This is an automated email from the ASF dual-hosted git repository. maximebeauchemin pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/incubator-superset.git
The following commit(s) were added to refs/heads/master by this push: new e22aecb Adding hook for CSRF exempting flask views. (#3435) e22aecb is described below commit e22aecb0d1244bae49d3e5b36ef2f9ddc7517c1a Author: fabianmenges <fabianmen...@users.noreply.github.com> AuthorDate: Thu Sep 14 23:54:18 2017 -0400 Adding hook for CSRF exempting flask views. (#3435)
---
 docs/installation.rst | 7 +++++++
 superset/__init__.py | 3 +++
 superset/config.py | 3 +++
 3 files changed, 13 insertions(+)
diff --git a/docs/installation.rst b/docs/installation.rst
index 9cd3de6..1449fb7 100644
--- a/docs/installation.rst
+++ b/docs/installation.rst
@@ -157,6 +157,8 @@ of the parameters you can copy / paste in that configuration module: ::
 # Flask-WTF flag for CSRF
 WTF_CSRF_ENABLED = True
+ # Add endpoints that need to be exempt from CSRF protection
+ WTF_CSRF_EXEMPT_LIST = []
 # Set this API key to enable Mapbox visualizations
 MAPBOX_API_KEY = ''
@@ -172,6 +174,11 @@ Please make sure to change:
 * *SQLALCHEMY_DATABASE_URI*, by default it is stored at *~/.superset/superset.db*
 * *SECRET_KEY*, to a long random string
+In case you need to exempt endpoints from CSRF, e.g. you are running a custom
+auth postback endpoint, you can add them to *WTF_CSRF_EXEMPT_LIST*
+
+ WTF_CSRF_EXEMPT_LIST = ['']
+
 Database dependencies
 ---------------------
diff --git a/superset/__init__.py b/superset/__init__.py
index 2e44ebd..af81248 100644
--- a/superset/__init__.py
+++ b/superset/__init__.py
@@ -83,6 +83,9 @@ db = SQLA(app)
 if conf.get('WTF_CSRF_ENABLED'):
 csrf = CSRFProtect(app)
+ csrf_exempt_list = conf.get('WTF_CSRF_EXEMPT_LIST', [])
+ for ex in csrf_exempt_list:
+ csrf.exempt(ex)
 utils.pessimistic_connection_handling(db.engine)
diff --git a/superset/config.py b/superset/config.py
index 0cbf7d3..d4c019c 100644
--- a/superset/config.py
+++ b/superset/config.py
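Review bot: Nothing in the loop after `csrf = CSRFProtect(app)` records which views were exempted, so a misspelled entry in `WTF_CSRF_EXEMPT_LIST` silently does nothing while a blueprint entry silently drops protection from every route it owns, and an operator cannot reconstruct the effective CSRF surface from the logs either way. I would log each exemption as it is applied, `app.logger.info('CSRF protection exempted for %s', ex)`, inside the loop so the startup log shows exactly what was switched off. Flask-WTF's `exempt()` takes a view function, a blueprint or, if I remember the implementation right, a dotted `module.view` string, and `conf.get()` validates none of these, so a one-line comment above the loop naming the accepted forms would save the next reader a trip into flask_wtf. The `if conf.get('WTF_CSRF_ENABLED'):` block lies entirely within the hunk.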
@@ -75,6 +75,9 @@ QUERY_SEARCH_LIMIT = 1000
 # Flask-WTF flag for CSRF
 WTF_CSRF_ENABLED = True
+# Add endpoints that need to be exempt from CSRF protection
+WTF_CSRF_EXEMPT_LIST = []
+
 # Whether to run the web server in debug mode or not
 DEBUG = False
 FLASK_USE_RELOAD = True
--
To stop receiving notification emails like this one, please contact ['"comm...@superset.apache.org" <comm...@superset.apache.org>'].
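Review bot: The new comment above `WTF_CSRF_EXEMPT_LIST` says what the list is for but not what an entry must look like, and the docs example `['']` in the same commit does not help, since each element is passed straight to `csrf.exempt()` in `superset/__init__.py`. I would reword it to `# Views to exclude from CSRF protection: view functions, blueprints or dotted 'module.view' names as accepted by flask_wtf's CSRFProtect.exempt(); leave empty unless a client genuinely cannot send the token`, hedged on the dotted-string form, which I believe exempt() accepts but have not re-checked here. Spelling out the cost in the comment matters because every entry removes the check for that route, and the default of `[]` is the only setting that keeps the whole app covered.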