No, I haven't configured two session factories, one of them is
commented out, so that I can test either.
If I use LegacySessionCSRFStoragePolicy, get_csrf_token(request) and
request.session.get_csrf_token() do return the same value. A look at
the source code shows they are implemented in the same way.
BUT it I use CookieCSRFStoragePolicy, they no longer return the same
value. That was my point.
As I was using the second policy in my code, as per the Pyramid
tutorial, I was always getting CSRF errors in my Deform forms. I've
solved the problem by using:
@colander.deferred
def deferred_csrf_default(node, kw):
request = kw.get('request')
return get_csrf_token(request)
instead of:
@colander.deferred
def deferred_csrf_default(node, kw):
request = kw.get('request')
return request.session.get_csrf_token()
Laurent.
Le lun. 3 mai 2021 à 00:14, Steve Piercy <[email protected]> a écrit :
>
> They are effectively the same.
>
> https://docs.pylonsproject.org/projects/pyramid/en/latest/_modules/pyramid/csrf.html#LegacySessionCSRFStoragePolicy.get_csrf_token
>
> In your code, you have configured two session factories. I assume you get
> the CSRF unique to each factory. ¯\_(ツ)_/¯
>
> --steve
>
>
> On 5/2/21 10:25 AM, Laurent Daverio wrote:
> > So, if I follow this line of reasoning, the way to get the same value
> > as in the template is to use :
> >
> > from pyramid.csrf import get_csrf_token
> > print get_csrf_token(request)
> >
> > and *not* :
> >
> > print request.session.get_csrf_token()
> >
> > Le dim. 2 mai 2021 à 19:11, Laurent Daverio <[email protected]> a écrit :
> >>
> >> OK, I've been able to nail it down on a simple example : depending on
> >> the CSRF storage policy I use, "request.session.get_csrf_token()"
> >> (called from python or a template) and "get_csrf_token()" (called from
> >> a template) return the same value *or not*.
> >>
> >> - no storage policy => ok
> >> - LegacySessionCSRFStoragePolicy => ok
> >> - CookieCSRFStoragePolicy => ko
> >>
> >> I'm attaching my example, I called it "onefile.py", although I needed
> >> two files actually (one python file + one mako template). Sorry ;)
> >>
> >> Le mer. 28 avr. 2021 à 22:32, Laurent Daverio <[email protected]> a écrit
> >> :
> >>>
> >>> Thank you Steve. I'll have to think about it, not that the code is
> >>> secret, just a matter of knowing what to post to be relevant.
> >>>
> >>> Le mer. 28 avr. 2021 à 22:10, Steve Piercy
> >>> <[email protected]> a écrit :
> >>>>
> >>>> It's difficult to say without your example. I've been using CSRF as
> >>>> shown in the Deform demo without any issues.
> >>>>
> >>>> --steve
> >>>>
> >>>>
> >>>> On 4/28/21 10:32 AM, Laurent Daverio wrote:
> >>>>> Hello List,
> >>>>>
> >>>>> I'd like to report a problem I've just encountered, occurring betwen
> >>>>> Pyramid's CSRF protection and Deform.
> >>>>>
> >>>>> Basically, I have a Pyramid 2.0 web app configured along the lines of
> >>>>> the "URL dispatch wiki tutorial"
> >>>>> (https://docs.pylonsproject.org/projects/pyramid/en/2.0-branch/tutorials/wiki2/authentication.html),
> >>>>> with some Deform forms in it.
> >>>>>
> >>>>> The Deform Demo
> >>>>> (https://deformdemo.pylonsproject.org/pyramid_csrf_demo/) shows how to
> >>>>> use a deferred value to create hidden field "csrf_token" in the
> >>>>> generated forms.
> >>>>>
> >>>>> But there's a problem: the token generated that way doesn't have the
> >>>>> same value as when I directly call get_csrf_token() in a template.
> >>>>>
> >>>>> As I don't have the time/energy to fully investigate the problem right
> >>>>> now, I think I will just use a workaround: as I'm using Diazo as a
> >>>>> theming engine (awesome tech, btw), I think I will add a rule to
> >>>>> inject the token into every form. Should work.
> >>>>>
> >>>>> Still, I wanted to take the time to report the problem, in case it
> >>>>> could be useful.
> >>>>>
> >>>>> Laurent.
> >>>>>
> >>>>
> >>>> --
> >>>> You received this message because you are subscribed to the Google
> >>>> Groups "pylons-discuss" group.
> >>>> To unsubscribe from this group and stop receiving emails from it, send
> >>>> an email to [email protected].
> >>>> To view this discussion on the web visit
> >>>> https://groups.google.com/d/msgid/pylons-discuss/44979a98-12ae-239e-8478-c2323aecfaf1%40gmail.com.
> >
>
--
You received this message because you are subscribed to the Google Groups
"pylons-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/pylons-discuss/CAB7cU6yTwAppxSD1kZ0ZF-3s6Te7pba0AkmL8tW1AS94QdzBXQ%40mail.gmail.com.
