for support in historical migrations.FloatRangeField
is deprecated and will be removed in Django 3.1.unique
is not a valid argument for a FileField
. This check is removed in Django 1.11.primary_key
对于 FileField
来说不是个有效的参数。FileField
的 upload_to
参数必须是个相对路径,而不是一个相对路径。ImageField
,因为未安装 Pillow。
<model>
, which is either not installed, or is abstract.<model>
which has been swapped out.<field name>
clashes with field <field name>
.<field name>
clashes with field <field name>
.<field name>
clashes with accessor for <field name>
.<field name>
clashes with reverse query name for <field name>
.'+'
.<app label>.<model>.<field name>
was declared with a lazy reference to <app label>.<model>
, but app <app label>
isn't installed or doesn't provide model <model>
.<related query name>
must not end with an underscore.<related query name>
must not contain '__'
.<field1>
, <field2>
, ... on model <model>
is unique.<model>
must set unique=True
because it is referenced by a ForeignKey
.to_field
<field name>
doesn't exist on the related model <app label>.<model>
.on_delete=SET_NULL
, but cannot be null.on_delete=SET_DEFAULT
, but has no default value.ManyToManyField
s cannot be unique.<model>
, which has not been installed.<model>
, but it has more than two foreign keys to <model>
, which is ambiguous. You must specify which two foreign keys Django should use via the through_fields
keyword argument.<model>
, but it has more than one foreign key from <model>
, which is ambiguous. You must specify which foreign key Django should use via the through_fields
keyword argument.<model>
, but it has more than one foreign key to <model>
, which is ambiguous. You must specify which foreign key Django should use via the through_fields
keyword argument.<model>
, but it does not have foreign key to <model>
or <model>
.through_fields
but does not provide the names of the two link fields that should be used for the relation through <model>
.<through model>
has no field <field name>
.<model>.<field name>
is not a foreign key to <model>
.<table name>
clashes with the table name of <model>
/<model>.<field name>
.null
has no effect on ManyToManyField
.ManyToManyField
does not support validators
.unique=True
on a ForeignKey
has the same effect as using a OneToOneField
.limit_choices_to
has no effect on ManyToManyField
with a through
model.
<swappable>
不是表单 app_label.app_name
。<SETTING>
references <model>
, which has not been installed, or is abstract.<app_label>.<model>
.id
can only be used as a field name if the field also sets primary_key=True
.<field name>
from parent model <model>
clashes with the field <field name>
from parent model <model>
.<model>
的字段 <field name>
冲突的字段。<column name>
被其它字段使用的字段 <field name>
。index_together
必须是个列表或元组。index_together
元素都必须是列表或元组。unique_together
必须是个列表或元组。unique_together
元素都必须是列表或元组。indexes/index_together/unique_together
指向了不存在的字段 <field name>
。indexes/index_together/unique_together
指向一个 ManyToManyField
<field name>
,但此选项不支持 ManyToManyField
。ordering
必须是个元组或列表(即便你只想按照一个字段进行排序)。ordering
refers to the nonexistent field, related field, or lookup <field name>
.indexes/index_together/unique_together
refers to field <field_name>
which is not local to model <model>
.<model>
contains model fields.<field>
. Maximum length is <maximum length>
for database <alias>
.<M2M field>
. Maximum length is <maximum length>
for database <alias>
.<model>.check()
class method is currently overridden.ordering
and order_with_respect_to
cannot be used together.<function>
contains a lazy reference to <app label>.<model>
, but app <app label>
isn't installed or doesn't provide model <model>
.<model>
cannot start or end with an underscore as it collides with the query lookup syntax.<model>
cannot contain double underscores as it collides with the query lookup syntax.<property name>
clashes with a related field accessor.primary_key=True
.<database>
does not support check constraints.db_table
<db_table>
is used by multiple models: <model list>
.<index>
is not unique for model <model>
.<index>
is not unique amongst models: <model list>
.<constraint>
is not unique for model <model>
.<constraint>
is not unique amongst models: <model list>
.<index>
cannot start with an underscore or a number.<index>
cannot be longer than <max_length>
characters.db_table
<db_table>
is used by multiple models: <model list>
.
The security checks do not make your site secure. They do not audit code, do intrusion detection, or do anything particularly complex. Rather, they help perform an automated, low-hanging-fruit checklist, that can help you to improve your site's security.
Some of these checks may not be appropriate for your particular deployment
configuration. For instance, if you do your HTTP to HTTPS redirection in a load
balancer, it'd be irritating to be constantly warned about not having enabled
SECURE_SSL_REDIRECT
. Use SILENCED_SYSTEM_CHECKS
to
silence unneeded checks.
