| author | Michael Merickel <michael@merickel.org> | 2019-10-17 19:25:37 -0500 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-10-17 19:25:37 -0500 |
| commit | 2153b4b878d77aa0cb5b79805dd185d133c26451 (patch) | |
| tree | 51c0724f4633027ed53fb208a9a7af962bc8c153 /docs/narr | |
| parent | 4ec5d21033fbf27b4128feeef8627a7401c71951 (diff) | |
| parent | c67cc8722e3b26b729c3fed75db51395b56ac8a0 (diff) | |
| download | pyramid-2153b4b878d77aa0cb5b79805dd185d133c26451.tar.gz pyramid-2153b4b878d77aa0cb5b79805dd185d133c26451.tar.bz2 pyramid-2153b4b878d77aa0cb5b79805dd185d133c26451.zip | |
Merge pull request #3521 from mmerickel/remove-check-csrf-predicate
remove check_csrf view predicate
Diffstat (limited to 'docs/narr')
| -rw-r--r-- | docs/narr/security.rst | 23 |
| -rw-r--r-- | docs/narr/viewconfig.rst | 22 |
2 files changed, 0 insertions, 45 deletions
diff --git a/docs/narr/security.rst b/docs/narr/security.rst index bea331993..9d45dfb6a 100644 --- a/docs/narr/security.rst +++ b/docs/narr/security.rst @@ -892,26 +892,3 @@ If CSRF checks fail then a :class:`pyramid.exceptions.BadCSRFToken` or exception may be caught and handled by an :term:`exception view` but, by default, will result in a ``400 Bad Request`` response being sent to the client. - -Checking CSRF Tokens with a View Predicate -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. deprecated:: 1.7 - Use the ``require_csrf`` option or read :ref:`auto_csrf_checking` instead - to have :class:`pyramid.exceptions.BadCSRFToken` exceptions raised. - -A convenient way to require a valid CSRF token for a particular view is to -include ``check_csrf=True`` as a view predicate. See -:meth:`pyramid.config.Configurator.add_view`. - -.. code-block:: python - - @view_config(request_method='POST', check_csrf=True, ...) - def myview(request): - # ... - -.. note:: - A mismatch of a CSRF token is treated like any other predicate miss, and the - predicate system, when it doesn't find a view, raises ``HTTPNotFound`` - instead of ``HTTPBadRequest``, so ``check_csrf=True`` behavior is different - from calling :func:`pyramid.csrf.check_csrf_token`. diff --git a/docs/narr/viewconfig.rst b/docs/narr/viewconfig.rst index 465477b4d..6a49e02a5 100644 --- a/docs/narr/viewconfig.rst +++ b/docs/narr/viewconfig.rst 
@@ -479,28 +479,6 @@ configured view. consideration when deciding whether or not to invoke the associated view callable. -``check_csrf`` - If specified, this value should be one of ``None``, ``True``, ``False``, or a - string representing the "check name". If the value is ``True`` or a string, - CSRF checking will be performed. If the value is ``False`` or ``None``, CSRF - checking will not be performed. - - If the value provided is a string, that string will be used as the "check - name". If the value provided is ``True``, ``csrf_token`` will be used as the - check name. - - If CSRF checking is performed, the checked value will be the value of - ``request.POST[check_name]``. This value will be compared against the - value of ``request.session.get_csrf_token()``, and the check will pass if - these two values are the same. If the check passes, the associated view will - be permitted to execute. If the check fails, the associated view will not be - permitted to execute. - - Note that using this feature requires a :term:`session factory` to have been - configured. - - .. versionadded:: 1.4a2 - ``physical_path`` If specified, this value should be a string or a tuple representing the :term:`physical path` of the context found via traversal for this predicate |
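Review bot: the deleted section in ``docs/narr/security.rst`` was the only place that recorded why ``check_csrf=True`` should not be relied on: its ``.. note::`` explains that a token mismatch is treated as a predicate miss and surfaces as ``HTTPNotFound`` rather than the ``400 Bad Request`` that the retained paragraph above the hunk promises for failed CSRF checks. With the section gone, a reader maintaining code that still passes ``check_csrf=True`` has no pointer to the replacement, so add a one-line ``.. versionchanged::`` under the retained CSRF text stating that the predicate has been removed and naming ``require_csrf`` and :ref:`auto_csrf_checking` as the path that makes a failed check a catchable :class:`pyramid.exceptions.BadCSRFToken` instead of a 404.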
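Review bot: the removed ``check_csrf`` entry in ``docs/narr/viewconfig.rst`` carried a ``.. versionadded:: 1.4a2`` marker, but nothing in this hunk records the removal, and because the diffstat is limited to ``docs/narr`` the corresponding changes to :meth:`pyramid.config.Configurator.add_view` and the predicate implementation are not visible here. Confirm those land in the same PR and that a CHANGES entry states that ``check_csrf`` is no longer an accepted ``add_view`` / ``@view_config`` argument, so a stale ``check_csrf=True`` in an application's view configuration is caught at upgrade time rather than discovered only when a CSRF check was expected and did not run. The entry should also direct readers to ``require_csrf``, which the removed text never mentions, and can drop the ``request.POST[check_name]`` / ``request.session.get_csrf_token()`` comparison details since they describe behaviour that no longer exists.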
