diff options
Diffstat (limited to 'mediagoblin/meddleware')
| -rw-r--r-- | mediagoblin/meddleware/__init__.py | 2 | ||||
| -rw-r--r-- | mediagoblin/meddleware/csrf.py | 17 | ||||
| -rw-r--r-- | mediagoblin/meddleware/noop.py | 3 |
3 files changed, 16 insertions, 6 deletions
diff --git a/mediagoblin/meddleware/__init__.py b/mediagoblin/meddleware/__init__.py index 729a020d..7ba70d87 100644 --- a/mediagoblin/meddleware/__init__.py +++ b/mediagoblin/meddleware/__init__.py @@ -25,7 +25,7 @@ class BaseMeddleware(object): def __init__(self, mg_app): self.app = mg_app - def process_request(self, request): + def process_request(self, request, controller): pass def process_response(self, request, response): diff --git a/mediagoblin/meddleware/csrf.py b/mediagoblin/meddleware/csrf.py index ca2eca5f..16541bee 100644 --- a/mediagoblin/meddleware/csrf.py +++ b/mediagoblin/meddleware/csrf.py @@ -31,6 +31,13 @@ else: getrandbits = random.getrandbits +def csrf_exempt(func): + """Decorate a Controller to exempt it from CSRF protection.""" + + func.csrf_enabled = False + return func + + class CsrfForm(Form): """Simple form to handle rendering a CSRF token and confirming it is included in the POST.""" @@ -58,7 +65,7 @@ class CsrfMeddleware(BaseMeddleware): CSRF_KEYLEN = 64 SAFE_HTTP_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE") - def process_request(self, request): + def process_request(self, request, controller): """For non-safe requests, confirm that the tokens are present and match. """ @@ -75,9 +82,11 @@ class CsrfMeddleware(BaseMeddleware): # if this is a non-"safe" request (ie, one that could have # side effects), confirm that the CSRF tokens are present and # valid - if request.method not in self.SAFE_HTTP_METHODS \ - and ('gmg.verify_csrf' in request.environ or - 'paste.testing' not in request.environ): + if (getattr(controller, 'csrf_enabled', True) and + request.method not in self.SAFE_HTTP_METHODS and + ('gmg.verify_csrf' in request.environ or + 'paste.testing' not in request.environ) + ): return self.verify_tokens(request) diff --git a/mediagoblin/meddleware/noop.py b/mediagoblin/meddleware/noop.py index b43053de..f5376494 100644 --- a/mediagoblin/meddleware/noop.py +++ b/mediagoblin/meddleware/noop.py @@ -19,7 +19,8 @@ from mediagoblin.meddleware import BaseMeddleware class NoOpMeddleware(BaseMeddleware): - def process_request(self, request): + + def process_request(self, request, controller): pass def process_response(self, request, response): |