remove csrf_exempt from uploader views
the variable CSRF_TRUSTED_ORIGINS must be set instead to the appropriate hosts
aspedrosa committed Apr 14, 2022
1 parent 6be8f91 commit 1c37637
Showing 1 changed file with 3 additions and 6 deletions.
9 changes: 3 additions & 6 deletions dashboard_viewer/uploader/decorators.py
Expand Up @@ -3,7 +3,6 @@
from django.conf import settings
from django.http import HttpResponseForbidden
from django.views.decorators.clickjacking import xframe_options_exempt
from django.views.decorators.csrf import csrf_exempt


def uploader_decorator(view_func):
Expand All @@ -13,16 +12,14 @@ def uploader_decorator(view_func):
If not response with 403
Else don't do any verification
"""
wrapped_view = csrf_exempt(view_func)
wrapped_view = xframe_options_exempt(wrapped_view)

if not settings.SINGLE_APPLICATION_MODE:
wrapped_view = xframe_options_exempt(view_func)

def check_host(request, *args, **kwargs):
if request.get_host() != settings.MAIN_APPLICATION_HOST:
return HttpResponseForbidden()
return view_func(request, *args, **kwargs)

wrapped_view = wraps(wrapped_view)(check_host)
return wraps(wrapped_view)(check_host)

return wrapped_view
return view_func
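Review bot: `check_host` still ends with `return view_func(request, *args, **kwargs)`, so the `wrapped_view` built by `xframe_options_exempt(view_func)` is never called in the non-single-application branch. As far as I know, Django's `xframe_options_exempt` takes effect by flagging the response inside its wrapper rather than by setting an attribute on the view the way `csrf_exempt` does, so `wraps(wrapped_view)(check_host)` copies metadata only and the clickjacking middleware, if enabled, will still add `X-Frame-Options`. If the uploader views are meant to be framed by the main application, the last line of `check_host` should be `return wrapped_view(request, *args, **kwargs)`. The current behaviour fails closed, but it is worth fixing here so that nobody later works around it by relaxing the header site-wide. The opening lines of the docstring fall between the two hunks and are not shown.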
