Diffstat (limited to 'docs')
-rw-r--r--  docs/glossary.rst           |  9
-rw-r--r--  docs/narr/introspector.rst  |  4
-rw-r--r--  docs/narr/viewconfig.rst    | 31
-rw-r--r--  docs/whatsnew-1.4.rst       |  6
4 files changed, 47 insertions, 3 deletions
diff --git a/docs/glossary.rst b/docs/glossary.rst index 2b006da20..96dd826d1 100644 --- a/docs/glossary.rst +++ b/docs/glossary.rst @@ -818,9 +818,12 @@ Glossary application. session factory - A callable, which, when called with a single argument named - ``request`` (a :term:`request` object), returns a - :term:`session` object. + A callable, which, when called with a single argument named ``request`` + (a :term:`request` object), returns a :term:`session` object. See + :ref:`using_the_default_session_factory`, + :ref:`using_alternate_session_factories` and + :meth:`pyramid.config.Configurator.set_session_factory` for more + information. Mako `Mako <http://www.makotemplates.org/>`_ is a template language language diff --git a/docs/narr/introspector.rst b/docs/narr/introspector.rst index 6bfaf11c0..b88f3f0c8 100644 --- a/docs/narr/introspector.rst +++ b/docs/narr/introspector.rst @@ -393,6 +393,10 @@ introspectables in categories not described here. The ``match_param`` argument passed to ``add_view``. + ``csrf_token`` + + The ``csrf_token`` argument passed to ``add_view``. + ``callable`` The (resolved) ``view`` argument passed to ``add_view``. Represents the diff --git a/docs/narr/viewconfig.rst b/docs/narr/viewconfig.rst index 23b4fde68..f65435cc6 100644 --- a/docs/narr/viewconfig.rst +++ b/docs/narr/viewconfig.rst 
@@ -394,6 +394,28 @@ configured view. consideration when deciding whether or not to invoke the associated view callable. +``check_csrf`` + If specified, this value should be one of ``None``, ``True``, ``False``, or + a string representing the 'check name'. If the value is ``True`` or a + string, CSRF checking will be performed. If the value is ``False`` or + ``None``, CSRF checking will not be performed. + + If the value provided is a string, that string will be used as the 'check + name'. If the value provided is ``True``, ``csrf_token`` will be used as + the check name. + + If CSRF checking is performed, the checked value will be the value of + ``request.params[check_name]``. This value will be compared against the + value of ``request.session.get_csrf_token()``, and the check will pass if + these two values are the same. If the check passes, the associated view + will be permitted to execute. If the check fails, the associated view + will not be permitted to execute. + + Note that using this feature requires a :term:`session factory` to have + been configured. + + .. versionadded:: 1.4a2 + ``custom_predicates`` If ``custom_predicates`` is specified, it must be a sequence of references to custom predicate callables. Use custom predicates when no set of @@ -407,6 +429,15 @@ configured view. If ``custom_predicates`` is not specified, no custom predicates are used. +``predicates`` + Pass a key/value pair here to use a third-party predicate registered via + :meth:`pyramid.config.Configurator.add_view_predicate`. More than one + key/value pair can be used at the same time. See + :ref:`view_and_route_predicates` for more information about third-party + predicates. + + .. versionadded:: 1.4a1 + .. index:: single: view_config decorator diff --git a/docs/whatsnew-1.4.rst b/docs/whatsnew-1.4.rst index 76320f6e6..86bfc7c0a 100644 --- a/docs/whatsnew-1.4.rst +++ b/docs/whatsnew-1.4.rst 
@@ -156,6 +156,12 @@ Minor Feature Additions - A new :func:`pyramid.session.check_csrf_token` convenience API function was added. +- A ``check_csrf`` view predicate was added. For example, you can now do + ``config.add_view(someview, check_csrf=True)``. When the predicate is + checked, if the ``csrf_token`` value in ``request.params`` matches the csrf + token in the request's session, the view will be permitted to execute. + Otherwise, it will not be permitted to execute. + Backwards Incompatibilities --------------------------- |
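Review bot: the new introspectable key in docs/narr/introspector.rst is named ``csrf_token`` and described as "The ``csrf_token`` argument passed to ``add_view``", but the argument this same patch documents in docs/narr/viewconfig.rst is ``check_csrf``; ``csrf_token`` is only the default check name used when ``check_csrf=True``. Either rename the key and its description to ``check_csrf``, or say that the introspectable records the resolved check name rather than the ``add_view`` argument, so readers of the introspector docs do not look for an argument that does not exist.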
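Review bot: the ``check_csrf`` entry in docs/narr/viewconfig.rst defines the checked value as ``request.params[check_name]`` but never says what happens when that key is absent, which is the common case for a forged cross-site request; the entry should state explicitly that a missing parameter counts as a failed check and does not raise. It should also say what a failed predicate means for the client (the text only says the view "will not be permitted to execute" and does not say whether the request falls through to other views or what status is returned), note that because ``request.params`` includes the query string the token can be accepted from a URL and may then end up in server logs, so form bodies are preferable, and point readers at the ``request_method`` predicate, since as written ``check_csrf`` applies to every method including GET.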
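Review bot: the new ``predicates`` entry in docs/narr/viewconfig.rst says "Pass a key/value pair here" but never shows the calling form, and the heading ``predicates`` reads like the name of a single keyword argument that takes a mapping. If third-party predicates are passed as additional keyword arguments whose names are the ones registered with ``add_view_predicate``, one line such as ``config.add_view(someview, name_of_predicate=value)``, mirroring the ``config.add_view(someview, check_csrf=True)`` example in docs/whatsnew-1.4.rst, would remove the ambiguity; the entry could also state whether the predicate must be registered before the ``add_view`` call that uses it.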
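Review bot: the changelog bullet for the ``check_csrf`` predicate in docs/whatsnew-1.4.rst omits two things the same patch states in docs/narr/viewconfig.rst: that the feature requires a session factory to have been configured, and that passing a string instead of ``True`` changes the check name from ``csrf_token``. It should also cross-reference the ``pyramid.session.check_csrf_token`` function from the preceding bullet so readers know how the predicate and the convenience API relate, and say what a client receives when the token does not match rather than only that the view "will not be permitted to execute".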
