diff --git a/CHANGES.rst b/CHANGES.rst index 7adf24a..fee6bef 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -1,3 +1,8 @@ +1.1.2 +----- +- Login and Logout actions are performed via POST and has protection + against CSRF attacks + 1.1.1 ----- - Fix ``BaseHandler`` obscuring ``AttributeError`` during dispatch diff --git a/README.rst b/README.rst index 103c198..a5bedbc 100644 --- a/README.rst +++ b/README.rst @@ -127,7 +127,11 @@ You can provide custom ``forbidden.jinja2`` template by overriding asset in your See template example in `pyramid_odesk/templates/forbidden.jinja2`_. +The "Logout" action is done also via POST request with CSRF protection, +see example of "Logout" buttion in `pyramid_odesk_example/templates/layout.jinja2`_. + .. _`pyramid_odesk/templates/forbidden.jinja2`: https://github.com/kipanshi/pyramid_odesk/tree/master/pyramid_odesk/templates/forbidden.jinja2 +.. _`pyramid_odesk_example/templates/layout.jinja2`: https://github.com/kipanshi/pyramid_odesk_example/blob/master/pyramid_odesk_example/templates/layout.jinja2 Contacts diff --git a/pyramid_odesk/__init__.py b/pyramid_odesk/__init__.py index 7e0c8a1..a01c7be 100644 --- a/pyramid_odesk/__init__.py +++ b/pyramid_odesk/__init__.py @@ -4,7 +4,7 @@ from pyramid.authorization import ACLAuthorizationPolicy -from .views import login, logout, oauth_callback, forbidden +from .views import Login, Logout, OauthCallback, forbidden def includeme(config): 
@@ -48,22 +48,22 @@ def includeme(config): config.registry['odesk.login_route'] = login_route login_path = settings.get('odesk.login_path', '/odesk-auth/login') config.add_route(login_route, login_path) - config.add_view(login, route_name=login_route, - permission='login') + config.add_view(Login, route_name=login_route, + permission='login', check_csrf=True) logout_route = settings.get('odesk.logout_route', 'logout') config.registry['odesk.logout_route'] = logout_route logout_path = settings.get('odesk.logout_path', '/odesk-auth/logout') config.add_route(logout_route, logout_path) - config.add_view(logout, route_name=logout_route, - permission=NO_PERMISSION_REQUIRED) + config.add_view(Logout, route_name=logout_route, + permission=NO_PERMISSION_REQUIRED, check_csrf=True) callback_route = settings.get('odesk.callback_route', 'oauth_callback') config.registry['odesk.logout_route'] = callback_route callback_path = settings.get('odesk.callback_path', '/odesk-auth/callback') config.add_route(callback_route, callback_path) - config.add_view(oauth_callback, route_name=callback_route, + config.add_view(OauthCallback, route_name=callback_route, permission='login') # A simple 403 view, with a login button. diff --git a/pyramid_odesk/templates/forbidden.jinja2 b/pyramid_odesk/templates/forbidden.jinja2 index 1c16d74..220d5f3 100644 --- a/pyramid_odesk/templates/forbidden.jinja2 +++ b/pyramid_odesk/templates/forbidden.jinja2 @@ -2,9 +2,15 @@
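Review bot: Neither rewritten `add_view` call in this hunk restricts the HTTP method, so the POST-only login/logout described in CHANGES and README is not enforced at the view configuration: `check_csrf=True` is a view predicate that reads the token from `request.params`, query string included, so a GET carrying `?csrf_token=...` still matches unless the `Login`/`Logout` classes reject non-POST themselves (outside this hunk). Add the method predicate alongside the CSRF one, e.g. `config.add_view(Login, route_name=login_route, permission='login', request_method='POST', check_csrf=True)` and the same `request_method='POST'` on the `Logout` registration. Because `check_csrf` is a predicate rather than a check inside the view, a missing or wrong token means no view matches and the client gets a 404 instead of a 400/403, which hides CSRF failures in logs and is confusing to debug; if the Pyramid version in use has it, `require_csrf=True` (which raises `BadCSRFToken`) is the clearer option, otherwise the 404 behaviour deserves a comment here. Separately, the untouched context line `config.registry['odesk.logout_route'] = callback_route` overwrites the logout route name stored a few lines earlier with the callback route name; this reads like a copy-paste slip and presumably should be `config.registry['odesk.callback_route'] = callback_route`. `includeme` begins before this hunk and its body continues after the last line shown.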
You are not authorized to access this page.
{% if authenticated %} - + {% else %} -Login with oDesk account here
+ {% endif %}