From 688c340f6e5bc4a8f278b85f6defe5e5f3686379 Mon Sep 17 00:00:00 2001
From: Gareth Coles
Date: Wed, 4 Apr 2018 10:39:09 +0100
Subject: Attempting CSRF fixes

---
 pysite/route_manager.py | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

(limited to 'pysite/route_manager.py')

diff --git a/pysite/route_manager.py b/pysite/route_manager.py
index ee86c531..df7cbc36 100644
--- a/pysite/route_manager.py
+++ b/pysite/route_manager.py
@@ -34,9 +34,13 @@ class RouteManager:
         self.app.secret_key = os.environ.get("WEBPAGE_SECRET_KEY", "super_secret")
         self.app.config["SERVER_NAME"] = os.environ.get("SERVER_NAME", "pythondiscord.local:8080")
         self.app.config["PREFERRED_URL_SCHEME"] = PREFERRED_URL_SCHEME
+        self.app.config["WTF_CSRF_CHECK_DEFAULT "] = False  # We only want to protect specific routes
+
         self.app.before_request(self.db.before_request)
         self.app.teardown_request(self.db.teardown_request)
 
+        CSRF.init_app(self.app)  # Set up CSRF protection
+
         # Load the oauth blueprint
         self.oauth_backend = OauthBackend(self)
         self.oauth_blueprint = make_discord_blueprint(
@@ -69,9 +73,6 @@ class RouteManager:
                 self.log.debug(f"Loading Blueprint: {sub_blueprint.name}")
                 self.load_views(sub_blueprint, f"pysite/views/{sub}")
                 self.app.register_blueprint(sub_blueprint)
-
-                if sub == "api":
-                    CSRF.exempt(sub_blueprint)  # TODO: Gotta make this work properly, this is just a kludge for now
             except Exception:
                 logging.getLogger(__name__).exception(f"Failed to register blueprint for subdomain: {sub}")
 
@@ -84,9 +85,6 @@ class RouteManager:
 
         self.app.before_request(self.https_fixing_hook)  # Try to fix HTTPS issues
 
-        # CSRF.init_app(self.app)  # Set up CSRF protection
-        self.app.config["WTF_CSRF_CHECK_DEFAULT "] = False  # We only want to protect specific routes
-
     def https_fixing_hook(self):
         """
         Attempt to fix HTTPS issues by modifying the request context stack
-- 
cgit v1.2.3
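Review bot: The config key on the added line `self.app.config["WTF_CSRF_CHECK_DEFAULT "] = False` has a trailing space inside the string, so Flask-WTF's `WTF_CSRF_CHECK_DEFAULT` setting is never actually set and the "only protect specific routes" intent does not take effect; the line should read `self.app.config["WTF_CSRF_CHECK_DEFAULT"] = False`. Since `CSRF.init_app(self.app)` is now called unconditionally and the second hunk drops the `CSRF.exempt(sub_blueprint)` kludge for the `api` subdomain, the mis-spelled key presumably leaves Flask-WTF's default (check every request) in force, so non-safe-method requests to the API blueprint would likely start failing CSRF validation until the key is corrected or those views are explicitly exempted. The typo is carried over from the lines deleted in the third hunk, so it is pre-existing, but this commit is where it starts to matter. It is also worth noting, though not new here, that the context line above falls back to the secret key `"super_secret"`, which is what signs the CSRF tokens this change enables. The method enclosing both hunks starts and ends outside the diff.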