From bca563f56ffa29b52ffa87ad016d5a8344552493 Mon Sep 17 00:00:00 2001
From: Joshua Ma
Date: Thu, 31 Jul 2014 19:47:32 -0700
Subject: [PATCH] Fix CsrfProtect exempt for blueprints

This fixes two blueprint-related issues:
- If you exempt a blueprint but no views, self._exempt_views is be empty and thus blueprint exemption is skipped.
- If you have a blueprint defined in my.module.first, import it to my.module.second, and declare a view there with that blueprint, then the blueprint.import_name will be my.module.first and view.__module__ will be my.module.second. The two strings don't match up, and thus the view doesn't get exempt properly.
---
 flask_wtf/csrf.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/flask_wtf/csrf.py b/flask_wtf/csrf.py
index 0b383874..dd1a1e59 100644
--- a/flask_wtf/csrf.py
+++ b/flask_wtf/csrf.py
@@ -154,7 +154,7 @@ def _csrf_protect():
 if request.method in ('GET', 'HEAD', 'OPTIONS', 'TRACE'):
 return

- if self._exempt_views:
+ if self._exempt_views or self._exempt_blueprints:
 if not request.endpoint:
 return

@@ -165,7 +165,7 @@ def _csrf_protect():
 dest = '%s.%s' % (view.__module__, view.__name__)
 if dest in self._exempt_views:
 return
- if view.__module__ in self._exempt_blueprints:
+ if request.blueprint in self._exempt_blueprints:
 return

 csrf_token = None
@@ -211,7 +211,7 @@ def some_view():
 return
 """
 if isinstance(view, Blueprint):
- self._exempt_blueprints.add(view.import_name)
+ self._exempt_blueprints.add(view.name)
 return view
 if isinstance(view, string_types):
 view_location = view
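Review bot: In the first hunk of `_csrf_protect`, the `if not request.endpoint: return` under the widened guard is a fail-open path: once any view or blueprint is exempt, a request with no matched endpoint returns before the token check that begins at `csrf_token = None`. That is presumably harmless because routing rejects such a request before any view runs, but the reason is not stated, and the behaviour now differs between apps with and without exemptions. I would add a comment on that line, `# no endpoint matched, so no view will run; skipping validation is safe here`, or restructure so that only a positive match in `_exempt_views` or `_exempt_blueprints` skips validation. The body of `_csrf_protect` starts and ends outside this hunk.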
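Review bot: In the second hunk, `request.blueprint in self._exempt_blueprints` compares name strings, so the exemption depends entirely on how Flask derives `request.blueprint`. If that value is taken from the dotted prefix of the endpoint (I believe it is, but this should be confirmed against the supported Flask versions), an app-level rule registered with an endpoint such as `name.view` would skip CSRF validation whenever a blueprint called `name` is exempt. A short comment would make the coupling explicit, e.g. `# request.blueprint must equal the Blueprint.name stored by exempt()`. The patch touches only `flask_wtf/csrf.py`, so neither case from the description is pinned by a test. Regression tests for a blueprint-only exemption, for a blueprint imported into a second module, and for a non-exempt blueprint still being rejected without a token would guard this check.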
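Review bot: Storing `view.name` in the third hunk changes what exempting a blueprint means, and the docstring of the exempt method (which starts above this hunk) should say so. Previously the stored `import_name` was compared with `view.__module__`, so views defined in the blueprint's module were exempt; now every endpoint registered on a blueprint with that name is exempt, wherever the view function is defined. Because `_exempt_blueprints` appears to live on the extension instance, the name would also apply to every application that instance protects (inferred; the set's initialisation is not visible here). I would add a docstring line such as `Passing a Blueprint exempts all views registered on it, matched by blueprint name.`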