aboutsummaryrefslogtreecommitdiffstats
path: root/mediagoblin/meddleware/csrf.py
diff options
context:
space:
mode:
authorNathan Yergler <nathan@yergler.net>2011-11-26 15:32:35 -0800
committerNathan Yergler <nathan@yergler.net>2011-11-26 15:32:35 -0800
commitca9ebfe2e05c83248d647b442ff29a9758a6a05c (patch)
treecc1a3cf8e6cb20066402e957656e93e061aff573 /mediagoblin/meddleware/csrf.py
parent91cf67385a78a59af7874df327b96f7ea0b4259b (diff)
downloadmediagoblin-ca9ebfe2e05c83248d647b442ff29a9758a6a05c.tar.lz
mediagoblin-ca9ebfe2e05c83248d647b442ff29a9758a6a05c.tar.xz
mediagoblin-ca9ebfe2e05c83248d647b442ff29a9758a6a05c.zip
Issue 680 Allow decorating views to prevent CSRF protection.
Diffstat (limited to 'mediagoblin/meddleware/csrf.py')
-rw-r--r--mediagoblin/meddleware/csrf.py15
1 files changed, 12 insertions, 3 deletions
diff --git a/mediagoblin/meddleware/csrf.py b/mediagoblin/meddleware/csrf.py
index 961fa7a6..16541bee 100644
--- a/mediagoblin/meddleware/csrf.py
+++ b/mediagoblin/meddleware/csrf.py
@@ -31,6 +31,13 @@ else:
getrandbits = random.getrandbits
+def csrf_exempt(func):
+ """Decorate a Controller to exempt it from CSRF protection."""
+
+ func.csrf_enabled = False
+ return func
+
+
class CsrfForm(Form):
"""Simple form to handle rendering a CSRF token and confirming it
is included in the POST."""
@@ -75,9 +82,11 @@ class CsrfMeddleware(BaseMeddleware):
# if this is a non-"safe" request (ie, one that could have
# side effects), confirm that the CSRF tokens are present and
# valid
- if request.method not in self.SAFE_HTTP_METHODS \
- and ('gmg.verify_csrf' in request.environ or
- 'paste.testing' not in request.environ):
+ if (getattr(controller, 'csrf_enabled', True) and
+ request.method not in self.SAFE_HTTP_METHODS and
+ ('gmg.verify_csrf' in request.environ or
+ 'paste.testing' not in request.environ)
+ ):
return self.verify_tokens(request)
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-08 05:24:25 +0000