secret links: set csrf token for all requests with secret links
anikachurilova authored and kpsherva committed May 31, 2024
1 parent 121aa75 commit cfac803
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions invenio_rdm_records/utils.py
Expand Up @@ -106,6 +106,9 @@ def verify_token(identity):
data = SecretLink.load_token(token)
if data:
identity.provides.add(LinkNeed(data["id"]))
# In order for anonymous users with secret link to perform vulnerable HTTP requests
# ("POST", "PUT", "PATCH", "DELETE"), CSRF token must be set
request.csrf_cookie_needs_reset = True
session[secret_link_token_arg] = token
has_secret_link_token = True
except SignatureExpired:
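Review bot: the comment on the added lines describes the methods as "vulnerable HTTP requests"; "state-changing (non-safe) HTTP methods" says what is meant, since the point is that POST/PUT/PATCH/DELETE need a CSRF token while GET does not, and a comment naming which middleware consumes `request.csrf_cookie_needs_reset` (not visible in this hunk) would help the next reader. Two things to confirm: that `request` is imported in this module (the hunk shows only the use), and that setting the flag unconditionally on every request that carries a valid secret link is intended, since it resets the CSRF cookie on each such request rather than only when no cookie is present; if churn matters, guard it with a check that the cookie is missing. Placement inside `if data:` is right, so the reset only happens for tokens that actually load.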
