[odrs-web] Do not require CSRF for API requests

From: Richard Hughes <rhughes src gnome org>
To: commits-list gnome org
Cc:
Subject: [odrs-web] Do not require CSRF for API requests
Date: Wed, 16 Mar 2022 15:34:35 +0000 (UTC)

commit 9eb83566495972b2320e3740845dd7d42173acce
Author: Richard Hughes <richard hughsie com>
Date:   Wed Mar 16 15:31:26 2022 +0000

    Do not require CSRF for API requests

 app_data/odrs/views_api.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
---
diff --git a/app_data/odrs/views_api.py b/app_data/odrs/views_api.py
index e64ce39..a6f9ed4 100644
--- a/app_data/odrs/views_api.py
+++ b/app_data/odrs/views_api.py
@@ -18,7 +18,7 @@ from sqlalchemy.exc import IntegrityError
 
 from flask import request, Response
 
-from odrs import app, db
+from odrs import app, db, csrf
 
 from .models import Review, User, Vote, Analytic, Taboo, Component
 from .models import _vote_exists
@@ -75,6 +75,7 @@ def _check_str(val):
     return True
 
 @app.route('/1.0/reviews/api/submit', methods=['POST'])
+@csrf.exempt
 def api_submit():
     """
     Submits a new review.
@@ -193,6 +194,7 @@ def api_show_app(app_id, user_hash=None):
                     mimetype='application/json')
 
 @app.route('/1.0/reviews/api/fetch', methods=['POST'])
+@csrf.exempt
 def api_fetch():
     """
     Return details about an application.
@@ -408,6 +410,7 @@ def _vote(val):
     return json_success('voted #%i %i' % (request_item['review_id'], val))
 
 @app.route('/1.0/reviews/api/upvote', methods=['POST'])
+@csrf.exempt
 def api_upvote():
     """
     Upvote an existing review by one karma point.
@@ -415,6 +418,7 @@ def api_upvote():
     return _vote(1)
 
 @app.route('/1.0/reviews/api/downvote', methods=['POST'])
+@csrf.exempt
 def api_downvote():
     """
     Downvote an existing review by one karma point.
@@ -422,6 +426,7 @@ def api_downvote():
     return _vote(-1)
 
 @app.route('/1.0/reviews/api/dismiss', methods=['POST'])
+@csrf.exempt
 def api_dismiss():
     """
     Dismiss a review without rating it up or down.
@@ -429,6 +434,7 @@ def api_dismiss():
     return _vote(0)
 
 @app.route('/1.0/reviews/api/report', methods=['POST'])
+@csrf.exempt
 def api_report():
     """
     Report a review for abuse.
@@ -436,6 +442,7 @@ def api_report():
     return _vote(-5)
 
 @app.route('/1.0/reviews/api/remove', methods=['POST'])
+@csrf.exempt
 def api_remove():
     """
     Remove a review.

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]