Opened 9 years ago

Last modified 9 years ago

#331 closed defect (FIXED)

Allow prevention of csrf protection

Reported by: Elrond
Owned by: nyergler
Priority: minor
Milestone: 0.2.0
Component: programming

Description

Intro
=====

Sounds strange, right?
Well, if we want to implement most APIs, we need to handle POST
security directly in the views and our current CSRF protection will
interfere.
So we need to disable it on a per-view basis.

How to mark views for disabling csrf protection
===============================================

We have two simple options:

On the view directly
--------------------

::

    def disable_csrf_protection(func):
        # Mark the view so the CSRF middleware can skip it.
        func.no_csrf = True
        return func

    @disable_csrf_protection
    def view(request):
        ...

I prefer this one.

In the Routing tables
---------------------

::

      Route('mediagoblin.auth.resend_verification', '/resend_verification/',
            no_csrf=True,
            controller='mediagoblin.auth.views:resend_activation'),

Middleware needs
================

Currently the middleware (meddleware) handles requests before they
hit routing. So inside the middleware we don't know the routing
table entry / controller.
So we should either add a "post routing" middleware method or move
the current handling a bit down.



Change History (6)

comment:1 Changed 9 years ago by nyergler

Owner: set to Nathan Yergler
Status: New → In Progress

Yes, I deliberately punted on this earlier, although I knew we'd
need it in the future.

I'm going to go with the decorator approach and move around the
meddleware dispatch.



comment:2 Changed 9 years ago by nyergler

Status: In Progress → Resolved

This is ready for merging in
https://gitorious.org/mediagoblin/mediagoblin/merge_requests/32

You can now do something like:

::

    from mediagoblin.meddleware.csrf import csrf_exempt
    
    @csrf_exempt
    def some_controller(request):
        pass
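
The approach settled on in this ticket (a decorator that marks the view, plus a CSRF check that runs after routing, once the controller is known) can be sketched as follows. This is an added example, not MediaGoblin's code: the `Request` class, the `ROUTES` table, the `csrf_token` cookie/field name and the double-submit comparison are assumptions made for illustration.

```python
import hmac

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def csrf_exempt(func):
    """Mark a view as handling its own POST security."""
    func.csrf_exempt = True
    return func

class Request:
    """Hypothetical minimal request object (constructed for this example)."""
    def __init__(self, method, path, cookies=None, form=None):
        self.method = method
        self.path = path
        self.cookies = cookies or {}
        self.form = form or {}

def csrf_ok(request, view):
    """Post-routing check: the resolved view is available here."""
    if request.method in SAFE_METHODS:
        return True
    # Fail closed: only an explicit True marker on the view skips the check.
    if getattr(view, "csrf_exempt", False) is True:
        return True
    # Assumed token scheme: the cookie value must match the form field.
    cookie = request.cookies.get("csrf_token", "")
    field = request.form.get("csrf_token", "")
    return bool(cookie) and hmac.compare_digest(cookie.encode(), field.encode())

def form_view(request):
    return "form saved"

@csrf_exempt
def api_view(request):
    # An exempt view has to authenticate the request itself.
    return "api ok"

ROUTES = {"/submit/": form_view, "/api/submit/": api_view}

def dispatch(request):
    """Route first, then run the CSRF check against the resolved view."""
    view = ROUTES.get(request.path)
    if view is None:
        return 404, "not found"
    if not csrf_ok(request, view):
        return 403, "CSRF check failed"
    return 200, view(request)
```

A wrapper that does not copy the view's attributes (no `functools.wraps`) loses the marker, so the wrapped view falls back to being protected rather than silently exempt.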



comment:3 Changed 9 years ago by Elrond

Status: Resolved → Feedback

We currently use "Feedback" to tell "Someone needs to review and
merge it".
I'll try to review/merge this evening.



comment:4 Changed 9 years ago by nyergler

Ah, I assumed it was managed through open merge requests on
Gitorious. Thanks, Elrond.



comment:5 Changed 9 years ago by Elrond

Milestone: 0.2.0
Status: Feedback → Closed

Merged.
Thanks!

Now we can start implementing some APIs. ;)



comment:6 Changed 9 years ago by Will Kahn-Greene

The original url for this bug was http://bugs.foocorp.net/issues/680 .
