Skip to content

CSRF exempt for WebhookView when authenticate via user/pass #5009

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 3 commits into from
Closed

CSRF exempt for WebhookView when authenticate via user/pass #5009

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
d803d98
Make Webhook views CSRF exempt
humitos Dec 17, 2018
93673ed
Lint
humitos Dec 17, 2018
6b8a4cc
Upgrade common
humitos Feb 19, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion common
Open in desktop
Submodule common updated from f3c261 to ac9eaf
16 changes: 16 additions & 0 deletions readthedocs/restapi/authentication.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
# -*- coding: utf-8 -*-
from rest_framework.authentication import SessionAuthentication


class CsrfExemptSessionAuthentication(SessionAuthentication):

"""
Session authentication class exempt of CSRF.

DRF by default when using a ``SessionAuthentication`` it enforces CSRF.

See: https://github.com/encode/django-rest-framework/blob/3.9.0/rest_framework/authentication.py#L134-L144 # noqa
"""

def enforce_csrf(self, request):
return
11 changes: 8 additions & 3 deletions readthedocs/restapi/views/integrations.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,3 @@
# -*- coding: utf-8 -*-

"""Endpoints integrating with Github, Bitbucket, and other webhooks."""

import json
Expand All @@ -23,6 +21,8 @@
from readthedocs.integrations.utils import normalize_request_payload
from readthedocs.projects.models import Project

from ..authentication import CsrfExemptSessionAuthentication


log = logging.getLogger(__name__)

Expand Down Expand Up @@ -349,7 +349,7 @@ class IsAuthenticatedOrHasToken(permissions.IsAuthenticated):
"""

def has_permission(self, request, view):
has_perm = (super().has_permission(request, view))
has_perm = super().has_permission(request, view)
return has_perm or 'token' in request.data


Expand Down Expand Up @@ -422,6 +422,11 @@ class WebhookView(APIView):
be.
"""

# We want to avoid CSRF checking when authenticating by user/password on
# this API endpoint so we can make a request like:
# curl -X POST -d "branches=branch" -u user:pass -e URL /api/v2/webhook/test-builds/{pk}/
authentication_classes = [CsrfExemptSessionAuthentication]
Copy link
Member

@ericholscher ericholscher Feb 19, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought we were doing basic auth here, not session auth?

Seems like it should be using https://www.django-rest-framework.org/api-guide/authentication/#basicauthentication


VIEW_MAP = {
Integration.GITHUB_WEBHOOK: GitHubWebhookView,
Integration.GITLAB_WEBHOOK: GitLabWebhookView,
Expand Down