CSRF shouldn’t need a custom root factory or a security policy; the only
requirement for the default CSRF (SessionCSRFStoragePolicy) is a session
factory. If you swap it out for CookieCSRFStoragePolicy, you don’t even need
that.
— Theron
> On May 24, 2021, at 12:40 PM, Zsolt Ero wrote:
>
CSRF has nothing to do with authentication other than that you should rotate it
at login/logout privilege boundaries at the very least.
You can use the CSRF system without configuring a security/auth policy at all.
- Michael
> On May 24, 2021, at 14:40, Zsolt Ero wrote:
>
> Hi Theron,
Hi Theron,
Thanks for your reply. It looks indeed simpler. How much more minimal can I
make it? I definitely want to "circumvent" the whole security system; I'm
perfectly happy with using my new require_admin=True-like options.
I just want CSRF to work and it seems to be dependent on
You may have better luck with the Pyramid 2.0 security system. It’s much
simpler for cases like yours where you don’t need ACL. For example, your
implementation might look like:
    class CustomSecurityPolicy:
        def identity(self, request):
            return request.user
        def
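Filling in the kind of policy Theron sketches, as an added example (not code from the thread or from Pyramid itself): a Pyramid 2.0 ISecurityPolicy with no ACLs, where a view's permission='admin' plays the role of Zsolt's require_admin=True, wired together with CookieCSRFStoragePolicy so no session factory is needed, as Theron and Michael describe. It assumes the application attaches its user object to request.user with id and is_admin attributes; the names RoleSecurityPolicy and make_app are mine, and make_app needs pyramid>=2.0 installed.

```python
class RoleSecurityPolicy:
    """Pyramid 2.0 ISecurityPolicy with no ACLs: the permission name on a
    view (e.g. permission='admin') is simply the role the user must have."""

    def identity(self, request):
        # The app is assumed to attach its user object to request.user
        # (for instance via config.add_request_method); None when anonymous.
        return getattr(request, "user", None)

    def authenticated_userid(self, request):
        user = self.identity(request)
        return None if user is None else user.id

    def permits(self, request, context, permission):
        # Pyramid only checks the result for truthiness, so plain booleans
        # suffice; pyramid.security.Allowed/Denied add a message for debugging.
        user = self.identity(request)
        if user is None:
            return False
        if permission == "admin":
            return bool(getattr(user, "is_admin", False))
        return True  # any signed-in user passes other permissions

    def remember(self, request, userid, **kw):
        # Login state lives in the app's own session, so there are no headers
        # to add. The login view should also rotate the CSRF token at this
        # privilege boundary (pyramid.csrf.new_csrf_token(request)).
        return []

    def forget(self, request, **kw):
        return []


def make_app(settings=None):
    """Wire the policy plus cookie-backed CSRF; needs pyramid>=2.0 installed."""
    from pyramid.config import Configurator
    from pyramid.csrf import CookieCSRFStoragePolicy

    config = Configurator(settings=settings or {})
    config.set_security_policy(RoleSecurityPolicy())
    # The token is stored in a cookie, so no session factory is required.
    config.set_csrf_storage_policy(CookieCSRFStoragePolicy())
    # Reject unsafe-method requests that lack a valid token, app-wide.
    config.set_default_csrf_options(require_csrf=True)
    return config.make_wsgi_app()
```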