Legacy issue tracker

You are currently viewing the legacy bug tracker for MediaGoblin. We have now switched to code hosting and issue tracking at SourceHut.

This legacy issue tracker remains available to allow us to reference old issues. If you find a ticket here which is still relevant, please feel free to continue the discussion. For new issues, please use SourceHut.

Context Navigation

← Previous Ticket
Next Ticket →

Opened 13 years ago

Last modified 13 years ago

#331 closed defect (FIXED)

Allow prevention of csrf protection

Reported by:	Elrond	Owned by:	nyergler
Priority:	minor	Milestone:	0.2.0
Component:	programming	Keywords:
Cc:		Parent Tickets:

Description

Intro¶
======

Sounds strange, right?
Well, if we want to implement most APIs, we need to handle POST
security directly in the views and our current CSRF protection will
interfere.
So we need to disable it on a pre view basis.

How to mark views for disabling csrf protection¶
================================================

We have two simple options:

On the view directly¶
---------------------

::

    def disable_csrf_protection(func):
        func.no_csrf = True
        return func
    
    @disable_csrf_protection
    def view(...):

I prefer this one.

In the Routing tables¶
----------------------

::

      Route('mediagoblin.auth.resend_verification', '/resend_verification/',
            no_csrf=True,
            controller='mediagoblin.auth.views:resend_activation'),

Middleware needs¶
=================

Currently the middleware (meddleware) handles requests before they
hit routing. So inside the middleware we don't know the routing
table entry / controller.
So we should either add a "post routing" middleware method or move
the current handling a bit down.

Change History (6)

comment:1 by nyergler, 13 years ago

Owner:	set to Nathan Yergler
Status:	New → In Progress

Yes, I deliberately punted on this earlier, although I knew we'd
need it in the future.

I'm going to go with the decorator approach and move around the
meddleware dispatch.

comment:2 by nyergler, 13 years ago

Status:	In Progress → Resolved

This is ready for merging in
`https://gitorious.org/mediagoblin/mediagoblin/merge\_requests/32 <https://gitorious.org/mediagoblin/mediagoblin/merge_requests/32>`_

You can now do something like:

::

    from mediagoblin.meddleware.csrf import csrf_exempt
    
    @csrf_exempt
    def some_controller(request):
        pass

comment:3 by Elrond, 13 years ago

Status:	Resolved → Feedback

We currently use "Feedback" to tell "Someone needs to review and
merge it".
I'll try to review/merge this evening.

comment:4 by nyergler, 13 years ago

Ah, I assumed it was managed through open merge requests on
Gitorious. Thanks, Elrond.

comment:5 by Elrond, 13 years ago

Milestone:	→ 0.2.0
Status:	Feedback → Closed

Merged.
Thanks!

Now we can start implementing some APIs. ;)

comment:6 by Will Kahn-Greene, 13 years ago

The original url for this bug was http://bugs.foocorp.net/issues/680 .

Note: See TracTickets for help on using tickets.

Download in other formats: