More CSRF fixes. #958
Merged
More CSRF fixes. #958
Commits on Mar 21, 2024
-
For application forms (not Flask-Security forms/views) the CSRF_PROTECT_MECHANISMS didn't stop form level CSRF checks. This PR changes how we communicate to form-based CSRF whether to proceed or not - used to use a FS-specific request attribute - but that only worked with forms instantiated by Flask-Security. Now, use Flask-WTF request attribute `csrf_valid`. This also simplified the unauth_csrf() decorator so that the 'fall_through' parameter is no longer needed (and uses have been removed). Add test for @unauth_csrf decorator raising error. Note that this returns a 400 with 'CSRF token is missing' - unlike the normal form-based CSRF check that returns it as a field error.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.