2 files changed, 32 insertions, 4 deletions

diff --git a/mediagoblin/meddleware/csrf.py b/mediagoblin/meddleware/csrf.py
index 961fa7a6..16541bee 100644
--- a/mediagoblin/meddleware/csrf.py
+++ b/mediagoblin/meddleware/csrf.py
@@ -31,6 +31,13 @@ else:
     getrandbits = random.getrandbits
 
 
+def csrf_exempt(func):
+    """Decorate a Controller to exempt it from CSRF protection."""
+
+    func.csrf_enabled = False
+    return func
+
+
 class CsrfForm(Form):
     """Simple form to handle rendering a CSRF token and confirming it
     is included in the POST."""
@@ -75,9 +82,11 @@ class CsrfMeddleware(BaseMeddleware):
         # if this is a non-"safe" request (ie, one that could have
         # side effects), confirm that the CSRF tokens are present and
         # valid
-        if request.method not in self.SAFE_HTTP_METHODS \
-            and ('gmg.verify_csrf' in request.environ or
-                 'paste.testing' not in request.environ):
+        if (getattr(controller, 'csrf_enabled', True) and
+            request.method not in self.SAFE_HTTP_METHODS and
+            ('gmg.verify_csrf' in request.environ or
+             'paste.testing' not in request.environ)
+        ):
 
             return self.verify_tokens(request)
 
diff --git a/mediagoblin/tests/test_csrf_middleware.py b/mediagoblin/tests/test_csrf_middleware.py
index 691f10b9..c8fca23a 100644
--- a/mediagoblin/tests/test_csrf_middleware.py
+++ b/mediagoblin/tests/test_csrf_middleware.py
@@ -27,7 +27,7 @@ from mediagoblin import mg_globals
 def test_csrf_cookie_set(test_app):
 
     cookie_name = mg_globals.app_config['csrf_cookie_name']
-    
+
     # get login page
     response = test_app.get('/auth/login/')
 
@@ -69,3 +69,22 @@ def test_csrf_token_must_match(test_app):
                                   mg_globals.app_config['csrf_cookie_name'])},
                          extra_environ={'gmg.verify_csrf': True}).\
                          status_int == 200
+
+@setup_fresh_app
+def test_csrf_exempt(test_app):
+
+    # monkey with the views to decorate a known endpoint
+    import mediagoblin.auth.views
+    from mediagoblin.meddleware.csrf import csrf_exempt
+
+    mediagoblin.auth.views.login = csrf_exempt(
+        mediagoblin.auth.views.login
+    )
+
+    # construct a request with no cookie or form token
+    assert test_app.post('/auth/login/',
+                         extra_environ={'gmg.verify_csrf': True},
+                         expect_errors=False).status_int == 200
+
+    # restore the CSRF protection in case other tests expect it
+    mediagoblin.auth.views.login.csrf_enabled = True