Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

replace pyramid.require_default_csrf setting with config.set_default_csrf_options #2518

Merged
merged 1 commit into from
Apr 20, 2016
Merged

replace pyramid.require_default_csrf setting with config.set_default_csrf_options #2518

merged 1 commit into from
Apr 20, 2016

Conversation

mmerickel
Copy link
Member

@mmerickel mmerickel commented Apr 18, 2016
edited
Loading

I realized that the csrf options should not really change per-environment and were more similar to default permissions. I'm removing the INI setting and adding config.set_default_csrf_options instead. Bonus aspect is that it will allow changing the default header and safe methods if desired.

I don't currently plan to remove the pyramid.csrf_trusted_origins setting but it's also an option. I do expect the origins to be different per-environment (dev vs prod) but people could handle it themselves by passing it to set_default_csrf_options.

Thoughts?

@digitalresistor
Copy link
Member

Leaving pyramid.csrf_trusted_origins makes sense, this way configuration can still be defined with the rest of the configuration.

@mmerickel
Copy link
Member Author

mmerickel commented Apr 18, 2016
edited
Loading

I'm going back and forth on how deep the integration should go. I'd like to have check_csrf_token use these options automatically for every call to it similar to how check_csrf_origin works right now (always checks the setting unless overridden). That way the new defaults are always used unless you explicitly specify them. That's a minor backward-incompatibility but does require opt-in (by calling config.set_default_csrf_options from the user to trigger so it feels like a win to me.

If I went that route then I would set the signature like config.set_default_csrf_options(autocheck=True, token='csrf_token', header='X-CSRF-Token', autocheck_ignore_safe_request_methods=['GET', 'HEAD', 'TRACE', 'OPTIONS']). A user could then set autocheck=False but still influence the token/header being set.

@digitalresistor
Copy link
Member

I like the idea that I as a user can influence the header/token name from a setting. Other than that, I really have no real preference either way.

@mmerickel mmerickel force-pushed the feature/set-default-csrf-options branch from daa6546 to f51d494 Compare April 19, 2016 06:51
@mmerickel mmerickel changed the title [wip] replace pyramid.require_default_csrf setting with config.set_default_csrf_options replace pyramid.require_default_csrf setting with config.set_default_csrf_options Apr 19, 2016
@mmerickel mmerickel force-pushed the feature/set-default-csrf-options branch from f51d494 to 783fb7c Compare April 19, 2016 07:02
@mmerickel
Copy link
Member Author

mmerickel commented Apr 19, 2016
edited
Loading

Alright I've overhauled the automatic csrf api to be simpler.

  • I removed the pyramid.require_default_csrf setting.
  • I removed the ability to specify a token name to add_view(require_csrf=...).
  • add_view(require_csrf=...) may now be True, False, or None.
  • If the value is None then it falls through to the setting used in config.set_default_csrf_options(require_csrf=..).
  • The token name, header and safe methods can only be overridden globally via the new set_default_csrf_options.

Please review!

@mmerickel mmerickel force-pushed the feature/set-default-csrf-options branch 3 times, most recently from 9ab25e8 to b7224ed Compare April 19, 2016 07:10
@mmerickel mmerickel force-pushed the feature/set-default-csrf-options branch from b7224ed to de3d0c7 Compare April 19, 2016 07:16
@digitalresistor digitalresistor added this to the 1.7 milestone Apr 19, 2016
digitalresistor
digitalresistor reviewed Apr 19, 2016
View reviewed changes
pyramid/viewderivers.py
if resolved_val is True:
resolved_val = 'csrf_token'
explicit_val = info.options.get('require_csrf')
defaults = info.registry.queryUtility(IDefaultCSRFOptions)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't it be simpler to always register a default utility, that can be overridden, rather than having to redefine the defaults here?

If we ever decide to change the safe_methods or the header, we need to change it in two places.

Copy link
Member Author

@mmerickel mmerickel Apr 19, 2016
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pyramid tends to be fairly lazy about this stuff. I think no matter what you will have 2 spots unless I move things out of the signature of set_default_csrf_options.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No worries :-)

@digitalresistor
Copy link
Member

Besides a minor nitpick about duplication, this looks great. 👍

@mmerickel mmerickel merged commit fe463dd into Pylons:master Apr 20, 2016
mmerickel added a commit that referenced this pull request Apr 20, 2016
@mmerickel
changelog for #2518
0f850ac
stevepiercy pushed a commit to stevepiercy/pyramid that referenced this pull request May 8, 2016
@mmerickel @stevepiercy
changelog for Pylons#2518
441a26a
@pyup-bot pyup-bot mentioned this pull request Feb 26, 2017
Merged
@pyup-bot pyup-bot mentioned this pull request Apr 30, 2017
Merged
@pyup-bot pyup-bot mentioned this pull request Jun 30, 2017
Merged
This was referenced Sep 29, 2017
Merged
Merged
@pyup-bot pyup-bot mentioned this pull request Dec 12, 2017
Merged
@pyup-bot pyup-bot mentioned this pull request Jun 30, 2020
Closed
@mmerickel mmerickel deleted the feature/set-default-csrf-options branch November 29, 2020 03:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.7
Development

Successfully merging this pull request may close these issues.
2 participants
@mmerickel @digitalresistor