| author | Dariusz Górecki <darek.krk@gmail.com> | 2016-07-15 17:21:44 +0100 |
|---|---|---|
| committer | Dariusz Górecki <darek.krk@gmail.com> | 2016-07-15 17:21:44 +0100 |
| commit | d54e0ae42b0289df89b5b73722d5c11d0f13a8ba (patch) | |
| tree | ef4aaf5781ccdc22323476ec5407dc4112b33d7e /docs/narr/viewconfig.rst | |
| parent | 744bf0565a15a40f5c04cc8b0c1fe84a2ca489da (diff) | |
| parent | 37d124e64268be3a1fb82bed78c6c45eeee52140 (diff) | |
| download | pyramid-d54e0ae42b0289df89b5b73722d5c11d0f13a8ba.tar.gz pyramid-d54e0ae42b0289df89b5b73722d5c11d0f13a8ba.tar.bz2 pyramid-d54e0ae42b0289df89b5b73722d5c11d0f13a8ba.zip | |
Merge upstream master
Diffstat (limited to 'docs/narr/viewconfig.rst')
| -rw-r--r-- | docs/narr/viewconfig.rst | 32 |
1 files changed, 31 insertions, 1 deletions
diff --git a/docs/narr/viewconfig.rst b/docs/narr/viewconfig.rst index 0bd52b6e2..cd5b8feb0 100644 --- a/docs/narr/viewconfig.rst +++ b/docs/narr/viewconfig.rst @@ -192,6 +192,36 @@ Non-Predicate Arguments only influence ``Cache-Control`` headers, pass a tuple as ``http_cache`` with the first element of ``None``, i.e., ``(None, {'public':True})``. + +``require_csrf`` + + CSRF checks will affect any request method that is not defined as a "safe" + method by RFC2616. In pratice this means that GET, HEAD, OPTIONS, and TRACE + methods will pass untouched and all others methods will require CSRF. This + option is used in combination with the ``pyramid.require_default_csrf`` + setting to control which request parameters are checked for CSRF tokens. + + This feature requires a configured :term:`session factory`. + + If this option is set to ``True`` then CSRF checks will be enabled for POST + requests to this view. The required token will be whatever was specified by + the ``pyramid.require_default_csrf`` setting, or will fallback to + ``csrf_token``. + + If this option is set to a string then CSRF checks will be enabled and it + will be used as the required token regardless of the + ``pyramid.require_default_csrf`` setting. + + If this option is set to ``False`` then CSRF checks will be disabled + regardless of the ``pyramid.require_default_csrf`` setting. + + In addition, if this option is set to ``True`` or a string then CSRF origin + checking will be enabled. + + See :ref:`auto_csrf_checking` for more information. + + .. versionadded:: 1.7 + ``wrapper`` The :term:`view name` of a different :term:`view configuration` which will receive the response body of this view as the ``request.wrapped_body`` 
@@ -433,7 +463,7 @@ configured view. check name. If CSRF checking is performed, the checked value will be the value of - ``request.params[check_name]``. This value will be compared against the + ``request.POST[check_name]``. This value will be compared against the value of ``request.session.get_csrf_token()``, and the check will pass if these two values are the same. If the check passes, the associated view will be permitted to execute. If the check fails, the associated view will not be |
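Review bot: In the new ``require_csrf`` section the scope statement is inconsistent: the opening paragraph says every non-safe method (anything other than GET, HEAD, OPTIONS, TRACE) requires CSRF, but the ``True`` paragraph narrows it to "CSRF checks will be enabled for POST requests to this view". Reword the latter to "for any request whose method is not a safe method" so readers do not conclude that PUT, DELETE or PATCH are exempt. Minor wording fixes in the same hunk: "In pratice" should be "In practice", "all others methods" should be "all other methods", and "will fallback to" should be "will fall back to".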
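Review bot: Switching the checked value from ``request.params[check_name]`` to ``request.POST[check_name]`` changes behaviour, not just wording: a token submitted in the query string is no longer accepted, only one in the form body. That is a sensible tightening (tokens in URLs end up in logs and Referer headers), but the doc should state it explicitly so applications that currently send the token as a query parameter know the check will start failing. The new ``require_csrf`` section in the previous hunk still says the setting controls "which request parameters are checked for CSRF tokens"; align it with this hunk by saying the token is read from the POST body under that name.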
