| Age | Commit message (Collapse) | Author |
|---|
|
- Renamed `SessionCSRFStoragePolicy` to `LegacySessionCSRFStoragePolicy` for
the version that uses the legacy `ISession.get_csrf_token` and
`ISession.new_csrf_token` apis and set that as the default.
- Added new `SessionCSRFStoragePolicy` that stores data in the session
similar to how the `SessionAuthenticationPolicy` works.
- `CookieCSRFStoragePolicy` did not properly return the newly generated
token from `get_csrf_token` after calling `new_csrf_token`. It needed
to cache the new value since the response callback does not affect
the current request.
- `CookieCSRFStoragePolicy` was not forwarding the `domain` value to the
`CookieProfile` causing that setting to be ignored.
- Removed `check_csrf_token` from the `ICSRFStoragePolicy` interface
to simplify implementations of storage policies.
- Added an introspectable item for the configured storage policy so that
it appears on the debugtoolbar.
- Added a change note on `ISession` that it no longer required the csrf methods.
- Leave deprecated shims in ``pyramid.session`` for
``check_csrf_origin`` and ``check_csrf_token``.
|
|
implemenations based on feedback, split CSRF implementation and option configuration and make the csrf token function exposed as a system default rather than a renderer event.
|
|
regarding naming of variables and code cleanup.
|
|
the session machinery.
Adds configuration of this to the csrf_options configurator commands. Make the default implementation a fallback to the old one. Documentation patches for new best practices given updates CSRF implementation.
|
