Security
The installation gives you a step by step guide. However, it is your responsibility to secure the server following the standard Linux security guidelines that you should know before going live with your project.
We would recommend you to follow some of the following links:
Note
Some of these links might not work because the owners would change them, or even remove them.
PYBOSSA server security¶
Use always an unprivileged user to run PYBOSSA. Also, add secure passwords in all the variables, as this will be key to ensure that your signatures cannot be broken easily.
Redis and Sentinel¶
To secure these services, read the official documentation.
PostgreSQL¶
To secure the database, read the official documentation.
Data security¶
PYBOSSA keeps everything private for anonymous users unless you specify in the settings_local.py file fields that you want to disclose.
PYBOSSA can store any information within the info field of the following domain objects:
- Announcement.
- Blogpost.
- Category.
- Helpingmaterial,
- Page,
- Project, and
- User.
Announcement¶
PYBOSSA includes the following fields in a GET API call:
- created
- updated
- id
- user_id
- title
- body
- media_url
- published
- info
From info, everything is public for users that are anonymous or are not the owner of the announcement.
Blogpost¶
PYBOSSA includes the following fields in a GET API call:
- created
- updated
- project_id
- id
- user_id
- title
- body
- media_url
- published
- info
From info, everything is public for users that are anonymous or are not the owner of the blogpost.
Category¶
PYBOSSA includes the following fields in a GET API call:
- description
- short_name
- created
- id
- name
- info
From info, everything is public for users that are anonymous or are not the owner of the category.
Helpingmaterial¶
PYBOSSA includes the following fields in a GET API call:
- created
- id
- info
- media_url
- priority
From info, everything is public for users that are anonymous or are not the owner of the helpingmaterial.
Page¶
PYBOSSA includes the following fields in a GET API call:
- created
- id
- info
- media_url
- slug
From info, everything is public for users that are anonymous or are not the owner of the page.
Project¶
PYBOSSA includes the following fields in a GET API call:
- id
- description
- info
- n_tasks
- n_volunteers
- name
- overall_progress
- short_name
- created
- category_id
- long_description
- last_activity
- last_activity_raw
- n_task_runs
- n_results
- owner
- updated
- featured
- owner_id
- n_completed_tasks
- n_blogposts
- owners_ids
From info, only the following items are public: * container * thumbnail * thumbnail_url * task_presenter * tutorial * sched
Any other key will be private except for the owner or an admin. If you want to add more keys, just use the following flag in the settings_local.py file:
PROJECT_INFO_PUBLIC_FIELDS = ['key1', 'key2', .., 'keyN']
User¶
PYBOSSA includes the following fields in a GET API call:
- created
- name
- fullname
- info
- n_answers
- registered_ago
- rank
- score
- locale
From info, only the following items are public:
- avatar
- container
- extra
- avatar_url
Any other key will be private except for the owner or an admin. If you want to add more keys, just use the following flag in the settings_local.py file:
USER_INFO_PUBLIC_FIELDS = ['key1', 'key2', .., 'keyN']