jprdonnelly/redash
1
0
Fork 0
mirror of https://github.com/getredash/redash.git synced 2025-12-19 17:37:19 -05:00
Code Issues Projects Releases Wiki Activity

Partiallly Revert "Remove workaround from check_csrf() (#6919)" (#7327)

Browse Source 
This workaround was missing 'if view is not None ' as found in
https://github.com/pallets-eco/flask-wtf/pull/419/files

Tested with MULTI_ORG enabled.
This commit is contained in:
Eric Radman
2025-04-10 18:25:49 -04:00
committed by GitHub
parent eced377ae4
commit 2375f0b05f
1 changed files with 10 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
redash/security.py
View File

@@ -1,6 +1,6 @@
import functools import functools
from flask import session from flask import request, session
from flask_login import current_user from flask_login import current_user
from flask_talisman import talisman from flask_talisman import talisman
from flask_wtf.csrf import CSRFProtect, generate_csrf from flask_wtf.csrf import CSRFProtect, generate_csrf
@@ -35,6 +35,15 @@ def init_app(app):
@app.before_request @app.before_request
def check_csrf(): def check_csrf():
# BEGIN workaround until https://github.com/lepture/flask-wtf/pull/419 is merged
if request.blueprint in csrf._exempt_blueprints:
return
view = app.view_functions.get(request.endpoint)
if view is not None and f"{view.__module__}.{view.__name__}" in csrf._exempt_views:
return
# END workaround
if not current_user.is_authenticated or "user_id" in session: if not current_user.is_authenticated or "user_id" in session:
csrf.protect() csrf.protect()