comparison libervia/server/pages.py @ 1479:095e94ca6728
pages: disable CSRF token check when service profile is used:
CSRF token check doesn't make sense when no user is logged in, and it causes trouble for
caching.
fix 400
author | Goffi <goffi@goffi.org> |
---|---|
date | Fri, 22 Oct 2021 16:04:23 +0200 |
parents | c669b5bfb8a0 |
children | 774a81a6e8b5 |
1478:10ccad665d57 | 1479:095e94ca6728 |
---|---|
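--- a/libervia/server/pages.py
+++ b/libervia/server/pages.py
@@ -544,13 +544,18 @@
             log.info(_("{page} created").format(page=resource))
         else:
             log.info(_("{page} reloaded").format(page=resource))
 
     def checkCSRF(self, request):
-        csrf_token = self.host.getSessionData(
+        session = self.host.getSessionData(
             request, session_iface.ISATSession
-        ).csrf_token
+        )
+        if session.profile is None:
+            # CSRF doesn't make sense when no user is logged
+            log.debug("disabling CSRF check because service profile is used")
+            return
+        csrf_token = session.csrf_token
         given_csrf = request.getHeader("X-Csrf-Token")
         if given_csrf is None:
             try:
                 given_csrf = self.getPostedData(request, "csrf_token")
             except KeyError:
@@ -1807,14 +1812,17 @@
         # template_data are the variables passed to template
         if not hasattr(request, "template_data"):
             # if template_data doesn't exist, it's the beginning of the request workflow
             # so we fill essential data
             session_data = self.host.getSessionData(request, session_iface.ISATSession)
+            profile = session_data.profile
             request.template_data = {
-                "profile": session_data.profile,
-                "csrf_token": session_data.csrf_token,
-                "session_uuid": session_data.uuid,
+                "profile": profile,
+                # it's important to not add CSRF token and session uuid if service profile
+                # is used because the page may be cached, and the token then leaked
+                "csrf_token": "" if profile is None else session_data.csrf_token,
+                "session_uuid": "public" if profile is None else session_data.uuid,
                 "breadcrumbs": []
             }
 
         # XXX: here is the code which need to be executed once
         # at the beginning of the request hanling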