getrandbits = random.getrandbits
+def csrf_exempt(func):
+ """Decorate a Controller to exempt it from CSRF protection."""
+
+ func.csrf_enabled = False
+ return func
+
+
class CsrfForm(Form):
"""Simple form to handle rendering a CSRF token and confirming it
is included in the POST."""
# if this is a non-"safe" request (ie, one that could have
# side effects), confirm that the CSRF tokens are present and
# valid
- if request.method not in self.SAFE_HTTP_METHODS \
- and ('gmg.verify_csrf' in request.environ or
- 'paste.testing' not in request.environ):
+ if (getattr(controller, 'csrf_enabled', True) and
+ request.method not in self.SAFE_HTTP_METHODS and
+ ('gmg.verify_csrf' in request.environ or
+ 'paste.testing' not in request.environ)
+ ):
return self.verify_tokens(request)
def test_csrf_cookie_set(test_app):
cookie_name = mg_globals.app_config['csrf_cookie_name']
-
+
# get login page
response = test_app.get('/auth/login/')
mg_globals.app_config['csrf_cookie_name'])},
extra_environ={'gmg.verify_csrf': True}).\
status_int == 200
+
+@setup_fresh_app
+def test_csrf_exempt(test_app):
+
+ # monkey with the views to decorate a known endpoint
+ import mediagoblin.auth.views
+ from mediagoblin.meddleware.csrf import csrf_exempt
+
+ mediagoblin.auth.views.login = csrf_exempt(
+ mediagoblin.auth.views.login
+ )
+
+ # construct a request with no cookie or form token
+ assert test_app.post('/auth/login/',
+ extra_environ={'gmg.verify_csrf': True},
+ expect_errors=False).status_int == 200
+
+ # restore the CSRF protection in case other tests expect it
+ mediagoblin.auth.views.login.csrf_enabled = True
projects / mediagoblin.git / commitdiff