Opened 12 years ago

Last modified 12 years ago

#331 closed defect (FIXED)

Allow prevention of csrf protection

Reported by: Elrond Owned by: nyergler
Priority: minor Milestone: 0.2.0
Component: programming Keywords:
Cc: Parent Tickets:



Sounds strange, right?
Well, if we want to implement most APIs, we need to handle POST
security directly in the views and our current CSRF protection will
So we need to disable it on a pre view basis.

How to mark views for disabling csrf protection¶

We have two simple options:

On the view directly¶


    def disable_csrf_protection(func):
        func.no_csrf = True
        return func
    def view(...):

I prefer this one.

In the Routing tables¶


      Route('mediagoblin.auth.resend_verification', '/resend_verification/',

Middleware needs¶

Currently the middleware (meddleware) handles requests before they
hit routing. So inside the middleware we don't know the routing
table entry / controller.
So we should either add a "post routing" middleware method or move
the current handling a bit down.

Change History (6)

comment:1 by nyergler, 12 years ago

Owner: set to Nathan Yergler
Status: NewIn Progress
Yes, I deliberately punted on this earlier, although I knew we'd
need it in the future.

I'm going to go with the decorator approach and move around the
meddleware dispatch.

comment:2 by nyergler, 12 years ago

Status: In ProgressResolved
This is ready for merging in
`\_requests/32 <>`_

You can now do something like:


    from mediagoblin.meddleware.csrf import csrf_exempt
    def some_controller(request):

comment:3 by Elrond, 12 years ago

Status: ResolvedFeedback
We currently use "Feedback" to tell "Someone needs to review and
merge it".
I'll try to review/merge this evening.

comment:4 by nyergler, 12 years ago

Ah, I assumed it was managed through open merge requests on
Gitorious. Thanks, Elrond.

comment:5 by Elrond, 12 years ago

Milestone: 0.2.0
Status: FeedbackClosed

Now we can start implementing some APIs. ;)

comment:6 by Will Kahn-Greene, 12 years ago

The original url for this bug was .

Note: See TracTickets for help on using tickets.