Opened 15 years ago

Last modified 15 years ago

#331 closed defect (FIXED)

Allow prevention of csrf protection

Reported by: Elrond
Owned by: nyergler
Priority: minor
Milestone: 0.2.0
Component: programming
Keywords:
Cc:
Parent Tickets:

Description

Intro

Sounds strange, right? Well, if we want to implement most APIs, we need to handle POST security directly in the views and our current CSRF protection will interfere. So we need to disable it on a per-view basis.

How to mark views for disabling csrf protection

We have two simple options:

On the view directly

def disable_csrf_protection(func):
    # Mark the view so the CSRF middleware can skip it
    func.no_csrf = True
    return func

@disable_csrf_protection
def view(request):
    pass

I prefer this one.

In the Routing tables

Route('mediagoblin.auth.resend_verification', '/resend_verification/',
      no_csrf=True,
      controller='mediagoblin.auth.views:resend_activation'),

Middleware needs

Currently the middleware (meddleware) handles requests before they hit routing. So inside the middleware we don't know the routing table entry / controller. So we should either add a "post routing" middleware method or move the current handling a bit down.
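An added sketch, not MediaGoblin's code, of the "post routing" check described under "Middleware needs", using the decorator from the description: routing resolves the view first, and the CSRF check then enforces by default unless the view carries `no_csrf = True`. The dict-shaped requests, the cookie/form token comparison, `ROUTES`, `dispatch`, `csrf_check`, `API_TOKEN` and both sample views are assumptions made for illustration.

```python
import hmac
import secrets

API_TOKEN = secrets.token_urlsafe(16)  # constructed credential for the sample API view

class CsrfError(Exception):
    pass

def disable_csrf_protection(func):
    # Marker decorator as proposed in the ticket
    func.no_csrf = True
    return func

def csrf_check(request, view):
    # Post-routing hook: the controller is known, so its marker can be read.
    # Enforce by default; only an explicit no_csrf = True skips the check.
    if request["method"] != "POST":
        return
    if getattr(view, "no_csrf", False) is True:
        return
    cookie = request.get("cookies", {}).get("csrf_token", "")
    field = request.get("form", {}).get("csrf_token", "")
    if not cookie or not hmac.compare_digest(cookie.encode(), field.encode()):
        raise CsrfError("CSRF token missing or mismatched")

def edit_profile(request):
    # Ordinary view: relies on the middleware's CSRF check
    return "saved"

@disable_csrf_protection
def api_upload(request):
    # An exempt view handles POST security itself, here with a bearer token
    sent = request.get("headers", {}).get("Authorization", "")
    if not hmac.compare_digest(sent.encode(), ("Bearer " + API_TOKEN).encode()):
        return "401 unauthorized"
    return "uploaded"

ROUTES = {"/profile/": edit_profile, "/api/upload/": api_upload}  # constructed

def dispatch(request):
    view = ROUTES[request["path"]]   # 1. routing picks the controller
    csrf_check(request, view)        # 2. CSRF decision is made after routing
    return view(request)             # 3. call the view
```

A view that wraps or replaces the marked function without copying its attributes loses the marker and falls back to enforced CSRF checking, which is the safe direction to fail.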

Change History (6)

comment:1 by nyergler, 15 years ago

Owner: set to Nathan Yergler
Status: New → In Progress

Yes, I deliberately punted on this earlier, although I knew we'd need it in the future.

I'm going to go with the decorator approach and move around the meddleware dispatch.

comment:2 by nyergler, 15 years ago

Status: In Progress → Resolved

This is ready for merging in https://gitorious.org/mediagoblin/mediagoblin/merge_requests/32

You can now do something like:

from mediagoblin.meddleware.csrf import csrf_exempt

@csrf_exempt
def some_controller(request):
    pass

comment:3 by Elrond, 15 years ago

Status: Resolved → Feedback

We currently use "Feedback" to tell "Someone needs to review and merge it". I'll try to review/merge this evening.

comment:4 by nyergler, 15 years ago

Ah, I assumed it was managed through open merge requests on Gitorious. Thanks, Elrond.

comment:5 by Elrond, 15 years ago

Milestone: 0.2.0
Status: Feedback → Closed

Merged. Thanks!

Now we can start implementing some APIs. ;)

comment:6 by Will Kahn-Greene, 14 years ago

The original url for this bug was http://bugs.foocorp.net/issues/680 .
