Mercurial > p > roundup > code
diff doc/xmlrpc.txt @ 5220:14d8f61e6ef2
Reimplemented anti-csrf measures by raising exceptions rather than
returning booleans.
Redoing it using exceptions was the easiest way to return proper
xmlrpc fault messages to the clients.
Also this code should now properly make values set in the form
override values from the database. So no lost work under some
circumstances if the csrf requirements are not met.
Also this code does a better job of cleaning up old csrf tokens.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Wed, 05 Apr 2017 20:56:08 -0400 |
| parents | ade4bbc2716d |
| children | 198b6e810c67 |
line wrap: on
line diff
--- a/doc/xmlrpc.txt Mon Mar 27 23:04:30 2017 -0400 +++ b/doc/xmlrpc.txt Wed Apr 05 20:56:08 2017 -0400 @@ -140,8 +140,9 @@ '1' The one below adds Referer and X-Requested-With headers so it can pass -stronger CSRF detection methods. Note if you are using http rather -than https, replace xmlrpclib.SafeTransport with xmlrpclib.Transport:: +stronger CSRF detection methods. It also generates a fault message +from the server and reports it. Note if you are using http rather than +https, replace xmlrpclib.SafeTransport with xmlrpclib.Transport:: import xmlrpclib @@ -169,3 +170,9 @@ print roundup_server.display('user2', 'username') print roundup_server.display('issue1', 'status') print roundup_server.filter('user',['1','2','3'],{'username':'demo'}) + + # this will fail with a fault + try: + print roundup_server.filter('usr',['0','2','3'],{'username':'demo'}) + except Exception, msg: + print msg