Ben Bangert committed fb99abc

* authenticate_form allows for GET. Patch by iElectric.

  • Parent commits 4e9d481

Files changed (3)

 ================
 
 1.1 (**tip**)
+* authenticate_form allows for GET. Patch by iElectric.
 * jsonify now properly sets charset to utf-8.
 * Add ability for jsonify to handle objects with a __json__ attribute using
   custom JSONEncoder class similar to TG2. Patch by Bob Farrell.
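
Review bot: the entry "authenticate_form allows for GET" understates the change. The token is now also accepted from the query string on POST requests, which the new test exercises. Say so here, since it changes where the CSRF token can appear for every action using the decorator.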

File pylons/decorators/secure.py

 
     """
     request = get_pylons(args).request
-    if authenticated_form(request.POST):
-        del request.POST[secure_form.token_key]
+    if authenticated_form(request.params):
+        try:
+            del request.POST[secure_form.token_key]
+        except KeyError:
+            del request.GET[secure_form.token_key]
         return func(*args, **kwargs)
     else:
         log.warn('Cross-site request forgery detected, request denied: %r '
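
Review bot: checking `request.params` instead of `request.POST` makes every decorated action accept the token from the query string, and a GET carrying a valid token now reaches `func`, where before it would have been denied. Tokens in URLs tend to end up in access logs, browser history and Referer headers, so this is better as an opt-in than as the default for all callers. In the `try`/`except`, a request with the key in both the body and the query string only has the POST copy deleted, so the GET copy stays visible to `func`; remove the key from each of `request.POST` and `request.GET` where it is present. The docstring above should also be updated to describe the GET behaviour.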

File tests/test_units/test_decorator_authenticate_form.py

                                 extra_environ=self.environ,
                                 expect_errors=True)
         assert 'Authenticated' in response
+
+        # GET with token_key in query string
+        response = self.app.get('/protected',
+                                 params={secure_form.token_key: token},
+                                 extra_environ=self.environ,
+                                 expect_errors=True)
+        assert 'Authenticated' in response
+
+        # POST with token_key in query string
+        response = self.app.post('/protected?' + secure_form.token_key + '=' + token,
+                                 extra_environ=self.environ,
+                                 expect_errors=True)
+        assert 'Authenticated' in response
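
Review bot: both added cases assert only the success path (`'Authenticated' in response`). Add a GET with a missing or incorrect token in the query string and assert that it is denied, plus a request carrying the key in both the body and the query string, so the new `request.params` branch and the `except KeyError` fallback are covered on failure as well. The POST case builds the URL by string concatenation; passing the token through URL encoding would keep the test valid if the token format ever includes reserved characters.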