* authenticate_form allows for GET. Patch by iElectric.

--HG--
branch : trunk

CHANGELOG

@@ -2,6 +2,7 @@ Pylons Changelog
 ================
 
 1.1 (**tip**)
+* authenticate_form allows for GET. Patch by iElectric.
 * jsonify now properly sets charset to utf-8.
 * Add ability for jsonify to handle objects with a __json__ attribute using
   custom JSONEncoder class similar to TG2. Patch by Bob Farrell.

pylons/decorators/secure.py

@@ -40,8 +40,11 @@ def authenticate_form(func, *args, **kwargs):
 
     """
     request = get_pylons(args).request
-    if authenticated_form(request.POST):
-        del request.POST[secure_form.token_key]
+    if authenticated_form(request.params):
+        try:
+            del request.POST[secure_form.token_key]
+        except KeyError:
+            del request.GET[secure_form.token_key]
         return func(*args, **kwargs)
     else:
         log.warn('Cross-site request forgery detected, request denied: %r '

tests/test_units/test_decorator_authenticate_form.py

@@ -87,3 +87,16 @@ def test_authenticated(self):
                                 extra_environ=self.environ,
                                 expect_errors=True)
         assert 'Authenticated' in response
+
+        # GET with token_key in query string
+        response = self.app.get('/protected',
+                                 params={secure_form.token_key: token},
+                                 extra_environ=self.environ,
+                                 expect_errors=True)
+        assert 'Authenticated' in response
+
+        # POST with token_key in query string
+        response = self.app.post('/protected?' + secure_form.token_key + '=' + token,
+                                 extra_environ=self.environ,
+                                 expect_errors=True)
+        assert 'Authenticated' in response