Re: how to exclude some views from csrf checking
http://thesoftwarestudio.com/apex/options.html

apex.no_csrf = OPTIONAL, a colon-separated list of route names that should NOT be subject to CSRF tests.

After a bit of back and forth with Pyramid and the way the event fires off, a decorator with the current CSRF check won't work. I've got to dig deeper into Pyramid to find an alternate, more correct solution.

--
You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
To post to this group, send email to pylons-discuss@googlegroups.com.
To unsubscribe from this group, send email to pylons-discuss+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/pylons-discuss?hl=en.
Re: how to exclude some views from csrf checking
matched_route has been around since at least 1.0. It's only "not None" if using url dispatch. Also, it's a failed attempt at a fix anyway, because now I remember that it isn't populated until after the NewRequest subscriber has been called. Perhaps you should place your CSRF checks on a ContextFound subscriber instead.

-- Michael
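An added example, not apex's code and not code from any poster in this thread, putting the two suggestions above together: the CSRF check runs from a ContextFound subscriber (so request.matched_route is populated under URL dispatch), and route names listed in a colon-separated apex.no_csrf setting are skipped. The helper names (parse_no_csrf, route_is_exempt, csrf_ok, make_request, check) and the constructed fake requests are assumptions of this example. Two choices worth noting from a defender's standpoint: a request with no matched route (traversal, or a subscriber fired too early) is still checked rather than exempted, and the token comparison uses hmac.compare_digest instead of `!=`.

```python
"""
Route-aware CSRF validation for a Pyramid ContextFound subscriber.

Constructed example. Assumptions not taken from the thread: the
exemption list lives in request.registry.settings['apex.no_csrf']
(colon-separated route names) and the subscriber is registered with
    config.add_subscriber(csrf_validation, 'pyramid.events.ContextFound')
so that request.matched_route is already set when it runs.
"""
import hmac
from types import SimpleNamespace

try:
    from pyramid.httpexceptions import HTTPForbidden
except ImportError:  # let the example run where Pyramid is not installed
    class HTTPForbidden(Exception):
        pass


def parse_no_csrf(settings):
    """Turn the colon-separated apex.no_csrf value into a set of route names."""
    raw = settings.get('apex.no_csrf', '') or ''
    return {name.strip() for name in raw.split(':') if name.strip()}


def route_is_exempt(request, exempt):
    """Exempt only when a route matched AND its name is on the list.

    matched_route is None under traversal or when the subscriber fires
    before routing; in that case we fail closed and keep checking.
    """
    route = getattr(request, 'matched_route', None)
    return route is not None and route.name in exempt


def csrf_ok(request):
    """True if the submitted token equals the session token (constant time)."""
    token = request.POST.get('csrf_token') or request.GET.get('csrf_token')
    if token is None:
        return False
    expected = request.session.get_csrf_token()
    return hmac.compare_digest(str(token), str(expected))


def csrf_validation(event):
    """ContextFound subscriber: reject POSTs without a valid token,
    except for routes named in apex.no_csrf."""
    request = event.request
    if request.method != 'POST':
        return
    exempt = parse_no_csrf(request.registry.settings)
    if route_is_exempt(request, exempt):
        return
    if not csrf_ok(request):
        raise HTTPForbidden('CSRF token is missing or invalid')


# --- constructed stand-ins for Pyramid objects, for offline demonstration ---

def make_request(method, route_name, post=None, get=None,
                 session_token='s3cret', no_csrf=''):
    """Build a fake request; route_name=None models 'no route matched'."""
    route = SimpleNamespace(name=route_name) if route_name else None
    return SimpleNamespace(
        method=method,
        matched_route=route,
        POST=post or {},
        GET=get or {},
        session=SimpleNamespace(get_csrf_token=lambda: session_token),
        registry=SimpleNamespace(settings={'apex.no_csrf': no_csrf}),
    )


def check(request):
    """Run the subscriber on a request; True if allowed, False if rejected."""
    try:
        csrf_validation(SimpleNamespace(request=request))
    except HTTPForbidden:
        return False
    return True


if __name__ == '__main__':
    cases = {
        'POST to exempt rpc route, no token': make_request('POST', 'rpc', no_csrf='rpc:health'),
        'POST to login, no token': make_request('POST', 'login', no_csrf='rpc:health'),
        'POST to login, valid token': make_request('POST', 'login', post={'csrf_token': 's3cret'}),
        'POST to login, wrong token': make_request('POST', 'login', post={'csrf_token': 'wrong'}),
        'POST with no matched route': make_request('POST', None, no_csrf='rpc'),
        'GET to login': make_request('GET', 'login'),
    }
    for label, req in cases.items():
        print(f'{label:40s} -> {"allowed" if check(req) else "403"}')
```

The exemption list is read per request so it can stay in the deployment .ini; if that lookup is too hot, compute it once at configuration time and close over it in the subscriber.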
Re: how to exclude some views from csrf checking
On Sep 26, 1:58 pm, Michael Merickel wrote:
> Likely you will need to add some code to the "csrf_validation" function to
> exclude the RPC URL. For example:
>
>     def csrf_validation(event):
>         """ CSRF token exposed to templates
>         """
>         request = event.request
>         if request.matched_route.name != 'MYRPCROUTENAME' and request.method == 'POST':

What version of pyramid supports matched_route? I've tested a few versions, even 1.2.1, but it always returns None (if specified with .name, I get AttributeError: 'NoneType' object has no attribute 'name'). Is this in a development version? If so, when will that be released?
Re: how to exclude some views from csrf checking
thanks a lot!

On Thu, Sep 29, 2011 at 5:29 AM, cd34 wrote:
> On Sep 24, 7:29 am, Viktor Nagy wrote:
> > I'm building a site that uses apex for site-wide auth functionalities, and
> > would like to use pyramid_rpc for amf gatewaying. But apex adds csrf
> > checking for every POST request.
>
> I've entered this on the issues and will have a suitable fix in the
> next day or two for this.
Re: how to exclude some views from csrf checking
On Sep 24, 7:29 am, Viktor Nagy wrote:
> I'm building a site that uses apex for site-wide auth functionalities, and
> would like to use pyramid_rpc for amf gatewaying. But apex adds csrf
> checking for every POST request.

I've entered this on the issues and will have a suitable fix in the next day or two for this.
Re: how to exclude some views from csrf checking
Likely you will need to add some code to the "csrf_validation" function to exclude the RPC URL. For example:

    from pyramid.httpexceptions import HTTPForbidden

    def csrf_validation(event):
        """ CSRF token exposed to templates
        """
        request = event.request
        if request.matched_route.name != 'MYRPCROUTENAME' and request.method == 'POST':
            token = request.POST.get('csrf_token') or request.GET.get('csrf_token')
            if token is None or token != request.session.get_csrf_token():
                raise HTTPForbidden(_('CSRF token is missing or invalid'))

-- Michael
how to exclude some views from csrf checking
hi,

I'm building a site that uses apex for site-wide auth functionalities, and would like to use pyramid_rpc for amf gatewaying. But apex adds csrf checking for every POST request. Is there a way to exclude some routes/views from an event handling method?

The apex code is this:

    config.add_subscriber('apex.lib.subscribers.csrf_validation',
                          'pyramid.events.NewRequest')

and then

    from pyramid.httpexceptions import HTTPForbidden

    def csrf_validation(event):
        """ CSRF token exposed to templates
        """
        if event.request.method == 'POST':
            token = event.request.POST.get('csrf_token') or event.request.GET.get('csrf_token')
            if token is None or token != event.request.session.get_csrf_token():
                raise HTTPForbidden(_('CSRF token is missing or invalid'))

Viktor