
* authenticate_form allows for GET. Patch by iElectric.

--HG--
branch : trunk
1 parent b5bf0c6 commit fbb0469ac531a6d9d6c970cdf629763a68cf6f75 @bbangert bbangert committed Dec 18, 2010
Showing with 19 additions and 2 deletions.
  1. +1 −0 CHANGELOG
  2. +5 −2 pylons/decorators/secure.py
  3. +13 −0 tests/test_units/test_decorator_authenticate_form.py
@@ -2,6 +2,7 @@ Pylons Changelog
================
1.1 (**tip**)
+* authenticate_form allows for GET. Patch by iElectric.
* jsonify now properly sets charset to utf-8.
* Add ability for jsonify to handle objects with a __json__ attribute using
custom JSONEncoder class similar to TG2. Patch by Bob Farrell.
@@ -40,8 +40,11 @@ def authenticate_form(func, *args, **kwargs):
"""
request = get_pylons(args).request
- if authenticated_form(request.POST):
- del request.POST[secure_form.token_key]
+ if authenticated_form(request.params):
+ try:
+ del request.POST[secure_form.token_key]
+ except KeyError:
+ del request.GET[secure_form.token_key]
return func(*args, **kwargs)
else:
log.warn('Cross-site request forgery detected, request denied: %r '
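Review bot: The decorator's docstring, which sits above the hunk, still needs to say that the token is now read from `request.params`, i.e. from the query string as well as the form body, and that a token placed in a URL can be exposed through Referer headers, server and proxy logs and browser history, so the form body remains the preferred carrier. I would add `The token is looked up in ``request.params`` (query string or form body); prefer sending it in the body, since URLs are routinely logged and forwarded in Referer headers.` to the docstring. A smaller point on the `try`/`except KeyError` block: when the key is present in both GET and POST only the POST copy is deleted, so the wrapped action still sees the token in `request.GET`; removing it from both (`request.POST.pop(secure_form.token_key, None)` followed by the same on `request.GET`) would be more predictable, assuming the WebOb MultiDicts in use support `pop` with a default. authenticate_form's body continues past the end of the hunk.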
@@ -87,3 +87,16 @@ def test_authenticated(self):
extra_environ=self.environ,
expect_errors=True)
assert 'Authenticated' in response
+
+ # GET with token_key in query string
+ response = self.app.get('/protected',
+ params={secure_form.token_key: token},
+ extra_environ=self.environ,
+ expect_errors=True)
+ assert 'Authenticated' in response
+
+ # POST with token_key in query string
+ response = self.app.post('/protected?' + secure_form.token_key + '=' + token,
+ extra_environ=self.environ,
+ expect_errors=True)
+ assert 'Authenticated' in response
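Review bot: The two new cases only cover the accepting path; nothing in the hunk checks that a GET carrying a wrong or missing token is still refused now that the decorator reads the query string, so a regression that skipped the check for GET requests would pass this test. I cannot tell from the hunk whether an earlier test in this file already covers the unauthenticated POST case, but the GET path is new and deserves its own negative case. Separately, the URL in the POST case is built by string concatenation; if the token can contain characters that need percent-encoding the query string would be malformed, so `urllib.urlencode({secure_form.token_key: token})` (Python 2) would be safer, though that depends on the token format secure_form produces. test_authenticated begins before the hunk.
```python
        # … unchanged: existing GET and POST cases …
        # GET with a wrong token in the query string must still be refused
        # ('not-the-token' is a constructed value, not the session token)
        response = self.app.get('/protected',
                                params={secure_form.token_key: 'not-the-token'},
                                extra_environ=self.environ,
                                expect_errors=True)
        assert 'Authenticated' not in response
```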
