author: Michael Merickel <michael@merickel.org> 2019-10-17 01:03:04 -0500
committer: Michael Merickel <michael@merickel.org> 2019-10-17 01:03:04 -0500
commit: c67cc8722e3b26b729c3fed75db51395b56ac8a0
tree: d9184484868d10967845e0efb1304b7339360966 /docs/narr
parent: cee110df1b5cd94938379a27000e32b471c3cb38
remove check_csrf view predicate
Diffstat (limited to 'docs/narr')
-rw-r--r-- docs/narr/security.rst 23
-rw-r--r-- docs/narr/viewconfig.rst 22
2 files changed, 0 insertions, 45 deletions
diff --git a/docs/narr/security.rst b/docs/narr/security.rst
index 2a7034a19..62730e7a8 100644
--- a/docs/narr/security.rst
+++ b/docs/narr/security.rst
@@ -896,26 +896,3 @@ If CSRF checks fail then a :class:`pyramid.exceptions.BadCSRFToken` or
exception may be caught and handled by an :term:`exception view` but, by
default, will result in a ``400 Bad Request`` response being sent to the
client.
-
-Checking CSRF Tokens with a View Predicate
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-.. deprecated:: 1.7
- Use the ``require_csrf`` option or read :ref:`auto_csrf_checking` instead
- to have :class:`pyramid.exceptions.BadCSRFToken` exceptions raised.
-
-A convenient way to require a valid CSRF token for a particular view is to
-include ``check_csrf=True`` as a view predicate. See
-:meth:`pyramid.config.Configurator.add_view`.
-
-.. code-block:: python
-
- @view_config(request_method='POST', check_csrf=True, ...)
- def myview(request):
- # ...
-
-.. note::
- A mismatch of a CSRF token is treated like any other predicate miss, and the
- predicate system, when it doesn't find a view, raises ``HTTPNotFound``
- instead of ``HTTPBadRequest``, so ``check_csrf=True`` behavior is different
- from calling :func:`pyramid.csrf.check_csrf_token`.
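Review bot: Missing migration guidance for the status-code change described in the removed ``.. note::`` at the end of this hunk. That note says a token mismatch under ``check_csrf=True`` is a predicate miss and ends in ``HTTPNotFound``, while the surviving context above says a failed CSRF check raises ``BadCSRFToken`` and yields ``400 Bad Request`` by default. Anyone moving from the predicate to ``require_csrf`` will see 404 become 400, so exception views, tests and alerting keyed on the old response need updating. The diffstat for docs/narr shows 0 insertions, so nothing here records that. Suggest a short removal note under :ref:`auto_csrf_checking`, or a change log entry if one is not already part of this commit outside docs/narr, that names ``require_csrf`` as the replacement and states the 404 to 400 difference.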
diff --git a/docs/narr/viewconfig.rst b/docs/narr/viewconfig.rst
index 465477b4d..6a49e02a5 100644
--- a/docs/narr/viewconfig.rst
+++ b/docs/narr/viewconfig.rst
@@ -479,28 +479,6 @@ configured view.
consideration when deciding whether or not to invoke the associated view
callable.
-``check_csrf``
- If specified, this value should be one of ``None``, ``True``, ``False``, or a
- string representing the "check name". If the value is ``True`` or a string,
- CSRF checking will be performed. If the value is ``False`` or ``None``, CSRF
- checking will not be performed.
-
- If the value provided is a string, that string will be used as the "check
- name". If the value provided is ``True``, ``csrf_token`` will be used as the
- check name.
-
- If CSRF checking is performed, the checked value will be the value of
- ``request.POST[check_name]``. This value will be compared against the
- value of ``request.session.get_csrf_token()``, and the check will pass if
- these two values are the same. If the check passes, the associated view will
- be permitted to execute. If the check fails, the associated view will not be
- permitted to execute.
-
- Note that using this feature requires a :term:`session factory` to have been
- configured.
-
- .. versionadded:: 1.4a2
-
``physical_path``
If specified, this value should be a string or a tuple representing the
:term:`physical path` of the context found via traversal for this predicate
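Review bot: The ``check_csrf`` entry is dropped from the predicate list with no removal notice left in its place, so a reader who still has ``check_csrf=True`` or a custom check-name string in a ``view_config`` finds nothing in this section saying the predicate is gone or what replaces it. Suggest leaving a one-line pointer to ``require_csrf`` (the replacement named in the security.rst deprecation text). The pointer should also say what happens to the two behaviours this entry documented: the string "check name" form, and the comparison of ``request.POST[check_name]`` against ``request.session.get_csrf_token()``. Code relying on a custom name needs to know whether and how that carries over.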