[Patchew-devel] [PATCH] rest: re-enable CSRF

Paolo Bonzini posted 1 patch 2 years, 7 months ago
Patches applied successfully
git fetch https://github.com/patchew-project/patchew-ci tags/patchew/20220225174316.612979-1-pbonzini@redhat.com
patchew/__init__.py | 7 -------
patchew/settings.py | 2 +-
2 files changed, 1 insertion(+), 8 deletions(-)
[Patchew-devel] [PATCH] rest: re-enable CSRF
Posted by Paolo Bonzini 2 years, 7 months ago
Now that the REST API is used throughout patchew-cli, and we have
switched to token authentication, avoid the possibility of forging
cross-site requests.
---
 patchew/__init__.py | 7 -------
 patchew/settings.py | 2 +-
 2 files changed, 1 insertion(+), 8 deletions(-)

diff --git a/patchew/__init__.py b/patchew/__init__.py
index a592854..e69de29 100644
--- a/patchew/__init__.py
+++ b/patchew/__init__.py
@@ -1,7 +0,0 @@
-from rest_framework.authentication import SessionAuthentication
-
-
-class CsrfExemptSessionAuthentication(SessionAuthentication):
-    def enforce_csrf(self, request):
-        # Skip CSRF until patchew-cli can switch to token-based authentication
-        return
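Review bot: before deleting the class, check that nothing else still names `patchew.CsrfExemptSessionAuthentication` (a per-view `authentication_classes` override or a test), since a stale dotted path fails at import time rather than on the first request. The commit message could also spell out what the override did: `enforce_csrf` returning without calling the parent meant any request authenticated by the session cookie skipped Django's CSRF check on unsafe methods, which is exactly the cross-site forgery being closed here. The removal leaves `patchew/__init__.py` empty (index `e69de29`), which is fine for a package marker.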
diff --git a/patchew/settings.py b/patchew/settings.py
index 189b9f7..8b19d19 100644
--- a/patchew/settings.py
+++ b/patchew/settings.py
@@ -68,7 +68,7 @@ MIDDLEWARE = [
 REST_FRAMEWORK = {
     "DEFAULT_AUTHENTICATION_CLASSES": (
         "rest_framework.authentication.TokenAuthentication",
-        "patchew.CsrfExemptSessionAuthentication",
+        "rest_framework.authentication.SessionAuthentication",
     ),
     "DEFAULT_PAGINATION_CLASS": "rest_framework.pagination.LimitOffsetPagination",
     "URL_FIELD_NAME": "resource_uri",
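Review bot: with `SessionAuthentication` back in the chain, any browser-side caller that hits the REST API with the session cookie (the web UI's own JavaScript, if there is any) must now send the CSRF token in the `X-CSRFToken` header on POST/PUT/DELETE or it will get a 403; either confirm there is no such caller or update it in the same series. Token clients are unaffected: `TokenAuthentication` is listed first and DRF uses the first class that authenticates, and the CSRF check inside `SessionAuthentication` runs only once a session user has been found. A test that POSTs with a session cookie but no CSRF token and expects 403 would pin this behaviour so the exemption is not reintroduced by accident.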
-- 
2.34.1

_______________________________________________
Patchew-devel mailing list
Patchew-devel@redhat.com
https://listman.redhat.com/mailman/listinfo/patchew-devel
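To make the effect of the patch concrete, here is an added example that is not patchew's or Django REST framework's code: a plain-Python model of what DRF's authentication chain does with the two configurations of `DEFAULT_AUTHENTICATION_CLASSES` (before: `TokenAuthentication` plus the CSRF-exempt subclass; after: `TokenAuthentication` plus the stock `SessionAuthentication`). It runs a forged cross-site POST, a token-authenticated patchew-cli request and a same-origin browser request through both chains. The CSRF check is a simplified double-submit comparison standing in for Django's `CsrfViewMiddleware`, and all tokens, session ids, user names and cookie values are constructed sample data.

```python
"""Behavioural model of the authentication change in this patch.

Added example, not patchew's or Django REST framework's code: it re-implements
in plain Python what DRF's authentication chain does with the classes named in
patchew/settings.py, so the effect of replacing
patchew.CsrfExemptSessionAuthentication with
rest_framework.authentication.SessionAuthentication can be run offline.
All tokens, session ids, user names and cookie values are constructed.
"""
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

# Constructed server-side state: API token table and session store.
CLI_TOKEN = "0123456789abcdef0123456789abcdef01234567"
TOKENS = {CLI_TOKEN: "cli-user"}
SESSIONS = {"sessid-alice": "alice"}


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


class PermissionDenied(Exception):
    """Stands in for rest_framework.exceptions.PermissionDenied (HTTP 403)."""


class TokenAuthentication:
    """Like DRF TokenAuthentication: 'Authorization: Token <key>'."""

    def authenticate(self, request):
        scheme, _, key = request.headers.get("Authorization", "").partition(" ")
        if scheme != "Token":
            return None  # not this scheme; DRF moves on to the next class
        user = TOKENS.get(key)
        if user is None:
            raise PermissionDenied("Invalid token")
        return user


class SessionAuthentication:
    """Like DRF SessionAuthentication: cookie session, then a CSRF check.

    The CSRF check only runs once a session user has been found, so token
    clients and anonymous requests never reach it.
    """

    def authenticate(self, request):
        user = SESSIONS.get(request.cookies.get("sessionid"))
        if user is None:
            return None
        self.enforce_csrf(request)
        return user

    def enforce_csrf(self, request):
        # Simplified double-submit check in the spirit of Django's
        # CsrfViewMiddleware (which additionally masks the token): the value
        # of the csrftoken cookie must be echoed in the X-CSRFToken header.
        if request.method in SAFE_METHODS:
            return
        cookie = request.cookies.get("csrftoken")
        if not cookie or request.headers.get("X-CSRFToken") != cookie:
            raise PermissionDenied("CSRF Failed")


class CsrfExemptSessionAuthentication(SessionAuthentication):
    """The class the patch deletes: same session lookup, CSRF check skipped."""

    def enforce_csrf(self, request):
        return


def authenticate(request, classes):
    """DRF-style chain: the first class that returns a user wins."""
    for cls in classes:
        user = cls().authenticate(request)
        if user is not None:
            return user
    return None


def before(request):
    """DEFAULT_AUTHENTICATION_CLASSES before the patch."""
    return authenticate(request, (TokenAuthentication, CsrfExemptSessionAuthentication))


def after(request):
    """DEFAULT_AUTHENTICATION_CLASSES after the patch."""
    return authenticate(request, (TokenAuthentication, SessionAuthentication))


def outcome(chain, request):
    """Return the authenticated user, 'anonymous', or a '403 ...' string."""
    try:
        return chain(request) or "anonymous"
    except PermissionDenied as exc:
        return f"403 {exc}"


# Forged cross-site POST: the victim's browser attaches both cookies to the
# request, but the attacker's page cannot read csrftoken to set the header.
FORGED = Request("POST", cookies={"sessionid": "sessid-alice", "csrftoken": "c0ffee"})
# patchew-cli after the switch to token authentication: no cookies at all.
CLI = Request("POST", headers={"Authorization": "Token " + CLI_TOKEN})
# Same-origin browser client that echoes the token the way Django expects.
LEGIT = Request("POST", headers={"X-CSRFToken": "c0ffee"},
                cookies={"sessionid": "sessid-alice", "csrftoken": "c0ffee"})

if __name__ == "__main__":
    for name, req in (("forged", FORGED), ("cli", CLI), ("legit", LEGIT)):
        print(f"{name:7} before={outcome(before, req):16} after={outcome(after, req)}")
```

Running it shows the forged POST authenticating as alice under the old chain and being rejected with 403 under the new one, while the token-bearing CLI request and the same-origin browser request behave identically in both. The model also makes visible why the ordering in the settings matters: a request that carries a valid `Authorization: Token` header never reaches `SessionAuthentication`, so the CSRF requirement only ever applies to cookie-authenticated callers.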

Re: [Patchew-devel] [PATCH] rest: re-enable CSRF
Posted by Paolo Bonzini 2 years, 7 months ago
On 2/25/22 18:43, Paolo Bonzini wrote:
> Now that the REST API is used throughout patchew-cli, and we have
> switched to token authentication, avoid the possibility of forging
> cross-site requests.
> ---
>   patchew/__init__.py | 7 -------
>   patchew/settings.py | 2 +-
>   2 files changed, 1 insertion(+), 8 deletions(-)

This patch shouldn't have been sent. :)

I have pushed the remaining parts of the 2018 summer of code project to 
a "rest-cli" branch and will try re-deploying some of the containers 
from it, when I have some time.  If it works, it can finally be merged, 
only 3.5 years later. :)

Paolo

> diff --git a/patchew/__init__.py b/patchew/__init__.py
> index a592854..e69de29 100644
> --- a/patchew/__init__.py
> +++ b/patchew/__init__.py
> @@ -1,7 +0,0 @@
> -from rest_framework.authentication import SessionAuthentication
> -
> -
> -class CsrfExemptSessionAuthentication(SessionAuthentication):
> -    def enforce_csrf(self, request):
> -        # Skip CSRF until patchew-cli can switch to token-based authentication
> -        return
> diff --git a/patchew/settings.py b/patchew/settings.py
> index 189b9f7..8b19d19 100644
> --- a/patchew/settings.py
> +++ b/patchew/settings.py
> @@ -68,7 +68,7 @@ MIDDLEWARE = [
>   REST_FRAMEWORK = {
>       "DEFAULT_AUTHENTICATION_CLASSES": (
>           "rest_framework.authentication.TokenAuthentication",
> -        "patchew.CsrfExemptSessionAuthentication",
> +        "rest_framework.authentication.SessionAuthentication",
>       ),
>       "DEFAULT_PAGINATION_CLASS": "rest_framework.pagination.LimitOffsetPagination",
>       "URL_FIELD_NAME": "resource_uri",
