Description
I have a schema that defines a single non-empty text field and sets the controls that allow additional fields and filter them. The schema looks like this:

```python
from formencode import Schema, validators


class Message(Schema):
    """Message reply."""
    allow_extra_fields = True    # accept keys the schema does not declare ...
    filter_extra_fields = True   # ... but drop them from the validated result
    message = validators.UnicodeString(not_empty=True, max=500)
```

It is then processed in the following view code:
```python
from pyramid import httpexceptions as exc
from pyramid.view import view_config
import pyramid_simpleform
from pyramid_simpleform.renderers import FormRenderer

from . import schemas  # the module holding the Message schema above


@view_config(request_method='POST', renderer='message.mak')
def claim_update(context, request):
    thread = context.data
    form = pyramid_simpleform.Form(
        request, schema=schemas.Message)
    if form.validate():
        # ... persist and redirect
        return exc.HTTPSeeOther('/message')
    # re-render the form (with errors, if any) on a failed POST
    return {'thread': thread, 'form': FormRenderer(form)}
```

The form renderer adds a csrf token and then the form is submitted by the user. The view code runs again and after validating (and stripping of attributes not in my schema) the form.data dictionary looks like this:
```python
{'_csrf': u'6921efe037911dfe28991802462034c227173a06',
 'message': u'',
 'submit': u'Add message'}
```

The attributes that should have been stripped out have not been.
Performing a standalone to_python on my Message schema does work as expected (only the message gets returned, and when empty, Invalid is raised).
This causes me trouble because I'm resetting the csrf token on every successful post, but the old csrf value keeps coming back.
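The following is an added illustration, not code from pyramid_simpleform or from the reporter, and it does not claim to show how that library's Form.validate() is implemented. It models the symptom in the report with a stand-in for the schema's to_python (hypothetical message_to_python) and contrasts two ways a form object can store the validated result: merging it into a dict that already holds the raw POST parameters (extra keys such as _csrf and submit survive) versus replacing the dict with the schema's output (only message remains). It also shows the check a view should run before persisting or re-rendering: the validated data must contain only schema fields, so a stale CSRF token cannot ride along. The POST dictionary is constructed sample input.

```python
"""Model of 'filtered fields come back' after form validation (added example)."""

SCHEMA_FIELDS = ("message",)
MAX_LEN = 500


class Invalid(ValueError):
    """Stands in for formencode.Invalid (hypothetical, for this example only)."""


def message_to_python(params):
    """Hypothetical stand-in for Message.to_python().

    Mirrors the schema's intent: 'message' must be non-empty and at most
    MAX_LEN characters, and every other key is filtered out.
    """
    message = params.get("message", "")
    if not isinstance(message, str) or not message.strip():
        raise Invalid("message: Please enter a value")
    if len(message) > MAX_LEN:
        raise Invalid("message: Enter a value not more than %d characters long" % MAX_LEN)
    return {"message": message}


def validate_merging(params):
    """Reproduces the reported symptom.

    The raw parameters are copied into the data dict first and the validated
    result is merged with update(); dict.update never removes keys, so the
    filtered extras (_csrf, submit, ...) stay in the result.
    Returns (ok, data).
    """
    data = dict(params)
    try:
        data.update(message_to_python(params))
    except Invalid:
        return False, data
    return True, data


def validate_replacing(params):
    """What the reporter expects: data *is* the schema's output, nothing else."""
    try:
        return True, message_to_python(params)
    except Invalid:
        return False, {}


def only_schema_fields(data, schema_fields=SCHEMA_FIELDS):
    """Defensive check for a view: reject data carrying keys the schema did
    not declare, instead of trusting that filtering happened upstream."""
    return set(data) <= set(schema_fields)


# Constructed sample POST body, shaped like the one in the report.
POST = {
    "_csrf": "6921efe037911dfe28991802462034c227173a06",
    "message": "hello",
    "submit": "Add message",
}


if __name__ == "__main__":
    ok, merged = validate_merging(POST)
    print("merge   ->", ok, sorted(merged), only_schema_fields(merged))
    ok, replaced = validate_replacing(POST)
    print("replace ->", ok, sorted(replaced), only_schema_fields(replaced))
    print("empty   ->", validate_replacing({"message": "", "_csrf": "x"}))
```

In a view, running only_schema_fields(form.data) before persisting or rendering is the cheap check: if it fails, the stale _csrf value (and any other extra parameter) has leaked through validation, and the token written into the re-rendered form should be taken from the session, never from form.data.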