Mirror
/
zulip
mirror of https://github.com/zulip/zulip.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Return a nice JSON error when CSRF errors happen in JSON views. 

(imported from commit 916166c115f9b3ba0fdc93f8d917ff37ae22c2ae)
This commit is contained in:
Tim Abbott 2013-12-17 16:18:13 -05:00
parent 014b5e8a91
commit b30afe432e
2 changed files with 18 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
zerver/middleware.py
View File

@ -9,6 +9,7 @@ from zerver.lib.cache import get_memcached_time, get_memcached_requests
from zerver.lib.bugdown import get_bugdown_time, get_bugdown_requests from zerver.lib.bugdown import get_bugdown_time, get_bugdown_requests
from zerver.models import flush_per_request_caches from zerver.models import flush_per_request_caches
from zerver.exceptions import RateLimited from zerver.exceptions import RateLimited
from django.views.csrf import csrf_failure as html_csrf_failure
import logging import logging
import time import time
@ -219,6 +220,21 @@ class JsonErrorHandler(object):
return json_error(exception.to_json_error_msg()) return json_error(exception.to_json_error_msg())
return None return None
class TagRequests(object):
def process_view(self, request, view_func, args, kwargs):
self.process_request(request)
def process_request(self, request):
if request.path.startswith("/api/") or request.path.startswith("/json/"):
request.error_format = "JSON"
else:
request.error_format = "HTML"
def csrf_failure(request, reason=""):
if request.error_format == "JSON":
return json_error("CSRF Error: %s" % (reason,), status=403)
else:
return html_csrf_failure(request, reason)
# Monkeypatch in time tracking to the Django non-debug cursor # Monkeypatch in time tracking to the Django non-debug cursor
# Code comes from CursorDebugWrapper # Code comes from CursorDebugWrapper
def wrapper_execute(self, action, sql, params=()): def wrapper_execute(self, action, sql, params=()):

2
zproject/settings.py
View File

@ -131,6 +131,7 @@ if DEPLOYED:
# the token from the DOM, which means malicious code could too. But hiding the # the token from the DOM, which means malicious code could too. But hiding the
# cookie will slow down some attackers. # cookie will slow down some attackers.
CSRF_COOKIE_PATH = '/;HttpOnly' CSRF_COOKIE_PATH = '/;HttpOnly'
CSRF_FAILURE_VIEW = 'zerver.middleware.csrf_failure'
# Base URL of the Tornado server # Base URL of the Tornado server
# We set it to None when running backend tests or populate_db. # We set it to None when running backend tests or populate_db.
@ -154,6 +155,7 @@ if DEPLOYED:
MIDDLEWARE_CLASSES = ( MIDDLEWARE_CLASSES = (
# Our logging middleware should be the first middleware item. # Our logging middleware should be the first middleware item.
'zerver.middleware.TagRequests',
'zerver.middleware.LogRequests', 'zerver.middleware.LogRequests',
'zerver.middleware.JsonErrorHandler', 'zerver.middleware.JsonErrorHandler',
'zerver.middleware.RateLimitMiddleware', 'zerver.middleware.RateLimitMiddleware',