diff options
| author | Chris McDonough <chrism@plope.com> | 2012-09-19 04:46:01 -0400 |
|---|---|---|
| committer | Chris McDonough <chrism@plope.com> | 2012-09-19 04:46:01 -0400 |
| commit | 643a83473a6faabd0ff08547a0cbca09e9cdda1c (patch) | |
| tree | 1825c27d957beff5509940215efbf97931dbe9af /docs/narr | |
| parent | c5680bbd7850c917ba1f1f68134ff4c8d3c37246 (diff) | |
| download | pyramid-643a83473a6faabd0ff08547a0cbca09e9cdda1c.tar.gz pyramid-643a83473a6faabd0ff08547a0cbca09e9cdda1c.tar.bz2 pyramid-643a83473a6faabd0ff08547a0cbca09e9cdda1c.zip | |
A ``check_csrf`` view predicate was added. For example, you can now do
``config.add_view(someview, check_csrf=True)``. When the predicate is
checked, if the ``csrf_token`` value in ``request.params`` matches the csrf
token in the request's session, the view will be permitted to execute.
Otherwise, it will not be permitted to execute.
Diffstat (limited to 'docs/narr')
| -rw-r--r-- | docs/narr/introspector.rst | 4 | ||||
| -rw-r--r-- | docs/narr/viewconfig.rst | 31 |
2 files changed, 35 insertions, 0 deletions
diff --git a/docs/narr/introspector.rst b/docs/narr/introspector.rst index 6bfaf11c0..b88f3f0c8 100644 --- a/docs/narr/introspector.rst +++ b/docs/narr/introspector.rst @@ -393,6 +393,10 @@ introspectables in categories not described here. The ``match_param`` argument passed to ``add_view``. + ``csrf_token`` + + The ``csrf_token`` argument passed to ``add_view``. + ``callable`` The (resolved) ``view`` argument passed to ``add_view``. Represents the diff --git a/docs/narr/viewconfig.rst b/docs/narr/viewconfig.rst index 23b4fde68..f65435cc6 100644 --- a/docs/narr/viewconfig.rst +++ b/docs/narr/viewconfig.rst @@ -394,6 +394,28 @@ configured view. consideration when deciding whether or not to invoke the associated view callable. +``check_csrf`` + If specified, this value should be one of ``None``, ``True``, ``False``, or + a string representing the 'check name'. If the value is ``True`` or a + string, CSRF checking will be performed. If the value is ``False`` or + ``None``, CSRF checking will not be performed. + + If the value provided is a string, that string will be used as the 'check + name'. If the value provided is ``True``, ``csrf_token`` will be used as + the check name. + + If CSRF checking is performed, the checked value will be the value of + ``request.params[check_name]``. This value will be compared against the + value of ``request.session.get_csrf_token()``, and the check will pass if + these two values are the same. If the check passes, the associated view + will be permitted to execute. If the check fails, the associated view + will not be permitted to execute. + + Note that using this feature requires a :term:`session factory` to have + been configured. + + .. versionadded:: 1.4a2 + ``custom_predicates`` If ``custom_predicates`` is specified, it must be a sequence of references to custom predicate callables. Use custom predicates when no set of @@ -407,6 +429,15 @@ configured view. If ``custom_predicates`` is not specified, no custom predicates are used. +``predicates`` + Pass a key/value pair here to use a third-party predicate registered via + :meth:`pyramid.config.Configurator.add_view_predicate`. More than one + key/value pair can be used at the same time. See + :ref:`view_and_route_predicates` for more information about third-party + predicates. + + .. versionadded:: 1.4a1 + .. index:: single: view_config decorator |