From 770b439c8495c3a0b16550c2f04740f31646d66b Mon Sep 17 00:00:00 2001
From: Roald de Vries
Date: Thu, 1 Dec 2016 10:36:29 +0100
Subject: WIP: add csrf token to every request

---
 service/pixelated/resources/root_resource.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'service/pixelated/resources/root_resource.py')

diff --git a/service/pixelated/resources/root_resource.py b/service/pixelated/resources/root_resource.py
index 7d5b0b0a..1d32935b 100644
--- a/service/pixelated/resources/root_resource.py
+++ b/service/pixelated/resources/root_resource.py
@@ -65,6 +65,7 @@ class RootResource(BaseResource):
         logger.debug('Root in STARTUP mode. %s' % self)
 
     def getChildWithDefault(self, path, request):
+        self._add_csrf_cookie(request)
         if path == '':
             return self._redirect_to_login_resource if self._public else self._inbox_resource
         if self._mode == MODE_STARTUP:
@@ -81,7 +82,6 @@ class RootResource(BaseResource):
         xsrf_token = request.getCookie('XSRF-TOKEN')
         logger.debug('CSRF token: %s' % xsrf_token)
-        # TODO: how is comparing the cookie-csrf with the HTTP-header-csrf adding any csrf protection?
         ajax_request = (request.getHeader('x-requested-with') == 'XMLHttpRequest')
         if ajax_request:
             xsrf_header = request.getHeader('x-xsrf-token')
@@ -101,7 +101,7 @@ class RootResource(BaseResource):
         return self.putChildProtected(path, resource) # to be on the safe side
 
     def initialize(self, provider=None, disclaimer_banner=None, authenticator=None):
-        self.putChildProtected('sandbox', SandboxResource(self._static_folder))
+        self.putChildPublic('sandbox', SandboxResource(self._static_folder))
         self.putChildProtected('keys', KeysResource(self._services_factory))
         self.putChildProtected(AttachmentsResource.BASE_URL, AttachmentsResource(self._services_factory))
         self.putChildProtected('contacts', ContactsResource(self._services_factory))
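Review bot: `_add_csrf_cookie` is called on every request on the first added line of getChildWithDefault, but no method of that name is defined in this commit (the diffstat shows three insertions and all three are visible here), so unless it already exists on RootResource or BaseResource every request will fail with AttributeError; the WIP subject suggests it is still to come. Because the call precedes the empty-path, MODE_STARTUP and protected-child dispatch, a Set-Cookie will be emitted on unauthenticated and startup-mode responses too — presumably intended, so the double-submit comparison against `XSRF-TOKEN` further down can succeed on the very first request, but worth stating. When the method is written it should only set the cookie if the request carries none, so the token is not rotated on every response and in-flight AJAX requests still holding the previous value keep validating, and the value should come from `os.urandom` (or an equivalent CSPRNG), never `random`. I'd put `# Issue the XSRF-TOKEN cookie before dispatch so the double-submit check works on the first request.` above the call. getChildWithDefault continues past the hunk.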
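Review bot: Moving `sandbox` from putChildProtected to putChildPublic in initialize exposes SandboxResource to unauthenticated clients, which is unrelated to the commit subject and not explained anywhere; if the reason is that the login page needs static assets before a session exists, record it in the commit message and on the line, e.g. `# public: static assets must be reachable before login`. Before making it public, confirm SandboxResource serves nothing derived from the session and that its static serving rejects path traversal, since the authentication gate was presumably the only thing standing between an anonymous request and `self._static_folder`. The same protected-to-public move is made for `logout` in the hunk at line 114 and needs its own justification. initialize continues past the hunk.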
@@ -114,7 +114,7 @@ class RootResource(BaseResource):
         self.putChildProtected('users', UsersResource(self._services_factory))
         self.putChildPublic(LoginResource.BASE_URL, LoginResource(self._services_factory, provider, disclaimer_banner=disclaimer_banner, authenticator=authenticator))
-        self.putChildProtected(LogoutResource.BASE_URL, LogoutResource(self._services_factory))
+        self.putChildPublic(LogoutResource.BASE_URL, LogoutResource(self._services_factory))
         self._inbox_resource.initialize()
         self._mode = MODE_RUNNING
-- 
cgit v1.2.3
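Review bot: Making `logout` public means an unauthenticated request now reaches LogoutResource directly, so it must handle a request with no session itself rather than relying on whatever putChildProtected did before, and the state-changing logout must stay behind the XSRF check — a logout reachable by a plain GET that anyone can link to lets a third-party page sign users out. I cannot see LogoutResource from here, so please confirm it rejects GET and tolerates a missing session instead of raising. If the motivation is that a stale or expired session should still be clearable, a one-line comment such as `# public so a stale session can still be cleared; must remain CSRF-checked` would record that. initialize's body starts outside the hunk.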