heckyel/mediagoblin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge remote branch 'remotes/nyergler/issue-680-csrf-optout'

Browse Source 
* remotes/nyergler/issue-680-csrf-optout:
  Issue 680 Allow decorating views to prevent CSRF protection.
  Issue 680: Dispatch meddleware request processing post-routing
This commit is contained in:
Elrond 2011-11-28 18:40:45 +01:00
commit 72567762e3
5 changed files with 43 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
mediagoblin/app.py
View File

@ -107,12 +107,6 @@ class MediaGoblinApp(object):
def __call__(self, environ, start_response): def __call__(self, environ, start_response):
request = Request(environ) request = Request(environ)
# pass the request through our meddleware classes
for m in self.meddleware:
response = m.process_request(request)
if response is not None:
return response(environ, start_response)
## Routing / controller loading stuff ## Routing / controller loading stuff
path_info = request.path_info path_info = request.path_info
route_match = self.routing.match(path_info) route_match = self.routing.match(path_info)
@ -164,6 +158,13 @@ class MediaGoblinApp(object):
return render_404(request)(environ, start_response) return render_404(request)(environ, start_response)
controller = common.import_component(route_match['controller']) controller = common.import_component(route_match['controller'])
# pass the request through our meddleware classes
for m in self.meddleware:
response = m.process_request(request, controller)
if response is not None:
return response(environ, start_response)
request.start_response = start_response request.start_response = start_response
# get the response from the controller # get the response from the controller

2
mediagoblin/meddleware/__init__.py
View File

@ -25,7 +25,7 @@ class BaseMeddleware(object):
def __init__(self, mg_app): def __init__(self, mg_app):
self.app = mg_app self.app = mg_app
def process_request(self, request): def process_request(self, request, controller):
pass pass
def process_response(self, request, response): def process_response(self, request, response):

17
mediagoblin/meddleware/csrf.py
View File

@ -31,6 +31,13 @@ else:
getrandbits = random.getrandbits getrandbits = random.getrandbits
def csrf_exempt(func):
"""Decorate a Controller to exempt it from CSRF protection."""
func.csrf_enabled = False
return func
class CsrfForm(Form): class CsrfForm(Form):
"""Simple form to handle rendering a CSRF token and confirming it """Simple form to handle rendering a CSRF token and confirming it
is included in the POST.""" is included in the POST."""
@ -58,7 +65,7 @@ class CsrfMeddleware(BaseMeddleware):
CSRF_KEYLEN = 64 CSRF_KEYLEN = 64
SAFE_HTTP_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE") SAFE_HTTP_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")
def process_request(self, request): def process_request(self, request, controller):
"""For non-safe requests, confirm that the tokens are present """For non-safe requests, confirm that the tokens are present
and match. and match.
""" """
@ -75,9 +82,11 @@ class CsrfMeddleware(BaseMeddleware):
# if this is a non-"safe" request (ie, one that could have # if this is a non-"safe" request (ie, one that could have
# side effects), confirm that the CSRF tokens are present and # side effects), confirm that the CSRF tokens are present and
# valid # valid
if request.method not in self.SAFE_HTTP_METHODS \ if (getattr(controller, 'csrf_enabled', True) and
and ('gmg.verify_csrf' in request.environ or request.method not in self.SAFE_HTTP_METHODS and
'paste.testing' not in request.environ): ('gmg.verify_csrf' in request.environ or
'paste.testing' not in request.environ)
):
return self.verify_tokens(request) return self.verify_tokens(request)

3
mediagoblin/meddleware/noop.py
View File

@ -19,7 +19,8 @@ from mediagoblin.meddleware import BaseMeddleware
class NoOpMeddleware(BaseMeddleware): class NoOpMeddleware(BaseMeddleware):
def process_request(self, request):
def process_request(self, request, controller):
pass pass
def process_response(self, request, response): def process_response(self, request, response):

19
mediagoblin/tests/test_csrf_middleware.py
View File

@ -69,3 +69,22 @@ def test_csrf_token_must_match(test_app):
mg_globals.app_config['csrf_cookie_name'])}, mg_globals.app_config['csrf_cookie_name'])},
extra_environ={'gmg.verify_csrf': True}).\ extra_environ={'gmg.verify_csrf': True}).\
status_int == 200 status_int == 200
@setup_fresh_app
def test_csrf_exempt(test_app):
# monkey with the views to decorate a known endpoint
import mediagoblin.auth.views
from mediagoblin.meddleware.csrf import csrf_exempt
mediagoblin.auth.views.login = csrf_exempt(
mediagoblin.auth.views.login
)
# construct a request with no cookie or form token
assert test_app.post('/auth/login/',
extra_environ={'gmg.verify_csrf': True},
expect_errors=False).status_int == 200
# restore the CSRF protection in case other tests expect it
mediagoblin.auth.views.login.csrf_enabled = True