fix!: remove relaxations for Cordova (#18728)
This commit is contained in:
parent
0175fafde3
commit
f20fa69282
2 changed files with 19 additions and 26 deletions
|
|
@ -12,13 +12,13 @@ from werkzeug.wrappers import Request, Response
|
|||
|
||||
import frappe
|
||||
import frappe.api
|
||||
import frappe.auth
|
||||
import frappe.handler
|
||||
import frappe.monitor
|
||||
import frappe.rate_limiter
|
||||
import frappe.recorder
|
||||
import frappe.utils.response
|
||||
from frappe import _
|
||||
from frappe.auth import SAFE_HTTP_METHODS, UNSAFE_HTTP_METHODS, HTTPRequest
|
||||
from frappe.core.doctype.comment.comment import update_comments_in_parent_after_request
|
||||
from frappe.middlewares import StaticDataMiddleware
|
||||
from frappe.utils import get_site_name, sanitize_html
|
||||
|
|
@ -29,8 +29,6 @@ local_manager = LocalManager(frappe.local)
|
|||
|
||||
_site = None
|
||||
_sites_path = os.environ.get("SITES_PATH", ".")
|
||||
SAFE_HTTP_METHODS = ("GET", "HEAD", "OPTIONS")
|
||||
UNSAFE_HTTP_METHODS = ("POST", "PUT", "DELETE", "PATCH")
|
||||
|
||||
|
||||
@local_manager.middleware
|
||||
|
|
@ -118,7 +116,7 @@ def init_request(request):
|
|||
make_form_dict(request)
|
||||
|
||||
if request.method != "OPTIONS":
|
||||
frappe.local.http_request = frappe.auth.HTTPRequest()
|
||||
frappe.local.http_request = HTTPRequest()
|
||||
|
||||
|
||||
def setup_read_only_mode():
|
||||
|
|
|
|||
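Review bot: The import line in the first hunk brings `SAFE_HTTP_METHODS` and `UNSAFE_HTTP_METHODS` into this module, yet none of the changed lines in this file use them, and I cannot see the rest of the module. If they are kept only so that `from frappe.app import UNSAFE_HTTP_METHODS` keeps working for existing callers, a trailing `# noqa: F401  # re-exported for backward compatibility` on that import would stop a later lint-driven cleanup from dropping them and silently breaking those callers. The constants-removal hunk and the `HTTPRequest()` change in init_request are otherwise a straightforward move to frappe.auth; init_request's body continues outside its hunk.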
|
|
@ -20,6 +20,9 @@ from frappe.utils import cint, date_diff, datetime, get_datetime, today
|
|||
from frappe.utils.password import check_password
|
||||
from frappe.website.utils import get_home_page
|
||||
|
||||
SAFE_HTTP_METHODS = frozenset(("GET", "HEAD", "OPTIONS"))
|
||||
UNSAFE_HTTP_METHODS = frozenset(("POST", "PUT", "DELETE", "PATCH"))
|
||||
|
||||
|
||||
class HTTPRequest:
|
||||
def __init__(self):
|
||||
|
|
@ -67,25 +70,21 @@ class HTTPRequest:
|
|||
frappe.local.login_manager = LoginManager()
|
||||
|
||||
def validate_csrf_token(self):
|
||||
if frappe.local.request and frappe.local.request.method in ("POST", "PUT", "DELETE"):
|
||||
if not frappe.local.session:
|
||||
return
|
||||
if (
|
||||
not frappe.local.session.data.csrf_token
|
||||
or frappe.local.session.data.device == "mobile"
|
||||
or frappe.conf.get("ignore_csrf", None)
|
||||
):
|
||||
# not via boot
|
||||
return
|
||||
if (
|
||||
not frappe.request
|
||||
or frappe.request.method not in UNSAFE_HTTP_METHODS
|
||||
or frappe.conf.ignore_csrf
|
||||
or not frappe.session
|
||||
or not (saved_token := frappe.session.data.csrf_token)
|
||||
or (
|
||||
(frappe.get_request_header("X-Frappe-CSRF-Token") or frappe.form_dict.pop("csrf_token", None))
|
||||
== saved_token
|
||||
)
|
||||
):
|
||||
return
|
||||
|
||||
csrf_token = frappe.get_request_header("X-Frappe-CSRF-Token")
|
||||
if not csrf_token and "csrf_token" in frappe.local.form_dict:
|
||||
csrf_token = frappe.local.form_dict.csrf_token
|
||||
del frappe.local.form_dict["csrf_token"]
|
||||
|
||||
if frappe.local.session.data.csrf_token != csrf_token:
|
||||
frappe.local.flags.disable_traceback = True
|
||||
frappe.throw(_("Invalid Request"), frappe.CSRFTokenError)
|
||||
frappe.flags.disable_traceback = True
|
||||
frappe.throw(_("Invalid Request"), frappe.CSRFTokenError)
|
||||
|
||||
def set_lang(self):
|
||||
frappe.local.lang = get_language()
|
||||
|
|
@ -354,10 +353,6 @@ class CookieManager:
|
|||
if not secure and hasattr(frappe.local, "request"):
|
||||
secure = frappe.local.request.scheme == "https"
|
||||
|
||||
# Cordova does not work with Lax
|
||||
if frappe.local.session.data.device == "mobile":
|
||||
samesite = None
|
||||
|
||||
self.cookies[key] = {
|
||||
"value": value,
|
||||
"expires": expires,
|
||||
|
|
|
|||
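Review bot: The token check in the rewritten validate_csrf_token compares the submitted and session tokens with plain `==`; for a secret comparison the defensive choice is constant time, e.g. `hmac.compare_digest(str(provided or ""), str(saved_token))` with `import hmac` added at the top of the file (assuming both tokens are ASCII strings, which is all compare_digest accepts for str). Replacing the hard-coded ("POST", "PUT", "DELETE") with UNSAFE_HTTP_METHODS also brings PATCH under CSRF validation, which the commit title does not mention — worth a line in the description, since session-authenticated PATCH clients that never sent a token will now receive CSRFTokenError. Readability-wise the single twelve-line or-chain mixes the exemption cases with the token match; an exemption guard followed by a separate comparison, introduced by `# CSRF validation applies only to unsafe, session-authenticated requests`, would make the policy easier to audit. The CookieManager hunk that drops the mobile samesite override looks fine.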