Kirill Simonov avatar Kirill Simonov committed 3b3b4e5

tweak.csrf: set the token cookie only if it was not passed in.

Comments (0)

Files changed (1)

src/htsql/tweak/csrf/wsgi.py

                 if secret is None or len(secret) != self.csrf_secret_length:
                     token = None
         header = self.environ.get('HTTP_X_HTSQL_CSRF_TOKEN')
-        if token and header and token == header:
-            for chunk in super(CSRFWSGI, self).__call__():
-                yield chunk
-            return
+        env = context.env
+        can_read = env.can_read
+        can_write = env.can_write
+        if not (token and header and token == header):
+            addon = context.app.tweak.csrf
+            can_read = can_read and addon.allow_cs_read
+            can_write = can_write and addon.allow_cs_write
         if not token:
             token = binascii.b2a_hex(os.urandom(self.csrf_secret_length))
-        path = self.environ.get('SCRIPT_NAME', '')
-        if not path.endswith('/'):
-            path += '/'
-        morsel = Cookie.Morsel()
-        morsel.set('htsql-csrf-token', token, Cookie._quote(token))
-        morsel['path'] = path
-        cookie = morsel.OutputString()
-        # FIXME: avoid state changes in the adapter.
-        original_start_response = self.start_response
-        def start_response(status, headers, exc=None):
-            headers = headers+[('Set-Cookie', cookie)]
-            return original_start_response(status, headers, exc)
-        self.start_response = start_response
-        env = context.env
-        addon = context.app.tweak.csrf
-        can_read = env.can_read and addon.allow_cs_read
-        can_write = env.can_write and addon.allow_cs_write
+            path = self.environ.get('SCRIPT_NAME', '')
+            if not path.endswith('/'):
+                path += '/'
+            morsel = Cookie.Morsel()
+            morsel.set('htsql-csrf-token', token, Cookie._quote(token))
+            morsel['path'] = path
+            cookie = morsel.OutputString()
+            # FIXME: avoid state changes in the adapter.
+            original_start_response = self.start_response
+            def start_response(status, headers, exc=None):
+                headers = headers+[('Set-Cookie', cookie)]
+                return original_start_response(status, headers, exc)
+            self.start_response = start_response
         with env(can_read=can_read, can_write=can_write):
             for chunk in super(CSRFWSGI, self).__call__():
                 yield chunk
Tip: Filter by directory path e.g. /media app.js to search for public/media/app.js.
Tip: Use camelCasing e.g. ProjME to search for ProjectModifiedEvent.java.
Tip: Filter by extension type e.g. /repo .js to search for all .js files in the /repo directory.
Tip: Separate your search with spaces e.g. /ssh pom.xml to search for src/ssh/pom.xml.
Tip: Use ↑ and ↓ arrow keys to navigate and return to view the file.
Tip: You can also navigate files with Ctrl+j (next) and Ctrl+k (previous) and view the file with Ctrl+o.
Tip: You can also navigate files with Alt+j (next) and Alt+k (previous) and view the file with Alt+o.