Commit
Adding hook for CSRF exempting flask views. (#3435)
fabianmenges authored and mistercrunch committed Sep 15, 2017
1 parent 32bd827 commit e22aecb
Showing 3 changed files with 13 additions and 0 deletions.
7 changes: 7 additions & 0 deletions docs/installation.rst
Expand Up @@ -157,6 +157,8 @@ of the parameters you can copy / paste in that configuration module: ::

# Flask-WTF flag for CSRF
WTF_CSRF_ENABLED = True
# Add endpoints that need to be exempt from CSRF protection
WTF_CSRF_EXEMPT_LIST = []

# Set this API key to enable Mapbox visualizations
MAPBOX_API_KEY = ''
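Review bot: the new `WTF_CSRF_EXEMPT_LIST = []` line in the config excerpt says nothing about what an element looks like; the comment calls them "endpoints", but the value is handed straight to `csrf.exempt()` in `superset/__init__.py`, and "endpoint" could be read as a URL path, an endpoint name or a view object. Say which form entries take and that every entry switches CSRF checking off for that view entirely, e.g. `# Views excluded from CSRF protection; each entry is passed to CSRFProtect.exempt()`.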
Expand All @@ -172,6 +174,11 @@ Please make sure to change:
* *SQLALCHEMY_DATABASE_URI*, by default it is stored at *~/.superset/superset.db*
* *SECRET_KEY*, to a long random string

In case you need to exempt endpoints from CSRF, e.g. you are running a custom
auth postback endpoint, you can add them to *WTF_CSRF_EXEMPT_LIST*

WTF_CSRF_EXEMPT_LIST = ['']

Database dependencies
---------------------

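Review bot: the sentence ending in *WTF_CSRF_EXEMPT_LIST* has no terminating punctuation, and the example `WTF_CSRF_EXEMPT_LIST = ['']` is an empty string, which shows neither the expected format nor a realistic value; it is also not introduced with `::` the way the config excerpt at line 157 is, so reStructuredText will render it as running text rather than a literal block. End the sentence with a colon plus `::`, replace `''` with an obviously marked placeholder such as `'<view reference>'`, and add one sentence stating that an exempted view will accept cross-site POSTs, so only views that carry their own proof of origin (such as a provider-signed auth postback) belong on the list.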
3 changes: 3 additions & 0 deletions superset/__init__.py
Expand Up @@ -83,6 +83,9 @@ def get_js_manifest():

if conf.get('WTF_CSRF_ENABLED'):
csrf = CSRFProtect(app)
csrf_exempt_list = conf.get('WTF_CSRF_EXEMPT_LIST', [])
for ex in csrf_exempt_list:
csrf.exempt(ex)

utils.pessimistic_connection_handling(db.engine)

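Review bot: `conf.get('WTF_CSRF_EXEMPT_LIST', [])` is iterated without any type check, so a bare string would be walked character by character and an empty string (as in the docs example) would be passed to `csrf.exempt(ex)` unchanged, and nothing records which views lost CSRF protection. Validate that the value is a list of non-empty entries before the loop and log each exemption at startup so operators can audit the reduced coverage. The `[]` fallback is now also the default in `superset/config.py`, so it is redundant here; harmless, but it could be dropped.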
3 changes: 3 additions & 0 deletions superset/config.py
Expand Up @@ -75,6 +75,9 @@
# Flask-WTF flag for CSRF
WTF_CSRF_ENABLED = True

# Add endpoints that need to be exempt from CSRF protection
WTF_CSRF_EXEMPT_LIST = []

# Whether to run the web server in debug mode or not
DEBUG = False
FLASK_USE_RELOAD = True
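Review bot: the comment above `WTF_CSRF_EXEMPT_LIST` reads as if it adds protection ("Add endpoints that need to be exempt"); reword it to say these are views excluded from CSRF protection, state the entry format, and note that the list only takes effect when `WTF_CSRF_ENABLED` is `True`, matching the guard in `superset/__init__.py`.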

0 comments on commit e22aecb