authorMichael Merickel <michael@merickel.org>2016-04-10 20:51:23 -0500
committerMichael Merickel <michael@merickel.org>2016-04-10 22:12:38 -0500
commit15b97dc81c8bcdc039f8f2293f85812f68a076da (patch)
tree9b175d678875dd39da592a1ae5bc9e26deedc196
parent6b35eb6ca3b271e2943d37307c925c5733e082d9 (diff)
deprecate the check_csrf predicate
-rw-r--r--docs/narr/sessions.rst4
-rw-r--r--pyramid/config/views.py18
-rw-r--r--pyramid/tests/test_config/test_views.py16
3 files changed, 37 insertions, 1 deletions
diff --git a/docs/narr/sessions.rst b/docs/narr/sessions.rst
index 3baed1cb8..4e8f6db88 100644
--- a/docs/narr/sessions.rst
+++ b/docs/narr/sessions.rst
@@ -430,6 +430,10 @@ resposne being sent to the client.
Checking CSRF Tokens with a View Predicate
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.. deprecated:: 1.7
+ Use the ``require_csrf`` option or read :ref:`auto_csrf_checking` instead
+ to have :class:`pyramid.exceptions.BadCSRFToken` exceptions raised.
+
A convenient way to require a valid CSRF token for a particular view is to
include ``check_csrf=True`` as a view predicate. See
:meth:`pyramid.config.Configurator.add_view`.
diff --git a/pyramid/config/views.py b/pyramid/config/views.py
index 8b066bc1e..6fe31fd4a 100644
--- a/pyramid/config/views.py
+++ b/pyramid/config/views.py
@@ -613,6 +613,11 @@ class ViewsConfiguratorMixin(object):
check_csrf
+ .. deprecated:: 1.7
+ Use the ``require_csrf`` option or see :ref:`auto_csrf_checking`
+ instead to have :class:`pyramid.exceptions.BadCSRFToken`
+ exceptions raised.
+
If specified, this value should be one of ``None``, ``True``,
``False``, or a string representing the 'check name'. If the value
is ``True`` or a string, CSRF checking will be performed. If the
@@ -708,7 +713,18 @@ class ViewsConfiguratorMixin(object):
'Predicate" in the "Hooks" chapter of the documentation '
'for more information.'),
DeprecationWarning,
- stacklevel=4
+ stacklevel=4,
+ )
+
+ if check_csrf is not None:
+ warnings.warn(
+ ('The "check_csrf" argument to Configurator.add_view is '
+ 'deprecated as of Pyramid 1.7. Use the "require_csrf" option '
+ 'instead or see "Checking CSRF Tokens Automatically" in the '
+ '"Sessions" chapter of the documentation for more '
+ 'information.'),
+ DeprecationWarning,
+ stacklevel=4,
)
view = self.maybe_dotted(view)
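Review bot: The new warning in the `if check_csrf is not None:` block tells callers to switch to `require_csrf` but not that the failure behaviour differs, and the block carries no comment explaining it. Going by the docs hunks in this commit, `require_csrf` results in `pyramid.exceptions.BadCSRFToken` being raised, while `check_csrf` is a view predicate and presumably only stops the view from matching, so an application migrating should re-check how a rejected token is handled and logged. I would add a comment above the `if`, e.g. `# check_csrf is a predicate (mismatch => view not matched); require_csrf raises BadCSRFToken instead`, and say the same in the message. Because the test is `is not None`, an explicit `check_csrf=False` also warns; that looks intended but is worth stating in the docstring. The body of add_view starts and ends outside this hunk.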
diff --git a/pyramid/tests/test_config/test_views.py b/pyramid/tests/test_config/test_views.py
index f3c51f985..0bf0bd0b3 100644
--- a/pyramid/tests/test_config/test_views.py
+++ b/pyramid/tests/test_config/test_views.py
@@ -1491,6 +1491,22 @@ class TestViewsConfigurationMixin(unittest.TestCase):
request.upath_info = text_('/')
self._assertNotFound(wrapper, None, request)
+ def test_add_view_with_check_csrf_predicates_match(self):
+ import warnings
+ from pyramid.renderers import null_renderer
+ view = lambda *arg: 'OK'
+ config = self._makeOne(autocommit=True)
+ with warnings.catch_warnings(record=True) as w:
+ warnings.filterwarnings('always')
+ config.add_view(view=view, check_csrf=True, renderer=null_renderer)
+ self.assertEqual(len(w), 1)
+ wrapper = self._getViewCallable(config)
+ request = self._makeRequest(config)
+ request.session = DummySession({'csrf_token': 'foo'})
+ request.params = {'csrf_token': 'foo'}
+ request.headers = {}
+ self.assertEqual(wrapper(None, request), 'OK')
+
def test_add_view_with_custom_predicates_match(self):
import warnings
from pyramid.renderers import null_renderer
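Review bot: `self.assertEqual(len(w), 1)` in `test_add_view_with_check_csrf_predicates_match` only counts recorded warnings, so the test does not prove that the warning is the new check_csrf deprecation. Asserting the category and text would pin it: `self.assertTrue(issubclass(w[0].category, DeprecationWarning))` and `self.assertIn('check_csrf', str(w[0].message))`. The test also exercises only the matching-token path; whether a mismatched token under the deprecated predicate is still rejected is not covered by this hunk, though an existing test outside it may do so.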