The following checks are run if you use the check --deploy
option:
django.middleware.security.SecurityMiddleware
in your MIDDLEWARE
so the SECURE_HSTS_SECONDS
, SECURE_CONTENT_TYPE_NOSNIFF
, SECURE_BROWSER_XSS_FILTER
, SECURE_REFERRER_POLICY
, and SECURE_SSL_REDIRECT
settings will have no effect.django.middleware.clickjacking.XFrameOptionsMiddleware
in your MIDDLEWARE
, so your pages will not be served with an 'x-frame-options'
header. Unless there is a good reason for your site to be served in a frame, you should consider enabling this header to help prevent clickjacking attacks.django.middleware.csrf.CsrfViewMiddleware
is not in your MIDDLEWARE
). Enabling the middleware is the safest approach to ensure you don't leave any holes.SECURE_HSTS_SECONDS
setting. If your entire site is served only over SSL, you may want to consider setting a value and enabling HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems.SECURE_HSTS_INCLUDE_SUBDOMAINS
setting to True
. Without this, your site is potentially vulnerable to attack via an insecure connection to a subdomain. Only set this to True
if you are certain that all subdomains of your domain should be served exclusively via SSL.SECURE_CONTENT_TYPE_NOSNIFF
setting is not set to True
, so your pages will not be served with an 'X-Content-Type-Options: nosniff'
header. You should consider enabling this header to prevent the browser from identifying content types incorrectly.SECURE_BROWSER_XSS_FILTER
setting is not set to True
, so your pages will not be served with an 'X-XSS-Protection: 1; mode=block'
header. You should consider enabling this header to activate the browser's XSS filtering and help prevent XSS attacks. This check is removed in Django 3.0 as the X-XSS-Protection
header is no longer honored by modern browsers.SECURE_SSL_REDIRECT
setting is not set to True
. Unless your site should be available over both SSL and non-SSL connections, you may want to either set this setting to True
or configure a load balancer or reverse-proxy server to redirect all connections to HTTPS.SECRET_KEY
has less than 50 characters or less than 5 unique characters. Please generate a long and random SECRET_KEY
, otherwise many of Django's security-critical features will be vulnerable to attack.django.contrib.sessions
in your INSTALLED_APPS
but you have not set SESSION_COOKIE_SECURE
to True
. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.django.contrib.sessions.middleware.SessionMiddleware
in your MIDDLEWARE
, but you have not set SESSION_COOKIE_SECURE
to True
. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.SESSION_COOKIE_SECURE
is not set to True
. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.django.contrib.sessions
in your INSTALLED_APPS
, but you have not set SESSION_COOKIE_HTTPONLY
to True
. Using an HttpOnly
session cookie makes it more difficult for cross-site scripting attacks to hijack user sessions.django.contrib.sessions.middleware.SessionMiddleware
in your MIDDLEWARE
, but you have not set SESSION_COOKIE_HTTPONLY
to True
. Using an HttpOnly
session cookie makes it more difficult for cross-site scripting attacks to hijack user sessions.SESSION_COOKIE_HTTPONLY
is not set to True
. Using an HttpOnly
session cookie makes it more difficult for cross-site scripting attacks to hijack user sessions.CSRF_COOKIE_SECURE
is not set to True
. Using a secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.CSRF_COOKIE_HTTPONLY
is not set to True
. Using an HttpOnly
CSRF cookie makes it more difficult for cross-site scripting attacks to steal the CSRF token. This check is removed in Django 1.11 as the CSRF_COOKIE_HTTPONLY
setting offers no practical benefit.DEBUG
set to True
in deployment.django.middleware.clickjacking.XFrameOptionsMiddleware
in your MIDDLEWARE
, but X_FRAME_OPTIONS
is not set to 'DENY'
. Unless there is a good reason for your site to serve other parts of itself in a frame, you should change it to 'DENY'
.ALLOWED_HOSTS
must not be empty in deployment.SECURE_HSTS_PRELOAD
setting to True
. Without this, your site cannot be submitted to the browser preload list.SECURE_REFERRER_POLICY
setting. Without this, your site will not send a Referrer-Policy header. You should consider enabling this header to protect user privacy.SECURE_REFERRER_POLICY
setting to an invalid value.
<handler>
was connected to the <signal>
signal with a lazy reference to the sender <app label>.<model>
, but app <app label>
isn't installed or doesn't provide model <model>
.
The following checks verify that your TEMPLATES
setting is correctly
configured:
'APP_DIRS': True
in your TEMPLATES
but also specify 'loaders'
in OPTIONS
. Either remove APP_DIRS
or remove the 'loaders'
option.string_if_invalid
in TEMPLATES
OPTIONS
must be a string but got: {value}
({type}
).
