From b5d564b147807f289e07df4fe32b6f417ce90c98 Mon Sep 17 00:00:00 2001
From: Caio Carrara
Date: Mon, 27 Jun 2016 16:14:27 -0300
Subject: Csrf not being enforced on GET

---
 service/pixelated/resources/root_resource.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

(limited to 'service/pixelated/resources')

diff --git a/service/pixelated/resources/root_resource.py b/service/pixelated/resources/root_resource.py
index 6886dda6..f27138b0 100644
--- a/service/pixelated/resources/root_resource.py
+++ b/service/pixelated/resources/root_resource.py
@@ -66,17 +66,17 @@ class RootResource(BaseResource):
         return UnAuthorizedResource()
 
     def _is_xsrf_valid(self, request):
+        get_request = (request.method == 'GET')
+        if get_request:
+            return True
+
         xsrf_token = request.getCookie('XSRF-TOKEN')
         ajax_request = (request.getHeader('x-requested-with') == 'XMLHttpRequest')
         if ajax_request:
-            xsrf_header = xsrf_token or request.getHeader('x-xsrf-token')
+            xsrf_header = request.getHeader('x-xsrf-token')
             return xsrf_header and xsrf_header == xsrf_token
 
-        get_request = (request.method == 'GET')
-        if get_request:
-            return True
-
         csrf_input = request.args.get('csrftoken', [None])[0] or json.loads(request.content.read()).get('csrftoken', [None])[0]
         return csrf_input and csrf_input == xsrf_token
-- 
cgit v1.2.3
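Review bot: The unconditional `return True` for GET at the top of `_is_xsrf_valid` is only sound if no GET handler served under RootResource changes state, and nothing in the hunk records that contract; a comment such as `# GET is exempt from the token check: handlers must never mutate state on GET` would make it explicit, and note that HEAD and OPTIONS are not exempted and still fall through to the cookie/header comparison. The AJAX branch now correctly reads the header independently of the cookie (the old `xsrf_token or ...` made the check pass whenever the cookie existed), but the final `xsrf_header == xsrf_token` is a plain comparison that also accepts two empty strings; `return bool(xsrf_header and xsrf_token) and hmac.compare_digest(xsrf_header, xsrf_token)` (with `import hmac`) rejects empty values on both sides and removes the timing oracle. If this runs under Twisted on Python 3, `request.method` is bytes and the `'GET'` literal would never match, so every GET would be sent through the token check; worth confirming against the interpreter in use. The scheme remains a double-submit cookie, so anyone able to set a cookie for the domain (e.g. from a sibling subdomain) can forge both halves; binding the token to the session would close that, but it lies outside this hunk.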