So, if I follow this line of reasoning, the way to get the same value as in the template is to use :
from pyramid.csrf import get_csrf_token print get_csrf_token(request) and *not* : print request.session.get_csrf_token() Le dim. 2 mai 2021 à 19:11, Laurent Daverio <[email protected]> a écrit : > > OK, I've been able to nail it down on a simple example : depending on > the CSRF storage policy I use, "request.session.get_csrf_token()" > (called from python or a template) and "get_csrf_token()" (called from > a template) return the same value *or not*. > > - no storage policy => ok > - LegacySessionCSRFStoragePolicy => ok > - CookieCSRFStoragePolicy => ko > > I'm attaching my example, I called it "onefile.py", although I needed > two files actually (one python file + one mako template). Sorry ;) > > Le mer. 28 avr. 2021 à 22:32, Laurent Daverio <[email protected]> a écrit : > > > > Thank you Steve. I'll have to think about it, not that the code is > > secret, just a matter of knowing what to post to be relevant. > > > > Le mer. 28 avr. 2021 à 22:10, Steve Piercy > > <[email protected]> a écrit : > > > > > > It's difficult to say without your example. I've been using CSRF as > > > shown in the Deform demo without any issues. > > > > > > --steve > > > > > > > > > On 4/28/21 10:32 AM, Laurent Daverio wrote: > > > > Hello List, > > > > > > > > I'd like to report a problem I've just encountered, occurring betwen > > > > Pyramid's CSRF protection and Deform. > > > > > > > > Basically, I have a Pyramid 2.0 web app configured along the lines of > > > > the "URL dispatch wiki tutorial" > > > > (https://docs.pylonsproject.org/projects/pyramid/en/2.0-branch/tutorials/wiki2/authentication.html), > > > > with some Deform forms in it. > > > > > > > > The Deform Demo > > > > (https://deformdemo.pylonsproject.org/pyramid_csrf_demo/) shows how to > > > > use a deferred value to create hidden field "csrf_token" in the > > > > generated forms. > > > > > > > > But there's a problem: the token generated that way doesn't have the > > > > same value as when I directly call get_csrf_token() in a template. > > > > > > > > As I don't have the time/energy to fully investigate the problem right > > > > now, I think I will just use a workaround: as I'm using Diazo as a > > > > theming engine (awesome tech, btw), I think I will add a rule to > > > > inject the token into every form. Should work. > > > > > > > > Still, I wanted to take the time to report the problem, in case it > > > > could be useful. > > > > > > > > Laurent. > > > > > > > > > > -- > > > You received this message because you are subscribed to the Google Groups > > > "pylons-discuss" group. > > > To unsubscribe from this group and stop receiving emails from it, send an > > > email to [email protected]. > > > To view this discussion on the web visit > > > https://groups.google.com/d/msgid/pylons-discuss/44979a98-12ae-239e-8478-c2323aecfaf1%40gmail.com. -- You received this message because you are subscribed to the Google Groups "pylons-discuss" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/pylons-discuss/CAB7cU6yg58oXZgQZT_ynrqrMhVzpJ80RSQmeZN9MBFT9HVUGjA%40mail.gmail.com.
