author: Chris McDonough <chrism@plope.com> 2012-09-19 04:46:01 -0400
committer: Chris McDonough <chrism@plope.com> 2012-09-19 04:46:01 -0400
commit: 643a83473a6faabd0ff08547a0cbca09e9cdda1c (patch)
tree: 1825c27d957beff5509940215efbf97931dbe9af /docs
parent: c5680bbd7850c917ba1f1f68134ff4c8d3c37246 (diff)
A ``check_csrf`` view predicate was added. For example, you can now do
``config.add_view(someview, check_csrf=True)``. When the predicate is checked, if the ``csrf_token`` value in ``request.params`` matches the csrf token in the request's session, the view will be permitted to execute. Otherwise, it will not be permitted to execute.
Diffstat (limited to 'docs')
-rw-r--r-- docs/glossary.rst 9
-rw-r--r-- docs/narr/introspector.rst 4
-rw-r--r-- docs/narr/viewconfig.rst 31
-rw-r--r-- docs/whatsnew-1.4.rst 6
4 files changed, 47 insertions, 3 deletions
diff --git a/docs/glossary.rst b/docs/glossary.rst
index 2b006da20..96dd826d1 100644
--- a/docs/glossary.rst
+++ b/docs/glossary.rst
@@ -818,9 +818,12 @@ Glossary
application.
session factory
- A callable, which, when called with a single argument named
- ``request`` (a :term:`request` object), returns a
- :term:`session` object.
+ A callable, which, when called with a single argument named ``request``
+ (a :term:`request` object), returns a :term:`session` object. See
+ :ref:`using_the_default_session_factory`,
+ :ref:`using_alternate_session_factories` and
+ :meth:`pyramid.config.Configurator.set_session_factory` for more
+ information.
Mako
`Mako <http://www.makotemplates.org/>`_ is a template language language
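Review bot: the three cross-reference targets added at the end of the ``session factory`` entry (:ref:`using_the_default_session_factory`, :ref:`using_alternate_session_factories` and :meth:`pyramid.config.Configurator.set_session_factory`) are not defined anywhere in this patch, so a Sphinx build should confirm that each label resolves; an unresolved :ref: produces a build warning and renders as plain text instead of a link.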
diff --git a/docs/narr/introspector.rst b/docs/narr/introspector.rst
index 6bfaf11c0..b88f3f0c8 100644
--- a/docs/narr/introspector.rst
+++ b/docs/narr/introspector.rst
@@ -393,6 +393,10 @@ introspectables in categories not described here.
The ``match_param`` argument passed to ``add_view``.
+ ``csrf_token``
+
+ The ``csrf_token`` argument passed to ``add_view``.
+
``callable``
The (resolved) ``view`` argument passed to ``add_view``. Represents the
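Review bot: the introspectable key and its description in this hunk are named ``csrf_token``, but the ``add_view`` argument this commit introduces is ``check_csrf`` (see the commit message and the viewconfig hunk). Unless the introspector genuinely records the value under a different key, both the key and the sentence "The ``csrf_token`` argument passed to ``add_view``" should read ``check_csrf``, otherwise readers looking up the introspectable by the argument name will not find it.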
diff --git a/docs/narr/viewconfig.rst b/docs/narr/viewconfig.rst
index 23b4fde68..f65435cc6 100644
--- a/docs/narr/viewconfig.rst
+++ b/docs/narr/viewconfig.rst
@@ -394,6 +394,28 @@ configured view.
consideration when deciding whether or not to invoke the associated view
callable.
+``check_csrf``
+ If specified, this value should be one of ``None``, ``True``, ``False``, or
+ a string representing the 'check name'. If the value is ``True`` or a
+ string, CSRF checking will be performed. If the value is ``False`` or
+ ``None``, CSRF checking will not be performed.
+
+ If the value provided is a string, that string will be used as the 'check
+ name'. If the value provided is ``True``, ``csrf_token`` will be used as
+ the check name.
+
+ If CSRF checking is performed, the checked value will be the value of
+ ``request.params[check_name]``. This value will be compared against the
+ value of ``request.session.get_csrf_token()``, and the check will pass if
+ these two values are the same. If the check passes, the associated view
+ will be permitted to execute. If the check fails, the associated view
+ will not be permitted to execute.
+
+ Note that using this feature requires a :term:`session factory` to have
+ been configured.
+
+ .. versionadded:: 1.4a2
+
``custom_predicates``
If ``custom_predicates`` is specified, it must be a sequence of references
to custom predicate callables. Use custom predicates when no set of
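Review bot: the paragraph describing the comparison leaves the missing-parameter case undocumented: read literally, ``request.params[check_name]`` raises ``KeyError`` when the request carries no token at all, and the text does not say whether an absent token is treated as a failed check or surfaces as an error. One sentence stating the outcome for a request without the parameter would make the contract explicit; it would also help to mention next to the "same" comparison that a token is looked for only in ``request.params`` and nowhere else, since that is the full extent of what the check inspects.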
@@ -407,6 +429,15 @@ configured view.
If ``custom_predicates`` is not specified, no custom predicates are
used.
+``predicates``
+ Pass a key/value pair here to use a third-party predicate registered via
+ :meth:`pyramid.config.Configurator.add_view_predicate`. More than one
+ key/value pair can be used at the same time. See
+ :ref:`view_and_route_predicates` for more information about third-party
+ predicates.
+
+ .. versionadded:: 1.4a1
+
.. index::
single: view_config decorator
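Review bot: the heading ``predicates`` reads as a single named argument, while the body ("Pass a key/value pair here", "More than one key/value pair can be used at the same time") describes arbitrary keyword arguments matched against names registered with ``add_view_predicate``. Either rendering the heading as ``**predicates`` or adding a sentence that these are passed as extra keyword arguments to ``add_view`` (e.g. ``config.add_view(view, mypredicate=value)``) would remove the ambiguity.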
diff --git a/docs/whatsnew-1.4.rst b/docs/whatsnew-1.4.rst
index 76320f6e6..86bfc7c0a 100644
--- a/docs/whatsnew-1.4.rst
+++ b/docs/whatsnew-1.4.rst
@@ -156,6 +156,12 @@ Minor Feature Additions
- A new :func:`pyramid.session.check_csrf_token` convenience API function was
added.
+- A ``check_csrf`` view predicate was added. For example, you can now do
+ ``config.add_view(someview, check_csrf=True)``. When the predicate is
+ checked, if the ``csrf_token`` value in ``request.params`` matches the csrf
+ token in the request's session, the view will be permitted to execute.
+ Otherwise, it will not be permitted to execute.
+
Backwards Incompatibilities
---------------------------
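Review bot: this entry states that the ``csrf_token`` value in ``request.params`` is always what gets compared, whereas the viewconfig hunk documents that passing a string as ``check_csrf`` changes the parameter name. A short qualifier such as "(or the parameter named by the string passed as ``check_csrf``)" keeps the two descriptions consistent; "csrf token" should also be capitalised as "CSRF token" to match the rest of the changelog.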