Merge remote branch 'remotes/nyergler/issue-680-csrf-optout'

* remotes/nyergler/issue-680-csrf-optout:
  Issue 680 Allow decorating views to prevent CSRF protection.
  Issue 680: Dispatch meddleware request processing post-routing

1 files changed, 13 insertions, 4 deletions

diff --git a/mediagoblin/meddleware/csrf.py b/mediagoblin/meddleware/csrf.py
index ca2eca5f..16541bee 100644
--- a/mediagoblin/meddleware/csrf.py
+++ b/mediagoblin/meddleware/csrf.py
@@ -31,6 +31,13 @@ else:
     getrandbits = random.getrandbits
 
 
+def csrf_exempt(func):
+    """Decorate a Controller to exempt it from CSRF protection."""
+
+    func.csrf_enabled = False
+    return func
+
+
 class CsrfForm(Form):
     """Simple form to handle rendering a CSRF token and confirming it
     is included in the POST."""
@@ -58,7 +65,7 @@ class CsrfMeddleware(BaseMeddleware):
     CSRF_KEYLEN = 64
     SAFE_HTTP_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")
 
-    def process_request(self, request):
+    def process_request(self, request, controller):
         """For non-safe requests, confirm that the tokens are present
         and match.
         """
@@ -75,9 +82,11 @@ class CsrfMeddleware(BaseMeddleware):
         # if this is a non-"safe" request (ie, one that could have
         # side effects), confirm that the CSRF tokens are present and
         # valid
-        if request.method not in self.SAFE_HTTP_METHODS \
-            and ('gmg.verify_csrf' in request.environ or
-                 'paste.testing' not in request.environ):
+        if (getattr(controller, 'csrf_enabled', True) and
+            request.method not in self.SAFE_HTTP_METHODS and
+            ('gmg.verify_csrf' in request.environ or
+             'paste.testing' not in request.environ)
+        ):
 
             return self.verify_tokens(request)