Little fix in csrf for use a simple token in all session

2017-03-16 04:42:34 +01:00 · 2017-03-16 04:42:34 +01:00 · 6e05f7a8db
commit 6e05f7a8db
parent aa0ac1d9e7
2 changed files with 17 additions and 8 deletions
--- a/paramecio/citoplasma/httputils.py
+++ b/paramecio/citoplasma/httputils.py
@ -5,19 +5,24 @@ from bottle import request, response
 from paramecio.citoplasma.sessions import get_session
 from paramecio.citoplasma.keyutils import create_key_encrypt

+no_csrf=False
+change_csrf=False
+
 try:

    from settings import config
    
-    no_csrf=False
-    
    if hasattr(config, 'no_csrf'):
        no_csrf=config.no_csrf

+    if hasattr(config, 'change_csrf'):
+        change_csrf=config.change_csrf
+
 except:

    class config:
        no_csrf=False
+        change_csrf=True


 def filter_ajax(data, filter_tags=True):
@ -91,12 +96,14 @@ class GetPostFiles:
                
                self.post['csrf_token']=self.post.get('csrf_token', '')

-                if self.post['csrf_token']!=s['csrf_token'] and self.post['csrf_token'].strip()!="":
+                if self.post['csrf_token']!=s['csrf_token'] or self.post['csrf_token'].strip()=="":
                    
                    raise NameError('Error: you need a valid csrf_token')
                else:
                    #Clean csrf_token
                    
+                    if change_csrf:
+                    
                        del s['csrf_token']
                        
                        s.save()
--- a/paramecio/cromosoma/formsutils.py
+++ b/paramecio/cromosoma/formsutils.py
@ -103,6 +103,8 @@ def csrf_token(token_id='csrf_token'):
 def generate_csrf():
    
    s=get_session()
+    
+    if not 'csrf_token' in s:    
        s['csrf_token']=create_key_encrypt()
        s.save()