data-govt-nz / ckanext-security

A CKAN extension to hold various security improvements for CKAN
GNU Affero General Public License v3.0

CSRF in Flask? #26

Closed boykoc closed 4 years ago

boykoc commented 4 years ago

Maybe more of a question, but it seems the CSRF middleware doesn't get implemented for Flask blueprints for this extension (e.g. all user templates/forms don't get the token added, as they are run through Flask in current versions of CKAN). Is that the case, or am I overlooking something?

In the Requirements, it does have a great link to adding this for Pylons, but not for flask_app.py.

ThrawnCA commented 4 years ago

CSRFMiddleware should be obsolete, actually, if I'm not mistaken. The integration point now is when Jinja renders a template.

If there is another code path being missed, I'd be happy to look into it (I developed the filter for qld-gov-au/ckan-ex-qgov). Can you provide an example for reproducing it?

boykoc commented 4 years ago

@ThrawnCA ah, that makes some sense. This implementation was making me think of middleware, but I've taken a closer look at yours/qld's. I've got it working (e.g. on a dataset edit form I can see the token if I inspect the page), but on the user profile it's not there, and I can update the user profile from outside the site. I'm looking at it more now to see why some pages are "protected" and others aren't. I related it to Flask blueprints vs Pylons, but I don't think that's it anymore.

Could even be the form not hitting that match... not sure yet.
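To make the two points in this thread concrete (the token is injected when the rendered template passes through a filter, and a form that the filter's pattern does not match stays unprotected), here is an added example. It is not code from ckanext-security or ckan-ex-qgov: the regex, the `_csrf_token` field name, the helper names and the sample HTML are all assumptions made for this illustration. It injects a hidden token into every POST form of a rendered page, validates the token on submit, and includes an audit helper that lists POST forms carrying no token, which is the check that would have flagged the user-profile form.

```python
import hmac
import re
import secrets

# Assumed pattern for the opening tag of a POST form. The real extension's
# pattern is not reproduced here; this is only an illustration of the approach.
POST_FORM_RE = re.compile(
    r'(<form\b[^>]*\bmethod\s*=\s*["\']?post["\']?[^>]*>)',
    re.IGNORECASE,
)
FORM_ID_RE = re.compile(r'\bid\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
FIELD_NAME = "_csrf_token"  # assumed field name

# Constructed sample markup standing in for rendered CKAN pages.
DATASET_FORM = (
    '<form id="dataset-edit" method="post" action="/dataset/edit/abc">\n'
    '  <input name="title"/>\n</form>\n'
)
SEARCH_FORM = (
    '<form id="search" method="get" action="/dataset">\n'
    '  <input name="q"/>\n</form>\n'
)
USER_FORM = (
    '<form id="user-edit" action="/user/edit/alice" METHOD=POST>\n'
    '  <input name="fullname"/>\n</form>\n'
)
SAMPLE_HTML = DATASET_FORM + SEARCH_FORM + USER_FORM


def new_token():
    """Per-session secret; store it server-side (e.g. in the session cookie)."""
    return secrets.token_urlsafe(32)


def inject_csrf_token(html, token, field_name=FIELD_NAME):
    """Render-time hook: add a hidden token field to every POST form.

    Returns (rewritten_html, number_of_forms_that_matched). A form whose
    opening tag does not match POST_FORM_RE is left untouched, which is
    exactly the failure mode discussed above.
    """
    hidden = f'<input type="hidden" name="{field_name}" value="{token}"/>'
    # A callable avoids backreference interpretation of the token text.
    return POST_FORM_RE.subn(lambda m: m.group(1) + hidden, html)


def validate_post(session_token, form_data, field_name=FIELD_NAME):
    """Server-side check on a POST: accept only if the submitted token
    matches the session's token, using a constant-time comparison."""
    submitted = form_data.get(field_name)
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token, submitted)


def unprotected_post_forms(html, field_name=FIELD_NAME):
    """Audit helper: ids (or '<anonymous>') of POST forms without a token.

    Run it over rendered pages to find forms the injection step missed."""
    missing = []
    for m in POST_FORM_RE.finditer(html):
        end = html.find("</form>", m.end())
        body = html[m.end():end if end != -1 else len(html)]
        if f'name="{field_name}"' not in body:
            id_match = FORM_ID_RE.search(m.group(1))
            missing.append(id_match.group(1) if id_match else "<anonymous>")
    return missing


if __name__ == "__main__":
    tok = new_token()
    page, n = inject_csrf_token(SAMPLE_HTML, tok)
    print(f"protected {n} POST forms; still missing: {unprotected_post_forms(page)}")
    # Simulate a page where only the dataset form went through the filter.
    partial = inject_csrf_token(DATASET_FORM, tok)[0] + USER_FORM
    print("unprotected on partial page:", unprotected_post_forms(partial))
    print("cross-site POST without token accepted?", validate_post(tok, {"fullname": "x"}))
```

The audit helper is the practical takeaway: whatever the injection mechanism, a page-level scan for POST forms lacking the hidden field is how you notice that one form (here the user profile) is being rendered through a path, or written in a form, that the filter's pattern never sees.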

boykoc commented 4 years ago

Closing as this has shifted to a different implementation and repo (see mention above).

ThrawnCA commented 4 years ago

Well, this issue probably doesn't have to be closed; whenever https://github.com/qld-gov-au/ckan-ex-qgov/issues/28 is resolved, the fix should be applied to ckanext-security too.