Re: [pylons-discuss] Disable CSRF protection for just one route?

2025-10-18 Thread Eldav
Thank you everybody,

apparently it's as easy as setting "require_csrf = False" in view_config or 
a Cornice service indeed. For some reason, I had been convinced during all 
these years that once enabled, the protection was inflexible. I feel silly 
for asking such a simple question :|

I stand corrected,
Laurent.

On Friday, October 17, 2025 at 00:45:43 UTC+2, Delta Regeer wrote:

>
> https://docs.pylonsproject.org/projects/pyramid/en/latest/narr/security.html#auto-csrf-checking
>
>
> On Oct 16, 2025, at 16:44, Delta Regeer wrote:
>
>
> https://docs.pylonsproject.org/projects/pyramid/en/latest/narr/viewconfig.html#mapping-views-using-a-decorator-section
>
> require_csrf = False on the view?
>
> On Oct 16, 2025, at 16:11, Eldav wrote:
>
> Hello list, 
>
> just one quick question for confirmation, as I think I know the answer: is 
> it possible to disable CSRF protection for just one route?
>
> In my use case, I don't control the system which will call that route, 
> it's a notification service posting workflow events. HTTP method has to be 
> POST.
>
> If Pyramid can't do it, I'll set up a micro-service, probably with 
> Litestar, writing to the same database as Pyramid.
>
> Thanks in advance,
>
> Laurent.
>
>
>
> -- 
> You received this message because you are subscribed to the Google Groups 
> "pylons-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> To view this discussion visit 
> https://groups.google.com/d/msgid/pylons-discuss/2fd1dc91-83e4-4f34-a66b-76dcf1fae00bn%40googlegroups.com

-- 
You received this message because you are subscribed to the Google Groups 
"pylons-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion visit 
https://groups.google.com/d/msgid/pylons-discuss/a9cde5b4-6b89-4225-8cce-973134a18fe3n%40googlegroups.com.


Re: [pylons-discuss] Disable CSRF protection for just one route?

2025-10-18 Thread Delta Regeer
https://docs.pylonsproject.org/projects/pyramid/en/latest/narr/viewconfig.html#mapping-views-using-a-decorator-section

require_csrf = False on the view?

> On Oct 16, 2025, at 16:11, Eldav wrote:
> 
> Hello list, 
> 
> just one quick question for confirmation, as I think I know the answer: is it 
> possible to disable CSRF protection for just one route?
> 
> In my use case, I don't control the system which will call that route, it's a 
> notification service posting workflow events. HTTP method has to be POST.
> 
> If Pyramid can't do it, I'll set up a micro-service, probably with Litestar, 
> writing to the same database as Pyramid.
> 
> Thanks in advance,
> 
> Laurent.
> 


Re: [pylons-discuss] Disable CSRF protection for just one route?

2025-10-16 Thread Delta Regeer
https://docs.pylonsproject.org/projects/pyramid/en/latest/narr/security.html#auto-csrf-checking

> On Oct 16, 2025, at 16:44, Delta Regeer wrote:
> 
> https://docs.pylonsproject.org/projects/pyramid/en/latest/narr/viewconfig.html#mapping-views-using-a-decorator-section
> 
> require_csrf = False on the view?
> 
>> On Oct 16, 2025, at 16:11, Eldav wrote:
>> 
>> Hello list, 
>> 
>> just one quick question for confirmation, as I think I know the answer: is 
>> it possible to disable CSRF protection for just one route?
>> 
>> In my use case, I don't control the system which will call that route, it's 
>> a notification service posting workflow events. HTTP method has to be POST.
>> 
>> If Pyramid can't do it, I'll set up a micro-service, probably with Litestar, 
>> writing to the same database as Pyramid.
>> 
>> Thanks in advance,
>> 
>> Laurent.
>> 


Re: [pylons-discuss] Disable CSRF protection for just one route?

2025-10-16 Thread Mike Orr
I'd have to look up how I set up CSRF detection, but if I'm
remembering correctly it was on just one page, either a
publicly-accessible form to request an account, or on the login form
(which is no longer used since we switched to OAuth2).

You may be able to do something in one of the view callbacks to
override the default setting, such as an early view predicate. Or maybe
in an event callback early in the request cycle.

On Thu, Oct 16, 2025 at 3:11 PM Eldav wrote:
>
> Hello list,
>
> just one quick question for confirmation, as I think I know the answer: is it 
> possible to disable CSRF protection for just one route?
>
> In my use case, I don't control the system which will call that route, it's a 
> notification service posting workflow events. HTTP method has to be POST.
>
> If Pyramid can't do it, I'll set up a micro-service, probably with Litestar, 
> writing to the same database as Pyramid.
>
> Thanks in advance,
>
> Laurent.
>



-- 
Mike Orr 
