| author | Bert JW Regeer <xistence@0x58.com> | 2016-04-12 20:32:08 -0600 |
|---|---|---|
| committer | Bert JW Regeer <xistence@0x58.com> | 2016-04-12 20:32:08 -0600 |
| commit | d26e3af4b220d3794c8e40103eb8bd86fd68372d (patch) | |
| tree | d7fd2961735f8a5293885d9623abb42c5fcd7f80 /docs/narr/hooks.rst | |
| parent | b1527e793bc101327050370c17e1be698f7192ff (diff) | |
| parent | 231a531fe62b82cd354dd64f5a1ffbab6df14a77 (diff) | |
| download | pyramid-d26e3af4b220d3794c8e40103eb8bd86fd68372d.tar.gz pyramid-d26e3af4b220d3794c8e40103eb8bd86fd68372d.tar.bz2 pyramid-d26e3af4b220d3794c8e40103eb8bd86fd68372d.zip | |
Merge pull request #2413 from mmerickel/feature/require-csrf
require_csrf to replace check_csrf
Diffstat (limited to 'docs/narr/hooks.rst')
| -rw-r--r-- | docs/narr/hooks.rst | 42 |
1 files changed, 6 insertions, 36 deletions
diff --git a/docs/narr/hooks.rst b/docs/narr/hooks.rst index 2c3782387..28d1e09d5 100644 --- a/docs/narr/hooks.rst +++ b/docs/narr/hooks.rst @@ -1590,6 +1590,12 @@ the user-defined :term:`view callable`: This element will also output useful debugging information when ``pyramid.debug_authorization`` is enabled. +``csrf_view`` + + Used to check the CSRF token provided in the request. This element is a + no-op if both the ``require_csrf`` view option and the + ``pyramid.require_default_csrf`` setting are disabled. + ``owrapped_view`` Invokes the wrapped view defined by the ``wrapper`` option. @@ -1656,42 +1662,6 @@ View derivers are unique in that they have access to most of the options passed to :meth:`pyramid.config.Configurator.add_view` in order to decide what to do, and they have a chance to affect every view in the application. -Let's look at one more example which will protect views by requiring a CSRF -token unless ``disable_csrf=True`` is passed to the view: - -.. code-block:: python - :linenos: - - from pyramid.response import Response - from pyramid.session import check_csrf_token - - def require_csrf_view(view, info): - wrapper_view = view - if not info.options.get('disable_csrf', False): - def wrapper_view(context, request): - if request.method == 'POST': - check_csrf_token(request) - return view(context, request) - return wrapper_view - - require_csrf_view.options = ('disable_csrf',) - - config.add_view_deriver(require_csrf_view) - - def protected_view(request): - return Response('protected') - - def unprotected_view(request): - return Response('unprotected') - - config.add_view(protected_view, name='safe') - config.add_view(unprotected_view, name='unsafe', disable_csrf=True) - -Navigating to ``/safe`` with a POST request will then fail when the call to -:func:`pyramid.session.check_csrf_token` raises a -:class:`pyramid.exceptions.BadCSRFToken` exception. However, ``/unsafe`` will -not error. - Ordering View Derivers ~~~~~~~~~~~~~~~~~~~~~~ |
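Review bot: the new ``csrf_view`` entry in the first hunk only says when the deriver does nothing ("a no-op if both the ``require_csrf`` view option and the ``pyramid.require_default_csrf`` setting are disabled"); it should also say what happens when the check runs and fails, because the example being deleted further down in this same file is what named the failure mode (``check_csrf_token`` raising a :class:`pyramid.exceptions.BadCSRFToken` exception) and that information disappears with it. The "both disabled" phrasing also leaves the mixed case undocumented: a reader cannot tell whether an explicit ``require_csrf=False`` on one view overrides ``pyramid.require_default_csrf`` being enabled in the settings, or the reverse. One sentence on precedence and one on the exception raised would make the entry self-contained.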
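Review bot: removing the whole example in the second hunk, rather than replacing it, leaves the paragraph that ends "View derivers are unique in that they have access to most of the options passed to :meth:`pyramid.config.Configurator.add_view`" with no illustration of that mechanism: the ``require_csrf_view.options = ('disable_csrf',)`` declaration and the ``info.options.get('disable_csrf', False)`` lookup were the demonstration of how a deriver declares and reads a custom view option. Since CSRF enforcement is now handled by the built-in ``csrf_view`` deriver, substitute an example that declares a different custom option instead of deleting this one, or at minimum leave a pointer to the ``csrf_view`` entry and the ``require_csrf`` view option that supersede it. Note also that the removed wrapper only checked when ``request.method == 'POST'``; if the built-in deriver covers a different set of methods, the ``csrf_view`` entry added above is where that difference should be stated.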
