Skip to content

Loading…

add __delattr__ for ObjectDict, no_xsrf check #470

Closed
wants to merge 3 commits into from

1 participant

@lepture

add delattr for ObjectDict

add no_xsrf check, so that we can specify a single handler without xsrf check

@lepture lepture closed this
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Commits on Feb 26, 2012
  1. add __delattr__ for tornado.util.ObjectDict

    lepture committed
Commits on Mar 12, 2012
Showing with 11 additions and 0 deletions.
  1. +6 −0 tornado/util.py
  2. +5 −0 tornado/web.py
View
6 tornado/util.py
@@ -14,6 +14,12 @@ def __getattr__(self, name):
def __setattr__(self, name, value):
self[name] = value
+ def __delattr__(self, name):
+ try:
+ del self[name]
+ except KeyError:
+ raise AttributeError(name)
+
def import_object(name):
"""Imports an object by name.
View
5 tornado/web.py
@@ -874,6 +874,11 @@ def check_xsrf_cookie(self):
http://www.djangoproject.com/weblog/2011/feb/08/security/
http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails
"""
+ if hasattr(self, 'no_xsrf') and self.no_xsrf:
+ # when handler.no_xsrf = True, we will not check xsrf cookie
+ # this is very useful when exposing handlers to HTTP clients
+ # other than browsers
+ return
token = (self.get_argument("_xsrf", None) or
self.request.headers.get("X-Xsrftoken") or
self.request.headers.get("X-Csrftoken"))
Something went wrong with that request. Please try again.