The following checks are performed on your translation configuration:
LANGUAGE_CODE
setting: <value>
.LANGUAGES
setting: <value>
.LANGUAGES_BIDI
setting: <value>
.LANGUAGE_CODE
setting that is not in the LANGUAGES
setting.
以下检查项针对你的 URL 配置执行:
<pattern>
uses include()
with a route
ending with a $
. Remove the dollar from the route
to avoid problems including URLs.<pattern>
has a route
beginning with a /
. Remove this slash as it is unnecessary. If this pattern is targeted in an include()
, ensure the include()
pattern has a trailing /
.<pattern>
has a name
including a :
. Remove the colon, to avoid ambiguous namespace references.<pattern>
is invalid. Ensure that urlpatterns
is a list of path()
and/or re_path()
instances.<namespace>
isn't unique. You may not be able to reverse all URLs in this namespace.MEDIA_URL
/ STATIC_URL
setting must end with a slash.handlerXXX
view 'path.to.view'
does not take the correct number of arguments (…).handlerXXX
view 'path.to.view'
could not be imported.
contrib
应用检查admin
后台检查项均作为 admin
标签的一部分执行。
以下检查项在每个通过后台站点注册的 ModelAdmin
(或其子类)上执行。
raw_id_fields
的值必须是个列表或元组。raw_id_fields[n]
的值指向 <field name>
,它并不是 <model>
的属性。raw_id_fields[n]
的值必须是个外键或一个多对多字段。fields
的值必须是列表或元组。fieldsets
和 fields
都是定制的。fields
的值包含了重复字段。fieldsets
的值必须是个列表或元组。fieldsets[n]
的值必须是个列表或元组。fieldsets[n]
的值的长度必须是 2。fieldsets[n][1]
的值必须是个字典。fieldsets[n][1]
的值必须包含键 fields
。fieldsets[n][1]
中有重复字段。fields[n]/fieldsets[n][m]
cannot include the ManyToManyField
<field name>
, because that field manually specifies a relationship model.exclude
的值必须是个列表或元组。exclude
的值必须包含重复字段。form
的值必须继承自 BaseModelForm
。filter_vertical
的值必须是个列表或元组。filter_horizontal
的值必须是个列表或元组。filter_vertical[n]/filter_vertical[n]
refers to <field name>
, which is not an attribute of <model>
.filter_vertical[n]/filter_vertical[n]
must be a many-to-many field.radio_fields
must be a dictionary.radio_fields
refers to <field name>
, which is not an attribute of <model>
.radio_fields
refers to <field name>
, which is not a ForeignKey
, and does not have a choices
definition.radio_fields[<field name>]
must be either admin.HORIZONTAL
or admin.VERTICAL
.view_on_site
must be either a callable or a boolean value.prepopulated_fields
must be a dictionary.prepopulated_fields
refers to <field name>
, which is not an attribute of <model>
.prepopulated_fields
refers to <field name>
, which must not be a DateTimeField
, a ForeignKey
, a OneToOneField
, or a ManyToManyField
field.prepopulated_fields[<field name>]
must be a list or tuple.prepopulated_fields
refers to <field name>
, which is not an attribute of <model>
.ordering
must be a list or tuple.ordering
has the random ordering marker ?
, but contains other fields as well.ordering
refers to <field name>
, which is not an attribute of <model>
.readonly_fields
must be a list or tuple.readonly_fields[n]
is not a callable, an attribute of <ModelAdmin class>
, or an attribute of <model>
.autocomplete_fields
must be a list or tuple.autocomplete_fields[n]
refers to <field name>
, which is not an attribute of <model>
.autocomplete_fields[n]
must be a foreign key or a many-to-many field.<model>
has to be registered to be referenced by <modeladmin>.autocomplete_fields
.<modeladmin>
must define search_fields
, because it's referenced by <other_modeladmin>.autocomplete_fields
.ModelAdmin
The following checks are performed on any
ModelAdmin
that is registered
with the admin site:
save_as
的值必须是个布尔值。save_on_top
的值必须是个布尔值。inlines
的值必须是个列表或元组。<InlineModelAdmin class>
必须继承自 InlineModelAdmin
。<InlineModelAdmin class>
必须有个 model
属性。<InlineModelAdmin class>.model
的值必须是个 Model
。list_display
的值必须是个列表或元组。list_display[n]
refers to <label>
, which is not a callable, an attribute of <ModelAdmin class>
, or an attribute or method on <model>
.list_display[n]
的值绝对不能是个 ManyToManyField
字段。list_display_links
must be a list, a tuple, or None
.list_display_links[n]
refers to <label>
, which is not defined in list_display
.list_filter
must be a list or tuple.list_filter[n]
must inherit from ListFilter
.list_filter[n]
must not inherit from FieldListFilter
.list_filter[n][1]
must inherit from FieldListFilter
.list_filter[n]
refers to <label>
, which does not refer to a Field.list_select_related
must be a boolean, tuple or list.list_per_page
must be an integer.list_max_show_all
must be an integer.list_editable
must be a list or tuple.list_editable[n]
refers to <label>
, which is not an attribute of <model>
.list_editable[n]
refers to <label>
, which is not contained in list_display
.list_editable[n]
cannot be in both list_editable
and list_display_links
.list_editable[n]
refers to the first field in list_display
(<label>
), which cannot be used unless list_display_links
is set.list_editable[n]
refers to <field name>
, which is not editable through the admin.search_fields
must be a list or tuple.date_hierarchy
refers to <field name>
, which does not refer to a Field.date_hierarchy
must be a DateField
or DateTimeField
.<modeladmin>
must define a has_<foo>_permission()
method for the <action>
action.__name__
attributes of actions defined in <modeladmin>
must be unique.
