Csrf not being enforced on GET

author: Caio Carrara <ccarrara@thoughtworks.com> 2016-06-27 16:14:27 -0300
committer: Caio Carrara <ccarrara@thoughtworks.com> 2016-06-27 16:39:55 -0300
commit: b5d564b147807f289e07df4fe32b6f417ce90c98 (patch)
tree: 935122944348f86a03a31990c269009c6abe6a50 /service/pixelated/resources/root_resource.py
parent: 361796f0ff1eb0f450f768749d5c69f5c4f6b1e4 (diff)
1 files changed, 5 insertions, 5 deletions
diff --git a/service/pixelated/resources/root_resource.py b/service/pixelated/resources/root_resource.py
index 6886dda6..f27138b0 100644
--- a/service/pixelated/resources/root_resource.py
+++ b/service/pixelated/resources/root_resource.py
@@ -66,17 +66,17 @@ class RootResource(BaseResource):
         return UnAuthorizedResource()
 
     def _is_xsrf_valid(self, request):
+        get_request = (request.method == 'GET')
+        if get_request:
+            return True
+
         xsrf_token = request.getCookie('XSRF-TOKEN')
 
         ajax_request = (request.getHeader('x-requested-with') == 'XMLHttpRequest')
         if ajax_request:
-            xsrf_header = xsrf_token or request.getHeader('x-xsrf-token')
+            xsrf_header = request.getHeader('x-xsrf-token')
             return xsrf_header and xsrf_header == xsrf_token
 
-        get_request = (request.method == 'GET')
-        if get_request:
-            return True
-
         csrf_input = request.args.get('csrftoken', [None])[0] or json.loads(request.content.read()).get('csrftoken', [None])[0]
         return csrf_input and csrf_input == xsrf_token
author	Caio Carrara <ccarrara@thoughtworks.com>	2016-06-27 16:14:27 -0300
committer	Caio Carrara <ccarrara@thoughtworks.com>	2016-06-27 16:39:55 -0300
commit	b5d564b147807f289e07df4fe32b6f417ce90c98 (patch)
tree	935122944348f86a03a31990c269009c6abe6a50 /service/pixelated/resources/root_resource.py
parent	361796f0ff1eb0f450f768749d5c69f5c4f6b1e4 (diff)