Issue 680 Allow decorating views to prevent CSRF protection.

2011-11-26 15:32:35 -08:00 · 2011-11-26 15:32:35 -08:00 · ca9ebfe2e0
commit ca9ebfe2e0
parent 91cf67385a
2 changed files with 32 additions and 4 deletions
--- a/mediagoblin/meddleware/csrf.py
+++ b/mediagoblin/meddleware/csrf.py
@ -31,6 +31,13 @@ else:
    getrandbits = random.getrandbits


+def csrf_exempt(func):
+    """Decorate a Controller to exempt it from CSRF protection."""
+
+    func.csrf_enabled = False
+    return func
+
+
 class CsrfForm(Form):
    """Simple form to handle rendering a CSRF token and confirming it
    is included in the POST."""
@ -75,9 +82,11 @@ class CsrfMeddleware(BaseMeddleware):
        # if this is a non-"safe" request (ie, one that could have
        # side effects), confirm that the CSRF tokens are present and
        # valid
-        if request.method not in self.SAFE_HTTP_METHODS \
-            and ('gmg.verify_csrf' in request.environ or
-                 'paste.testing' not in request.environ):
+        if (getattr(controller, 'csrf_enabled', True) and
+            request.method not in self.SAFE_HTTP_METHODS and
+            ('gmg.verify_csrf' in request.environ or
+             'paste.testing' not in request.environ)
+        ):

            return self.verify_tokens(request)

--- a/mediagoblin/tests/test_csrf_middleware.py
+++ b/mediagoblin/tests/test_csrf_middleware.py
@ -27,7 +27,7 @@ from mediagoblin import mg_globals
 def test_csrf_cookie_set(test_app):

    cookie_name = mg_globals.app_config['csrf_cookie_name']
-    
+
    # get login page
    response = test_app.get('/auth/login/')

@ -69,3 +69,22 @@ def test_csrf_token_must_match(test_app):
                                  mg_globals.app_config['csrf_cookie_name'])},
                         extra_environ={'gmg.verify_csrf': True}).\
                         status_int == 200
+
+@setup_fresh_app
+def test_csrf_exempt(test_app):
+
+    # monkey with the views to decorate a known endpoint
+    import mediagoblin.auth.views
+    from mediagoblin.meddleware.csrf import csrf_exempt
+
+    mediagoblin.auth.views.login = csrf_exempt(
+        mediagoblin.auth.views.login
+    )
+
+    # construct a request with no cookie or form token
+    assert test_app.post('/auth/login/',
+                         extra_environ={'gmg.verify_csrf': True},
+                         expect_errors=False).status_int == 200
+
+    # restore the CSRF protection in case other tests expect it
+    mediagoblin.auth.views.login.csrf_enabled = True