InlineModelAdmin
The following checks are performed on any
InlineModelAdmin
that is registered as an
inline on a ModelAdmin
.
<field name>
, because it is the foreign key to the parent model <app_label>.<model>
.<model>
has no ForeignKey
to <parent model>
./ <model>
has more than one ForeignKey
to <parent model>
.extra
must be an integer.max_num
must be an integer.min_num
must be an integer.formset
must inherit from BaseModelFormSet
.
GenericInlineModelAdmin
The following checks are performed on any
GenericInlineModelAdmin
that is
registered as an inline on a ModelAdmin
.
'ct_field'
references <label>
, which is not a field on <model>
.'ct_fk_field'
references <label>
, which is not a field on <model>
.<model>
has no GenericForeignKey
.<model>
has no GenericForeignKey
using content type field <field name>
and object ID field <field name>
.
AdminSite
The following checks are performed on the default
AdminSite
:
django.contrib.contenttypes
must be in INSTALLED_APPS
in order to use the admin application.django.contrib.auth.context_processors.auth
must be enabled in DjangoTemplates
(TEMPLATES
) if using the default auth backend in order to use the admin application.django.template.backends.django.DjangoTemplates
instance must be configured in TEMPLATES
in order to use the admin application.django.contrib.messages.context_processors.messages
must be enabled in DjangoTemplates
(TEMPLATES
) in order to use the admin application.django.contrib.auth
must be in INSTALLED_APPS
in order to use the admin application.django.contrib.messages
must be in INSTALLED_APPS
in order to use the admin application.django.contrib.auth.middleware.AuthenticationMiddleware
must be in MIDDLEWARE
in order to use the admin application.django.contrib.messages.middleware.MessageMiddleware
must be in MIDDLEWARE
in order to use the admin application.django.contrib.sessions.middleware.SessionMiddleware
must be in MIDDLEWARE
in order to use the admin application.
auth
REQUIRED_FIELDS
must be a list or tuple.USERNAME_FIELD
for a custom user model must not be included in REQUIRED_FIELDS
.<field>
must be unique because it is named as the USERNAME_FIELD
.<field>
is named as the USERNAME_FIELD
, but it is not unique.<codename>
clashes with a builtin permission for model <model>
.<codename>
is duplicated for model <model>
.verbose_name
of model <model>
must be at most 244 characters for its builtin permission names to be at most 255 characters.<name>
of model <model>
is longer than 255 characters.<User model>.is_anonymous
must be an attribute or property rather than a method. Ignoring this is a security issue as anonymous users will be treated as authenticated!<User model>.is_authenticated
must be an attribute or property rather than a method. Ignoring this is a security issue as anonymous users will be treated as authenticated!
contenttypes
The following checks are performed when a model contains a
GenericForeignKey
or
GenericRelation
:
GenericForeignKey
object ID references the nonexistent field <field>
.GenericForeignKey
content type references the nonexistent field <field>
.<field>
is not a ForeignKey
.<field>
is not a ForeignKey
to contenttypes.ContentType
.
postgres
The following checks are performed on django.contrib.postgres
model
fields:
<field>
default should be a callable instead of an instance so that it's not shared between all field instances.
sites
The following checks are performed on any model using a
CurrentSiteManager
:
CurrentSiteManager
could not find a field named <field name>
.CurrentSiteManager
cannot use <field>
as it is not a foreign key or a many-to-many field.
staticfiles
The following checks verify that django.contrib.staticfiles
is correctly
configured:
STATICFILES_DIRS
setting is not a tuple or list.STATICFILES_DIRS
setting should not contain the STATIC_ROOT
setting.<prefix>
in the STATICFILES_DIRS
setting must not end with a slash.