Opened 15 years ago
Last modified 15 years ago
#331 closed defect (FIXED)
Allow prevention of csrf protection
| Reported by: | Elrond | Owned by: | nyergler |
|---|---|---|---|
| Priority: | minor | Milestone: | 0.2.0 |
| Component: | programming | Keywords: | |
| Cc: | Parent Tickets: |
Description
Intro¶
Sounds strange, right? Well, if we want to implement most APIs, we need to handle POST security directly in the views and our current CSRF protection will interfere. So we need to disable it on a pre view basis.
How to mark views for disabling csrf protection¶
We have two simple options:
On the view directly¶
def disable_csrf_protection(func):
func.no_csrf = True
return func
@disable_csrf_protection
def view(...):
I prefer this one.
In the Routing tables¶
Route('mediagoblin.auth.resend_verification', '/resend_verification/',
no_csrf=True,
controller='mediagoblin.auth.views:resend_activation'),
Middleware needs¶
Currently the middleware (meddleware) handles requests before they hit routing. So inside the middleware we don't know the routing table entry / controller. So we should either add a "post routing" middleware method or move the current handling a bit down.
Change History (6)
comment:1 by , 15 years ago
| Owner: | set to |
|---|---|
| Status: | New → In Progress |
comment:2 by , 15 years ago
| Status: | In Progress → Resolved |
|---|
This is ready for merging in https://gitorious.org/mediagoblin/mediagoblin/merge_requests/32
You can now do something like:
from mediagoblin.meddleware.csrf import csrf_exempt
@csrf_exempt
def some_controller(request):
pass
comment:3 by , 15 years ago
| Status: | Resolved → Feedback |
|---|
We currently use "Feedback" to tell "Someone needs to review and merge it". I'll try to review/merge this evening.
comment:4 by , 15 years ago
Ah, I assumed it was managed through open merge requests on Gitorious. Thanks, Elrond.
comment:5 by , 15 years ago
| Milestone: | → 0.2.0 |
|---|---|
| Status: | Feedback → Closed |
Merged. Thanks!
Now we can start implementing some APIs. ;)

Yes, I deliberately punted on this earlier, although I knew we'd need it in the future.
I'm going to go with the decorator approach and move around the meddleware dispatch.