| Age | Commit message | Author |
Fixes #2770.
- Closes #2768
- previously the multiview was shared for both exception and hot-route,
but now that we allow some exception-only views this needed to be
separated
- add ViewDeriverInfo.exception_only to detect exception views
- do not prevent http_cache on exception views
- optimize secured_view and csrf_view derivers to remove themselves from
the view pipeline for exception views
Add an additional layer of protection against CSRF by verifying the actual
origin of the request in addition to the CSRF token. We only do this check on
sites hosted behind HTTPS because only HTTPS sites have evidence to show that
the Referrer header is not being spuriously removed by random middleware
boxes.
Instead of only protecting against unsafe POST requests, have the automatic
CSRF protection apply to all methods which are not defined as "safe" by RFC2616.
Previously `check_csrf_token` would allow passing a CSRF token in through the
URL of a request. However, this is a security issue because a CSRF token
must not be allowed to leak, and URLs regularly get copy/pasted or otherwise
end up leaking to the outside world.
The pyramid.security Authorization API function has_permission is made available on the request.
The pyramid.security Authentication API functions are now available as
properties (unauthenticated_userid, authenticated_userid, effective_principals)
and methods (remember_userid, forget_userid) on pyramid.request.Request.
Backwards compatibility:
For each of the APIs moved to request method or property,
the original API in the pyramid.security module proxies to the request.
Reworked tests to check module level b/c wrappers call through to mixins for each API.
Tests that check no reg on request now do the right thing.
Use a response callback to set the request headers for forget_userid and remember_userid.
Update docs.
Attempt to improve a documentation section referencing the pyramid.security.has_permission
function in docs/narr/resources.rst
Ensures backwards compatibility for `pyramid.security.forget`
and `pyramid.security.remember`.
Conflicts:
docs/index.rst
docs/latexindex.rst
setup.py
building PDF it does not pause and wait for user to hit RETURN. This is now consistent with other placements of this directive as well.
improve paragraph
remove info that was given in the preceding paragraph
consistency fixes
miscellaneous doc improvements
string or a tuple representing the physical traversal path of the context
found via traversal for this predicate to match as true. For example:
``physical_path='/'`` or ``physical_path='/a/b/c'`` or ``physical_path=('',
'a', 'b', 'c')``. This is not a path prefix match or a regex, it's a
whole-path match. It's useful when you want to always potentially show a
view when some object is traversed to, but you can't be sure about what kind
of object it will be, so you can't use the ``context`` predicate. The
individual path elements in between slash characters or in tuple elements
should be the Unicode representation of the name of the resource and should
not be encoded in any way.
``config.add_view(someview, check_csrf=True)``. When the predicate is
checked, if the ``csrf_token`` value in ``request.params`` matches the csrf
token in the request's session, the view will be permitted to execute.
Otherwise, it will not be permitted to execute.