| docs/api/session.rst | ●●●●● patch | view | raw | blame | history | |
| docs/whatsnew-1.4.rst | ●●●●● patch | view | raw | blame | history | |
| pyramid/session.py | ●●●●● patch | view | raw | blame | history | |
| pyramid/tests/test_session.py | ●●●●● patch | view | raw | blame | history |
docs/api/session.rst
@@ -11,4 +11,6 @@ .. autofunction:: signed_deserialize .. autofunction:: check_csrf_token
@@ -94,10 +94,10 @@ - :meth:`pyramid.config.Configurator.add_request_method` has been introduced to support extending request objects with arbitrary callables. This method expands on the previous expands on the now documentation-deprecated :meth:`pyramid.config.Configurator.set_request_property` by supporting methods as well as properties. This method causes less code to be executed at request construction time than methods as well as properties. This method also causes less code to be executed at request construction time than :meth:`~pyramid.config.Configurator.set_request_property`. - The static view machinery now raises rather than returns @@ -133,13 +133,13 @@ ``pyramid.util.InstancePropertyMixin`` class such as ``set_property``. - Request properties and methods added via :meth:`pyramid.config.Configurator.set_request_property` or :meth:`pyramid.config.Configurator.add_request_method` are now available to :meth:`pyramid.config.Configurator.add_request_method` or :meth:`pyramid.config.Configurator.set_request_property` are now available to tweens. - Request properties and methods added via :meth:`pyramid.config.Configurator.set_request_property` or :meth:`pyramid.config.Configurator.add_request_method` are now available :meth:`pyramid.config.Configurator.add_request_method` or :meth:`pyramid.config.Configurator.set_request_property` are now available in the request object returned from :func:`pyramid.paster.bootstrap`. - ``request.context`` of environment request during @@ -153,6 +153,9 @@ used to generate a configurator in a test, e.g. ``with testing.testConfig(...):``. - A new :func:`pyramid.session.check_csrf_token` convenience API function was added. Backwards Incompatibilities ---------------------------
@@ -15,6 +15,7 @@ native_, ) from pyramid.httpexceptions import HTTPBadRequest from pyramid.interfaces import ISession from pyramid.util import strings_differ @@ -80,6 +81,21 @@ return pickle.loads(pickled) def check_csrf_token(request, token='csrf_token'): """ Check the CSRF token in the request's session against the value in ``request.params.get(token)``. If ``token`` is not supplied, the string value ``csrf_token`` will be used as the token value. If the value in ``request.params.get(token)`` doesn't match the value supplied by ``request.session.get_csrf_token()``, this function will raise an :exc:`pyramid.httpexceptions.HTTPBadRequest` exception. If the CSRF check is successful, this function will return ``True``. .. versionadded:: 1.4a2 """ if request.params.get(token) != request.session.get_csrf_token(): raise HTTPBadRequest('incorrect CSRF token') return True def UnencryptedCookieSessionFactoryConfig( secret, timeout=1200, pyramid/tests/test_session.py
@@ -355,6 +355,26 @@ serialized = 'bad' + serialize('123', 'secret') self.assertRaises(ValueError, self._callFUT, serialized, 'secret') class Test_check_csrf_token(unittest.TestCase): def _callFUT(self, request, token): from ..session import check_csrf_token return check_csrf_token(request, token) def test_success(self): request = testing.DummyRequest() request.params['csrf_token'] = request.session.get_csrf_token() self.assertEqual(self._callFUT(request, 'csrf_token'), True) def test_success_default_token(self): from ..session import check_csrf_token request = testing.DummyRequest() request.params['csrf_token'] = request.session.get_csrf_token() self.assertEqual(check_csrf_token(request), True) def test_failure(self): from pyramid.httpexceptions import HTTPBadRequest request = testing.DummyRequest() self.assertRaises(HTTPBadRequest, self._callFUT, request, 'csrf_token') class DummySessionFactory(dict): _dirty = False
