Issue 680 Allow decorating views to prevent CSRF protection.
This commit is contained in:
Nathan Yergler
parent
91cf67385a
commit
ca9ebfe2e0
@ -31,6 +31,13 @@ else:
|
|||||||
getrandbits = random.getrandbits
|
getrandbits = random.getrandbits
|
||||||
|
|
||||||
|
|
||||||
|
def csrf_exempt(func):
|
||||||
|
"""Decorate a Controller to exempt it from CSRF protection."""
|
||||||
|
|
||||||
|
func.csrf_enabled = False
|
||||||
|
return func
|
||||||
|
|
||||||
|
|
||||||
class CsrfForm(Form):
|
class CsrfForm(Form):
|
||||||
"""Simple form to handle rendering a CSRF token and confirming it
|
"""Simple form to handle rendering a CSRF token and confirming it
|
||||||
is included in the POST."""
|
is included in the POST."""
|
||||||
@ -75,9 +82,11 @@ class CsrfMeddleware(BaseMeddleware):
|
|||||||
# if this is a non-"safe" request (ie, one that could have
|
# if this is a non-"safe" request (ie, one that could have
|
||||||
# side effects), confirm that the CSRF tokens are present and
|
# side effects), confirm that the CSRF tokens are present and
|
||||||
# valid
|
# valid
|
||||||
if request.method not in self.SAFE_HTTP_METHODS \
|
if (getattr(controller, 'csrf_enabled', True) and
|
||||||
and ('gmg.verify_csrf' in request.environ or
|
request.method not in self.SAFE_HTTP_METHODS and
|
||||||
'paste.testing' not in request.environ):
|
('gmg.verify_csrf' in request.environ or
|
||||||
|
'paste.testing' not in request.environ)
|
||||||
|
):
|
||||||
|
|
||||||
return self.verify_tokens(request)
|
return self.verify_tokens(request)
|
||||||
|
|
||||||
|
|||||||
@ -27,7 +27,7 @@ from mediagoblin import mg_globals
|
|||||||
def test_csrf_cookie_set(test_app):
|
def test_csrf_cookie_set(test_app):
|
||||||
|
|
||||||
cookie_name = mg_globals.app_config['csrf_cookie_name']
|
cookie_name = mg_globals.app_config['csrf_cookie_name']
|
||||||
|
|
||||||
# get login page
|
# get login page
|
||||||
response = test_app.get('/auth/login/')
|
response = test_app.get('/auth/login/')
|
||||||
|
|
||||||
@ -69,3 +69,22 @@ def test_csrf_token_must_match(test_app):
|
|||||||
mg_globals.app_config['csrf_cookie_name'])},
|
mg_globals.app_config['csrf_cookie_name'])},
|
||||||
extra_environ={'gmg.verify_csrf': True}).\
|
extra_environ={'gmg.verify_csrf': True}).\
|
||||||
status_int == 200
|
status_int == 200
|
||||||
|
|
||||||
|
@setup_fresh_app
|
||||||
|
def test_csrf_exempt(test_app):
|
||||||
|
|
||||||
|
# monkey with the views to decorate a known endpoint
|
||||||
|
import mediagoblin.auth.views
|
||||||
|
from mediagoblin.meddleware.csrf import csrf_exempt
|
||||||
|
|
||||||
|
mediagoblin.auth.views.login = csrf_exempt(
|
||||||
|
mediagoblin.auth.views.login
|
||||||
|
)
|
||||||
|
|
||||||
|
# construct a request with no cookie or form token
|
||||||
|
assert test_app.post('/auth/login/',
|
||||||
|
extra_environ={'gmg.verify_csrf': True},
|
||||||
|
expect_errors=False).status_int == 200
|
||||||
|
|
||||||
|
# restore the CSRF protection in case other tests expect it
|
||||||
|
mediagoblin.auth.views.login.csrf_enabled = True
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user