Merge branch 'master' of gitorious.org:mediagoblin/mediagoblin

mediagoblin/app.py

@@ -107,12 +107,6 @@ class MediaGoblinApp(object):
     def __call__(self, environ, start_response):
         request = Request(environ)
 
-        # pass the request through our meddleware classes
-        for m in self.meddleware:
-            response = m.process_request(request)
-            if response is not None:
-                return response(environ, start_response)
-
         ## Routing / controller loading stuff
         path_info = request.path_info
         route_match = self.routing.match(path_info)
@@ -164,6 +158,13 @@ class MediaGoblinApp(object):
             return render_404(request)(environ, start_response)
 
         controller = common.import_component(route_match['controller'])
+
+        # pass the request through our meddleware classes
+        for m in self.meddleware:
+            response = m.process_request(request, controller)
+            if response is not None:
+                return response(environ, start_response)
+
         request.start_response = start_response
 
         # get the response from the controller

mediagoblin/edit/forms.py

@@ -28,7 +28,7 @@ class EditForm(wtforms.Form):
         _('Tags'),
         [tag_length_validator],
         description=_(
-            "Seperate tags by commas or spaces."))
+            "Seperate tags by commas."))
     slug = wtforms.TextField(
         _('Slug'),
         [wtforms.validators.Required(message=_("The slug can't be empty"))],

mediagoblin/meddleware/__init__.py

@@ -25,7 +25,7 @@ class BaseMeddleware(object):
     def __init__(self, mg_app):
         self.app = mg_app
 
-    def process_request(self, request):
+    def process_request(self, request, controller):
         pass
 
     def process_response(self, request, response):

mediagoblin/meddleware/csrf.py

@@ -31,6 +31,13 @@ else:
     getrandbits = random.getrandbits
 
 
+def csrf_exempt(func):
+    """Decorate a Controller to exempt it from CSRF protection."""
+
+    func.csrf_enabled = False
+    return func
+
+
 class CsrfForm(Form):
     """Simple form to handle rendering a CSRF token and confirming it
     is included in the POST."""
@@ -58,7 +65,7 @@ class CsrfMeddleware(BaseMeddleware):
     CSRF_KEYLEN = 64
     SAFE_HTTP_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")
 
-    def process_request(self, request):
+    def process_request(self, request, controller):
         """For non-safe requests, confirm that the tokens are present
         and match.
         """
@@ -75,9 +82,11 @@ class CsrfMeddleware(BaseMeddleware):
         # if this is a non-"safe" request (ie, one that could have
         # side effects), confirm that the CSRF tokens are present and
         # valid
-        if request.method not in self.SAFE_HTTP_METHODS \
+        if (getattr(controller, 'csrf_enabled', True) and
-            and ('gmg.verify_csrf' in request.environ or
+            request.method not in self.SAFE_HTTP_METHODS and
-                 'paste.testing' not in request.environ):
+            ('gmg.verify_csrf' in request.environ or
+             'paste.testing' not in request.environ)
+        ):
 
             return self.verify_tokens(request)
 

mediagoblin/meddleware/noop.py

@@ -19,7 +19,8 @@ from mediagoblin.meddleware import BaseMeddleware
 
 
 class NoOpMeddleware(BaseMeddleware):
-    def process_request(self, request):
+
+    def process_request(self, request, controller):
         pass
 
     def process_response(self, request, response):

mediagoblin/submit/forms.py

@@ -32,4 +32,4 @@ class SubmitStartForm(wtforms.Form):
         _('Tags'),
         [tag_length_validator],
         description=_(
-          "Seperate tags by commas or spaces."))
+          "Seperate tags by commas."))

mediagoblin/templates/mediagoblin/auth/change_fp.html

@@ -30,7 +30,7 @@
 
       {{ wtforms_util.render_divs(cp_form) }}
       <div class="form_submit_buttons">
-        <input type="submit" value="submit" class="button_form"/>
+        <input type="submit" value="{% trans %}Submit{% endtrans %}" class="button_form"/>
       </div>
 
     </div>

mediagoblin/templates/mediagoblin/utils/pagination.html

@@ -47,7 +47,7 @@
           <a href="{{ next_url }}"><img class="pagination_arrow" src="{{ request.staticdirect('/images/pagination_right.png') }}" alt="Next page" /></a>
         {% endif %}
         <br />
-        Go to page: 
+        {% trans %}Go to page:{% endtrans %}
         {%- for page in pagination.iter_pages() %}
           {% if page %}
             {% if page != pagination.page %}

mediagoblin/tests/test_csrf_middleware.py

@@ -69,3 +69,22 @@ def test_csrf_token_must_match(test_app):
                                   mg_globals.app_config['csrf_cookie_name'])},
                          extra_environ={'gmg.verify_csrf': True}).\
                          status_int == 200
+
+@setup_fresh_app
+def test_csrf_exempt(test_app):
+
+    # monkey with the views to decorate a known endpoint
+    import mediagoblin.auth.views
+    from mediagoblin.meddleware.csrf import csrf_exempt
+
+    mediagoblin.auth.views.login = csrf_exempt(
+        mediagoblin.auth.views.login
+    )
+
+    # construct a request with no cookie or form token
+    assert test_app.post('/auth/login/',
+                         extra_environ={'gmg.verify_csrf': True},
+                         expect_errors=False).status_int == 200
+
+    # restore the CSRF protection in case other tests expect it
+    mediagoblin.auth.views.login.csrf_enabled = True