path: root/docs/narr/hooks.rst
Diffstat (limited to 'docs/narr/hooks.rst')
-rw-r--r--docs/narr/hooks.rst42
1 files changed, 6 insertions, 36 deletions
diff --git a/docs/narr/hooks.rst b/docs/narr/hooks.rst
index 2c3782387..28d1e09d5 100644
--- a/docs/narr/hooks.rst
+++ b/docs/narr/hooks.rst
@@ -1590,6 +1590,12 @@ the user-defined :term:`view callable`:
This element will also output useful debugging information when
``pyramid.debug_authorization`` is enabled.
+``csrf_view``
+
+ Used to check the CSRF token provided in the request. This element is a
+ no-op if both the ``require_csrf`` view option and the
+ ``pyramid.require_default_csrf`` setting are disabled.
+
``owrapped_view``
Invokes the wrapped view defined by the ``wrapper`` option.
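Review bot: the new ``csrf_view`` entry has a blank ``+`` line between the term and its indented description, unlike the neighbouring ``owrapped_view`` entry, where the description follows the term directly; in reStructuredText a blank line after the term turns the pair into a paragraph followed by a block quote instead of a definition-list item, so drop the blank line to keep the rendering consistent with the rest of the list. It would also help readers to mark ``require_csrf`` and ``pyramid.require_default_csrf`` with cross-references to where those options are documented, since this entry is the only place in the view-deriver list that mentions them.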
@@ -1656,42 +1662,6 @@ View derivers are unique in that they have access to most of the options
passed to :meth:`pyramid.config.Configurator.add_view` in order to decide what
to do, and they have a chance to affect every view in the application.
-Let's look at one more example which will protect views by requiring a CSRF
-token unless ``disable_csrf=True`` is passed to the view:
-
-.. code-block:: python
- :linenos:
-
- from pyramid.response import Response
- from pyramid.session import check_csrf_token
-
- def require_csrf_view(view, info):
- wrapper_view = view
- if not info.options.get('disable_csrf', False):
- def wrapper_view(context, request):
- if request.method == 'POST':
- check_csrf_token(request)
- return view(context, request)
- return wrapper_view
-
- require_csrf_view.options = ('disable_csrf',)
-
- config.add_view_deriver(require_csrf_view)
-
- def protected_view(request):
- return Response('protected')
-
- def unprotected_view(request):
- return Response('unprotected')
-
- config.add_view(protected_view, name='safe')
- config.add_view(unprotected_view, name='unsafe', disable_csrf=True)
-
-Navigating to ``/safe`` with a POST request will then fail when the call to
-:func:`pyramid.session.check_csrf_token` raises a
-:class:`pyramid.exceptions.BadCSRFToken` exception. However, ``/unsafe`` will
-not error.
-
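Review bot: with the ``require_csrf_view`` example removed, this section no longer says how a reader should obtain CSRF protection for views, even though the hunk above adds a built-in ``csrf_view`` deriver for exactly that purpose; consider replacing the removed paragraph with a short sentence stating that CSRF checking is now handled by the built-in ``csrf_view`` deriver via the ``require_csrf`` view option and the ``pyramid.require_default_csrf`` setting, so the transition from the old hand-written deriver to the built-in one is explicit in the narrative.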
Ordering View Derivers
~~~~~~~~~~~~~~~~~~~~~~