Add global CSRF protection

This commit is contained in:
Lance Edgar 2016-12-14 18:37:17 -06:00
parent ab09314ed3
commit 4ed522ae47
15 changed files with 28 additions and 22 deletions


@ -28,7 +28,7 @@ from __future__ import unicode_literals, absolute_import
from formencode import Schema
from .core import Form, Field, FieldSet, GenericFieldSet, invalid_csrf_token
from .core import Form, Field, FieldSet, GenericFieldSet
from .simpleform import SimpleForm, FormRenderer
from .alchemy import AlchemyForm
from .fields import AssociationProxyField


@ -33,7 +33,6 @@ from pyramid.renderers import render
from webhelpers.html import HTML, tags
from tailbone.db import Session
from tailbone.forms import invalid_csrf_token
class TemplateEngine(fa.templates.TemplateEngine):
@ -114,8 +113,5 @@ class AlchemyForm(Object):
self.session.flush()
def validate(self):
if invalid_csrf_token(self.request):
self.request.session.flash("Invalid CSRF token", 'error')
return False
self.fieldset.rebind(data=self.request.params)
return self.fieldset.validate()
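Review bot: After this hunk `AlchemyForm.validate` rebinds and validates any POST with no token check at all — the three removed lines were the only place the token was verified — so the change is only safe if the global protection the commit title refers to is registered in one of the files not shown in this chunk; the same dependency applies to the `SimpleForm.validate` hunk in simpleform.py and to the removal of `invalid_csrf_token` from core.py, and I would confirm it before merging rather than infer it from the title. The removed helper compared the `_csrf` form field against `request.session.get_csrf_token()` and only for `POST`, so whatever replaces it needs to read the same field name the templates still emit and should also cover the other unsafe methods (PUT, PATCH, DELETE). If the replacement is Pyramid's `config.set_default_csrf_options(require_csrf=True)`, its default token parameter is `csrf_token`, not `_csrf`, so either pass `token='_csrf'` or rename the hidden field in the templates, otherwise every form submission is rejected. A short comment on the method would save the next reader from wondering where the check went, e.g. `# CSRF is enforced globally (configured in <PLACEHOLDER: module where the csrf policy is set>), not per form`. The enclosing class `AlchemyForm` starts outside the hunk.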


@ -33,17 +33,6 @@ from formalchemy.helpers import content_tag
from pyramid.renderers import render
def invalid_csrf_token(request):
"""
Returns boolean indicating whether the given request has an *invalid* CSRF token.
"""
if request.method == 'POST':
csrf_token = request.session.get_csrf_token()
if request.POST.get('_csrf') != csrf_token:
return True
return False
class Form(object):
"""
Base class for all forms.


@ -33,7 +33,7 @@ from pyramid_simpleform import renderers
from webhelpers.html import tags
from webhelpers.html import HTML
from tailbone.forms import Form, invalid_csrf_token
from tailbone.forms import Form
class SimpleForm(Form):
@ -53,9 +53,6 @@ class SimpleForm(Form):
return super(SimpleForm, self).render(**kwargs)
def validate(self):
if invalid_csrf_token(self.request):
self.request.session.flash("Invalid CSRF token", 'error')
return False
return self._form.validate()