author | Jeremy Kerr <jk@ozlabs.org> | 2010-08-10 12:11:40 +0800 |
---|---|---|
committer | Jeremy Kerr <jk@ozlabs.org> | 2010-08-10 12:11:40 +0800 |
commit | 5b984a0262c42ef5ac8f05a687978235a12a6e28 (patch) | |
tree | d93cf9e6202ab8ccf826c949d214e467825f7044 | |
parent | 482ba5ac5e2fb71a8ae26ae9d5c5c72c33c35b23 (diff) | |
views: implement CSRF protection
Since we've got the csrf token present, we may as well check it for
requests.
We're using RequestContext already (via PatchworkRequestContext), so we
just need to switch it on in the settings, and add an exemption on the
xmlrpc interface.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
-rw-r--r-- | apps/patchwork/views/xmlrpc.py | 2 | ||||
-rw-r--r-- | apps/settings.py | 1 |
2 files changed, 3 insertions, 0 deletions
diff --git a/apps/patchwork/views/xmlrpc.py b/apps/patchwork/views/xmlrpc.py
index 23e58bf..0d3321f 100644
--- a/apps/patchwork/views/xmlrpc.py
+++ b/apps/patchwork/views/xmlrpc.py
@@ -29,6 +29,7 @@ from django.core import urlresolvers
 from django.shortcuts import render_to_response
 from django.contrib.auth import authenticate
 from patchwork.models import Patch, Project, Person, Bundle, State
+from django.views.decorators.csrf import csrf_exempt
 import sys
 import base64
@@ -120,6 +121,7 @@ class PatchworkXMLRPCDispatcher(SimpleXMLRPCDispatcher):
 dispatcher = PatchworkXMLRPCDispatcher()
 # XMLRPC view function
+@csrf_exempt
 def xmlrpc(request):
     if request.method != 'POST':
         return HttpResponseRedirect(
diff --git a/apps/settings.py b/apps/settings.py
index 20c8db3..68837b3 100644
--- a/apps/settings.py
+++ b/apps/settings.py
@@ -62,6 +62,7 @@ MIDDLEWARE_CLASSES = (
     'django.contrib.sessions.middleware.SessionMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.middleware.doc.XViewMiddleware',
+    'django.middleware.csrf.CsrfViewMiddleware',
 )
 ROOT_URLCONF = 'apps.urls'
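Review bot: The `@csrf_exempt` added above `def xmlrpc(request)` is only safe if this view never relies on the browser session cookie for authentication, and nothing in the hunk records that precondition for the next maintainer. A one-line comment above the decorator would pin it: `# CSRF-exempt: XML-RPC clients authenticate on every call, never via the browser session`. The `authenticate` import in the first hunk suggests per-call credentials, but the body of xmlrpc continues outside the hunk, so the dispatcher's auth path should be confirmed before that comment is written as fact. It is also worth noting that `csrf_exempt` must stay the outermost decorator if others are added later, since the CSRF middleware reads the exemption attribute from the view object it is handed.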