Disable CSRF check on predicate fallback view (fixes #458)

Cornices · Oct 19, 2017 · 1b7161a · 1b7161a
1 parent 76b0390
commit 1b7161a
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 3 deletions.
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -6,7 +6,9 @@ CHANGELOG
 2.5.0 (unreleased)
 ==================
 
-- Nothing changed yet.
+**Bug fixes**
+
+- Disable CSRF check on predicate fallback view (fixes #458)
 
 
 2.4.0 (2017-01-19)

diff --git a/cornice/pyramidhook.py b/cornice/pyramidhook.py
@@ -274,7 +274,8 @@ def register_service_views(config, service):
         # Add the fallback view last
         config.add_view(view=get_fallback_view(service),
                         route_name=route_name,
-                        permission=NO_PERMISSION_REQUIRED)
+                        permission=NO_PERMISSION_REQUIRED,
+                        require_csrf=False)
         config.commit()
 
 

diff --git a/tests/test_pyramidhook.py b/tests/test_pyramidhook.py
@@ -13,6 +13,7 @@
 from pyramid.httpexceptions import (
     HTTPOk, HTTPForbidden, HTTPNotFound, HTTPMethodNotAllowed
 )
+from pyramid.csrf import CookieCSRFStoragePolicy
 from pyramid.response import Response
 from pyramid.security import Allow, Deny, NO_PERMISSION_REQUIRED
 from pyramid.authentication import AuthTktAuthenticationPolicy
@@ -22,7 +23,7 @@
 
 from cornice import Service
 from cornice.pyramidhook import register_service_views
-from cornice.util import func_name
+from cornice.util import func_name, ContentTypePredicate
 
 from .support import CatchErrors, dummy_factory
 
@@ -275,6 +276,9 @@ def test(self):
 class TestFallbackRegistration(TestCase):
     def setUp(self):
         self.config = testing.setUp()
+        self.config.add_view_predicate('content_type', ContentTypePredicate)
+        self.config.set_csrf_storage_policy(CookieCSRFStoragePolicy(domain='localhost'))
+        self.config.set_default_csrf_options(require_csrf=True)
         self.config.registry.cornice_services = {}
 
     def tearDown(self):
@@ -310,3 +314,12 @@ def test_fallback_no_predicate(self):
         testapp = TestApp(app)
         testapp.get('/', status=404)
         #self.assertRaises(PredicateMismatch, testapp.get, '/')
+
+    def test_fallback_no_required_csrf(self):
+        service = Service(name='fallback-csrf', path='/', content_type='application/json')
+        service.add_view('POST', lambda _:'', require_csrf=False)
+        register_service_views(self.config, service)
+        self.config.include('cornice')
+        app = self.config.make_wsgi_app()
+        testapp = TestApp(app)
+        testapp.post('/', status=415, headers={'Content-Type': 'application/xml'})