- ``pyramid.interfaces.ISession.get_csrf_token`` now mandates that an
implementation should return a *new* token if one doesn't already exist in
the session (previously it would return None). The internal sessioning
implementation has been changed.
| | |
| | | when the global function named ``pyramid.security.unauthenticated_userid`` |
| | | is invoked, so if you're not invoking that, you will not notice any issues. |
| | | |
| | | - ``pyramid.interfaces.ISession.get_csrf_token`` now mandates that an |
| | | implementation should return a *new* token if one doesn't already exist in |
| | | the session (previously it would return None). The internal sessioning |
| | | implementation has been changed. |
| | | |
| | | Documentation |
| | | ------------- |
| | | |
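Review bot: "mandates that an implementation should return" mixes a hard and a soft requirement; since this entry describes a contract change that every third-party ISession implementation has to follow, say "must create and return a new token" and state plainly that custom ISession implementations need updating, so a reader scanning the list does not take it as a recommendation rather than a requirement.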
| | |
| | | - Use a commit veto when configuring repoze.tm2 in paster templates for |
| | | non-1X, 2X, or 3X responses. |
| | | |
| | | - Make ``get_csrf_token`` call ``new_csrf_token`` (session timeout is |
| | | probably fine for the token). |
| | | |
| | | - Consider passing two callables to CallbackAuthenticationPolicy: one for |
| | | validating/obtaining the userid, the other for returning groups. |
| | | |
| | |
| | | forgery protection token. Return the token. It will be a string.""" |
| | | |
| | | def get_csrf_token(): |
| | | """ Get the CSRF token previously added to the session via |
| | | ``new_csrf_token``, and return the token. If no CSRF token exists, |
| | | the value returned will be ``None``. |
| | | """ Return a random cross-site request forgery protection token. It |
| | | will be a string. If a token was previously added to the session via |
| | | ``new_csrf_token``, that token will be returned. If no CSRF token |
| | | was previously set into the session, ``new_csrf_token`` will be |
| | | called, which will create and set a token, and this token will be |
| | | returned. |
| | | """ |
| | | |
| | | # mapping methods |
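Review bot: The rewritten docstring should spell out what callers can now rely on: the result is always a non-empty string, and the same token comes back on every subsequent call for the life of the session unless ``new_csrf_token`` is invoked explicitly. As written, the opening "Return a random cross-site request forgery protection token" reads as though each call might generate a fresh value, which is the opposite of the behaviour the rest of the paragraph describes; either drop "random" from the first sentence or move the generation detail next to the ``new_csrf_token`` reference, since this method only reads the stored value and delegates creation.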
| | |
| | | |
| | | @manage_accessed |
| | | def get_csrf_token(self): |
| | | return self.get('_csrft_', None) |
| | | token = self.get('_csrft_', None) |
| | | if token is None: |
| | | token = self.new_csrf_token() |
| | | return token |
| | | |
| | | # non-API methods |
| | | def _set_cookie(self, response): |
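Review bot: ``get_csrf_token`` is no longer a read-only accessor: the ``token = self.new_csrf_token()`` branch writes ``_csrft_`` into the session on the first call, so a plain GET that renders a form will now mark the session as modified and cause a session cookie to be emitted. That is the intended behaviour, but it deserves a sentence in the CHANGES entry. Two small points on the body itself: ``self.get('_csrft_', None)`` can be ``self.get('_csrft_')``, and ``if token is None:`` could be ``if not token:`` so that an empty string stored under ``_csrft_`` is regenerated rather than handed back to the caller as a valid token.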
| | |
| | | self.assertEqual(token, 'token') |
| | | self.failUnless('_csrft_' in session) |
| | | |
| | | def test_get_csrf_token_new(self): |
| | | request = testing.DummyRequest() |
| | | session = self._makeOne(request) |
| | | token = session.get_csrf_token() |
| | | self.failUnless(token) |
| | | self.failUnless('_csrft_' in session) |
| | | |
| | | class Test_manage_accessed(unittest.TestCase): |
| | | def _makeOne(self, wrapped): |
| | | from pyramid.session import manage_accessed |
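Review bot: ``test_get_csrf_token_new`` only checks that some truthy value comes back and that the key exists; add ``self.assertEqual(session['_csrft_'], token)`` and ``self.assertEqual(session.get_csrf_token(), token)`` so the test pins the two properties the new interface docstring promises (the token is stored in the session, and a second call returns the same token rather than a fresh one). ``failUnless`` is a deprecated alias for ``assertTrue``, but the surrounding tests use it too, so keeping it here is fine for consistency.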