id	summary	reporter	owner	description	type	status	priority	milestone	component	resolution	keywords	cc	parents
331	Allow prevention of csrf protection	Elrond	nyergler	"{{{
#!rst
Intro¶
======

Sounds strange, right?
Well, if we want to implement most APIs, we need to handle POST
security directly in the views and our current CSRF protection will
interfere.
So we need to disable it on a pre view basis.

How to mark views for disabling csrf protection¶
================================================

We have two simple options:

On the view directly¶
---------------------

::

    def disable_csrf_protection(func):
        func.no_csrf = True
        return func
    
    @disable_csrf_protection
    def view(...):

I prefer this one.

In the Routing tables¶
----------------------

::

      Route('mediagoblin.auth.resend_verification', '/resend_verification/',
            no_csrf=True,
            controller='mediagoblin.auth.views:resend_activation'),

Middleware needs¶
=================

Currently the middleware (meddleware) handles requests before they
hit routing. So inside the middleware we don't know the routing
table entry / controller.
So we should either add a ""post routing"" middleware method or move
the current handling a bit down.



}}}"	defect	closed	minor	0.2.0	programming	FIXED