authorJeremy Kerr <jk@ozlabs.org>2010-08-10 12:11:40 +0800
committerJeremy Kerr <jk@ozlabs.org>2010-08-10 12:11:40 +0800
commit5b984a0262c42ef5ac8f05a687978235a12a6e28 (patch)
treed93cf9e6202ab8ccf826c949d214e467825f7044
parent482ba5ac5e2fb71a8ae26ae9d5c5c72c33c35b23 (diff)
views: implement CSRF protection
Since we've got the csrf token present, we may as well check it for requests. We're using RequestContext already (via PatchworkRequestContext), so we just need to switch it on in the settings, and add an exemption on the xmlrpc interface. Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
-rw-r--r--apps/patchwork/views/xmlrpc.py2
-rw-r--r--apps/settings.py1
2 files changed, 3 insertions, 0 deletions
diff --git a/apps/patchwork/views/xmlrpc.py b/apps/patchwork/views/xmlrpc.py
index 23e58bf..0d3321f 100644
--- a/apps/patchwork/views/xmlrpc.py
+++ b/apps/patchwork/views/xmlrpc.py
@@ -29,6 +29,7 @@ from django.core import urlresolvers
from django.shortcuts import render_to_response
from django.contrib.auth import authenticate
from patchwork.models import Patch, Project, Person, Bundle, State
+from django.views.decorators.csrf import csrf_exempt
import sys
import base64
@@ -120,6 +121,7 @@ class PatchworkXMLRPCDispatcher(SimpleXMLRPCDispatcher):
dispatcher = PatchworkXMLRPCDispatcher()
# XMLRPC view function
+@csrf_exempt
def xmlrpc(request):
if request.method != 'POST':
return HttpResponseRedirect(
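Review bot: The `@csrf_exempt` on `xmlrpc` carries no comment explaining why this POST endpoint is allowed to skip the check that the rest of the site now enforces, and that invariant is easy to break later. The exemption is only sound while the view authenticates each request from credentials carried in the request itself rather than from the session cookie — the `authenticate` and `base64` imports in the first hunk suggest that is the case, but it is not visible here. I would add above the decorator: `# CSRF-exempt: XML-RPC clients send credentials per request (not the session cookie), so a browser cannot forge a call on a logged-in user's behalf. Do not make this view rely on session auth without dropping the exemption.` The body of `xmlrpc` continues past the end of the hunk.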
diff --git a/apps/settings.py b/apps/settings.py
index 20c8db3..68837b3 100644
--- a/apps/settings.py
+++ b/apps/settings.py
@@ -62,6 +62,7 @@ MIDDLEWARE_CLASSES = (
'django.contrib.sessions.middleware.SessionMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.middleware.doc.XViewMiddleware',
+ 'django.middleware.csrf.CsrfViewMiddleware',
)
ROOT_URLCONF = 'apps.urls'
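Review bot: Enabling `CsrfViewMiddleware` turns every unexempted POST view in the project into a 403 unless its form renders the token, and the settings entry gives a maintainer no hint of that coupling. The description says the token is already present in the templates, but that dependency lives in the templates and in the `xmlrpc` exemption in the other file, not here; a one-line comment next to the new entry would tie them together: `# Rejects POSTs without a CSRF token; forms must render the token and non-browser entry points (see views/xmlrpc.py) must be explicitly exempted.` Any other non-browser POST client the project may have is not visible on this page and should be checked before merging.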