This is an automated email from the ASF dual-hosted git repository.

maximebeauchemin pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-superset.git


The following commit(s) were added to refs/heads/master by this push:
     new e22aecb  Adding hook for CSRF exempting flask views. (#3435)
e22aecb is described below

commit e22aecb0d1244bae49d3e5b36ef2f9ddc7517c1a
Author: fabianmenges <fabianmen...@users.noreply.github.com>
AuthorDate: Thu Sep 14 23:54:18 2017 -0400

    Adding hook for CSRF exempting flask views. (#3435)
---
 docs/installation.rst | 7 +++++++
 superset/__init__.py  | 3 +++
 superset/config.py    | 3 +++
 3 files changed, 13 insertions(+)

diff --git a/docs/installation.rst b/docs/installation.rst
index 9cd3de6..1449fb7 100644
--- a/docs/installation.rst
+++ b/docs/installation.rst
@@ -157,6 +157,8 @@ of the parameters you can copy / paste in that 
configuration module: ::
 
     # Flask-WTF flag for CSRF
     WTF_CSRF_ENABLED = True
+    # Add endpoints that need to be exempt from CSRF protection
+    WTF_CSRF_EXEMPT_LIST = []
 
     # Set this API key to enable Mapbox visualizations
     MAPBOX_API_KEY = ''
@@ -172,6 +174,11 @@ Please make sure to change:
 * *SQLALCHEMY_DATABASE_URI*, by default it is stored at 
*~/.superset/superset.db*
 * *SECRET_KEY*, to a long random string
 
+In case you need to exempt endpoints from CSRF, e.g. you are running a custom
+auth postback endpoint, you can add them to *WTF_CSRF_EXEMPT_LIST*
+
+     WTF_CSRF_EXEMPT_LIST = ['']
+
 Database dependencies
 ---------------------
 
diff --git a/superset/__init__.py b/superset/__init__.py
index 2e44ebd..af81248 100644
--- a/superset/__init__.py
+++ b/superset/__init__.py
@@ -83,6 +83,9 @@ db = SQLA(app)
 
 if conf.get('WTF_CSRF_ENABLED'):
     csrf = CSRFProtect(app)
+    csrf_exempt_list = conf.get('WTF_CSRF_EXEMPT_LIST', [])
+    for ex in csrf_exempt_list:
+        csrf.exempt(ex)
 
 utils.pessimistic_connection_handling(db.engine)
 
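Review bot: Each entry in `csrf_exempt_list` switches off a security control on the `csrf.exempt(ex)` line, yet nothing in the hunk records that at startup or checks that the setting has the expected shape; a bare string in the config (`WTF_CSRF_EXEMPT_LIST = 'superset.views.foo'`) would be iterated character by character and register one-letter exemptions that match no view, so the misconfiguration would pass unnoticed. Reject non-sequence values and log every exemption through `app.logger`, so an operator reading the startup log can see which endpoints run without CSRF protection. `app` is in scope from the `CSRFProtect(app)` call; the module continues outside the hunk.
```python
    csrf = CSRFProtect(app)
    csrf_exempt_list = conf.get('WTF_CSRF_EXEMPT_LIST', [])
    if not isinstance(csrf_exempt_list, (list, tuple)):
        raise TypeError('WTF_CSRF_EXEMPT_LIST must be a list of views')
    for ex in csrf_exempt_list:
        # Each exemption widens the attack surface; make it visible at startup.
        app.logger.warning('CSRF protection disabled for %s', ex)
        csrf.exempt(ex)
```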
diff --git a/superset/config.py b/superset/config.py
index 0cbf7d3..d4c019c 100644
--- a/superset/config.py
+++ b/superset/config.py
@@ -75,6 +75,9 @@ QUERY_SEARCH_LIMIT = 1000
 # Flask-WTF flag for CSRF
 WTF_CSRF_ENABLED = True
 
+# Add endpoints that need to be exempt from CSRF protection
+WTF_CSRF_EXEMPT_LIST = []
+
 # Whether to run the web server in debug mode or not
 DEBUG = False
 FLASK_USE_RELOAD = True
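Review bot: The comment above the new `WTF_CSRF_EXEMPT_LIST` setting says neither what an entry looks like nor what enabling one costs, which matters for a setting that disables a protection. Flask-WTF's `CSRFProtect.exempt()` accepts a view function, a blueprint or a dotted `'module.view'` string, so the comment should spell that out, e.g. `# Views to exclude from CSRF protection: view functions, blueprints or dotted 'module.view' strings as accepted by CSRFProtect.exempt(); each entry disables CSRF checks for that endpoint, so keep this list minimal`.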
