Diffstat (limited to 'budget/run.py')
-rw-r--r--budget/run.py21
1 files changed, 20 insertions, 1 deletions
diff --git a/budget/run.py b/budget/run.py
index 00d4326..7fe4e24 100644
--- a/budget/run.py
+++ b/budget/run.py
@@ -12,6 +12,8 @@ from api import api
from utils import PrefixedWSGI
from utils import minimal_round
+import default_settings
+
app = Flask(__name__, instance_path='/etc/ihatemoney', instance_relative_config=True)
@@ -41,17 +43,34 @@ def configure():
app.config.from_pyfile('ihatemoney.cfg', silent=True)
app.wsgi_app = PrefixedWSGI(app)
+ if app.config['SECRET_KEY'] == default_settings.SECRET_KEY:
+ warnings.warn(
+ "Running a server without changing the SECRET_KEY can lead to"
+ + " user impersonation. Please update your configuration file.",
+ UserWarning
+ )
# Deprecations
if 'DEFAULT_MAIL_SENDER' in app.config:
# Since flask-mail 0.8
warnings.warn(
"DEFAULT_MAIL_SENDER is deprecated in favor of MAIL_DEFAULT_SENDER"
- +" and will be removed in further version",
+ + " and will be removed in further version",
UserWarning
)
if not 'MAIL_DEFAULT_SENDER' in app.config:
app.config['MAIL_DEFAULT_SENDER'] = DEFAULT_MAIL_SENDER
+ if "pbkdf2:sha256:" not in app.config['ADMIN_PASSWORD'] and app.config['ADMIN_PASSWORD']:
+ # Since 2.0
+ warnings.warn(
+ "The way Ihatemoney stores your ADMIN_PASSWORD has changed. You are using an unhashed"
+ +" ADMIN_PASSWORD, which is not supported anymore and won't let you access your admin"
+ +" endpoints. Please use the command './budget/manage.py generate_password_hash'"
+ +" to generate a proper password HASH and copy the output to the value of"
+ +" ADMIN_PASSWORD in your settings file.",
+ UserWarning
+ )
+
configure()
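Review bot: The ADMIN_PASSWORD condition in configure() runs the `not in` test before the truthiness test and matches the marker anywhere in the string, so a value of `None` raises TypeError instead of being skipped, and the check is looser than the prefix test it is meant to be. I would write `admin_password = app.config.get('ADMIN_PASSWORD')` followed by `if admin_password and not admin_password.startswith("pbkdf2:sha256:"):`. The marker is also tied to a single hash method, so if the `generate_password_hash` command ever emits another method, a valid hash would trigger this warning; a short comment noting that coupling would help. Separately, the SECRET_KEY check only warns, so the app keeps signing sessions with the key from default_settings; consider refusing to start outside debug mode. configure() begins above this hunk, so how the defaults are loaded into app.config is not visible here.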