maxcountryman / flask-seasurf

SeaSurf is a Flask extension for preventing cross-site request forgery (CSRF).
http://readthedocs.org/docs/flask-seasurf/

Document testing? #30

Closed shuhaowu closed 7 years ago

shuhaowu commented 11 years ago

The fact that you can disable testing with app.config["TESTING"] = True is amazing.

I'm not sure about the security implementations but please document this in the official documentation.

alanhamlett commented 11 years ago

@shuhaowu the TESTING config disables Flask-SeaSurf in your app. It's the same as the CSRF_DISABLE config, which is in the docs.

See this comment: https://github.com/maxcountryman/flask-seasurf/blob/6469f0c941813b32d6960ef3579c6979a458470f/flask_seasurf.py#L204

And this code which skips checking the csrf token if TESTING is True: https://github.com/maxcountryman/flask-seasurf/blob/6469f0c941813b32d6960ef3579c6979a458470f/flask_seasurf.py#L208

shuhaowu commented 11 years ago

One thing about that code: it's not checking CSRF_DISABLE on the fly. It sets it in init_app. This means if I set that flag during my unittests' setUp function, it won't notice that.

Dagur commented 9 years ago

Has this changed at all since this was posted? Can I set CSRF_DISABLE during testing?

maxcountryman commented 9 years ago

@Dagur the relevant code hasn't changed. We probably should be checking these values directly, rather than setting up only in init_app.

Dagur commented 9 years ago

Thanks! Until then I have found a way around this by setting _csrf_disable directly.
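To make the init_app-versus-request-time distinction from this thread concrete, here is an added, self-contained Python sketch. It is not flask-seasurf's code: `App` is a stand-in for `flask.Flask` that only models the `config` mapping, and `EagerCsrf`, `LazyCsrf` and the helper functions are invented names. `EagerCsrf` reads `TESTING`/`CSRF_DISABLE` once in `init_app`, as the thread says the real code does; `LazyCsrf` consults `app.config` on every check, which is what @maxcountryman suggests; `workaround_is_honoured` models Dagur's `_csrf_disable` trick on the eager variant.

```python
import hmac
import secrets


class App:
    # Minimal stand-in for flask.Flask (assumption): only the config mapping matters here.
    def __init__(self, **config):
        self.config = dict(config)


def _disabled_by_config(config):
    # Same rule the thread describes: TESTING or CSRF_DISABLE turns the check off.
    return bool(config.get("CSRF_DISABLE") or config.get("TESTING"))


class EagerCsrf:
    """Reads the disable flag once, inside init_app (the behaviour reported in the issue)."""

    def __init__(self, app=None):
        self.app = None
        self._csrf_disable = False
        self._token = secrets.token_hex(16)  # per-instance token, stands in for a session token
        if app is not None:
            self.init_app(app)

    def init_app(self, app):
        self.app = app
        self._csrf_disable = _disabled_by_config(app.config)

    def request_allowed(self, submitted_token):
        if self._csrf_disable:
            return True
        # Constant-time comparison; bytes on both sides so non-ASCII input cannot raise.
        return hmac.compare_digest(submitted_token.encode(), self._token.encode())


class LazyCsrf(EagerCsrf):
    """Consults app.config at request time, so a flag set later (e.g. in setUp) is honoured."""

    def init_app(self, app):
        self.app = app  # nothing is cached here

    def request_allowed(self, submitted_token):
        if _disabled_by_config(self.app.config):
            return True
        return hmac.compare_digest(submitted_token.encode(), self._token.encode())


def late_testing_flag_is_honoured(ext_cls):
    """Model the unittest flow from the thread: app and extension are created at import
    time, and TESTING is only switched on afterwards in setUp. Returns True when a
    request carrying no token is then let through, i.e. when the late flag took effect."""
    app = App()                      # no TESTING / CSRF_DISABLE yet
    csrf = ext_cls(app)              # extension initialised before the test suite runs
    app.config["TESTING"] = True     # what setUp() does
    return csrf.request_allowed("")  # no token submitted


def workaround_is_honoured():
    """Dagur's workaround on the eager extension: set the private _csrf_disable attribute."""
    app = App()
    csrf = EagerCsrf(app)
    csrf._csrf_disable = True
    return csrf.request_allowed("")


def token_check_works(ext_cls):
    """Sanity check that, with nothing disabled, only the right token passes."""
    app = App()
    csrf = ext_cls(app)
    return (not csrf.request_allowed("not-the-token")) and csrf.request_allowed(csrf._token)


if __name__ == "__main__":
    print("eager honours late TESTING:", late_testing_flag_is_honoured(EagerCsrf))  # False
    print("lazy honours late TESTING: ", late_testing_flag_is_honoured(LazyCsrf))   # True
    print("workaround on eager:       ", workaround_is_honoured())                   # True
```

The eager variant fails "closed": a flag set after `init_app` is ignored, so the CSRF check stays on, which is why the thread's unittest setUp approach did not work. The lazy variant is what a config-driven kill switch usually wants, but it also means a stray `TESTING = True` in a deployed config turns CSRF protection off at request time, so whichever pattern an extension uses, that key deserves a check in the deployment config.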