Commits · branch/default · cubicweb / cubes / rqlcontroller

11 Aug, 2021 1 commit

fix: on /rqlio, csrf is activaved only on multipart/form-data · 42202cdd7c57

Laurent Peuch authored Aug 11, 2021

POST for application/json are safe from csrf but not multipart/form-data.
CSRF protection is thus disabled on application/json (no matter the authentications method).

For multipart/form-data, there are 3 usecases:

1. multipart/form-data authenticated by cookies (webrowser), this requires
csrf and this is handled by MultipartRqlIOController.
2. multipart/form-data anon user, this does not require csrf and this in
handled by AnonMultipartRqlIOController
3. multipart/form-data authenticated with authorization, this does not
requires csrf as there is an authentification. This is not handled here
but in signed-request that implements the authentification.

42202cdd7c57

25 Sep, 2020 1 commit
- docs(README): move to .rst extension · 3a453040e51b
  Laurent Peuch authored Sep 25, 2020
  
  3a453040e51b
12 Mar, 2014 3 commits
- Fix typos/inconsistencies in README · 0e7061d80686
  Julien Cristau authored Mar 12, 2014
  
  0e7061d80686
- Version the API · 94f0cbf1c927
  Julien Cristau authored Mar 12, 2014
```
Lets us extend it later without breaking clients.
```
  94f0cbf1c927
- [doc] add some input/ output documentation for the service · df054c34f122
  Florent Cayré authored Mar 12, 2014
```
Related to #3639007.
```
  df054c34f122
13 Dec, 2013 1 commit
- empty cube · 81c7c3341e1a
  Aurelien Campeas authored Dec 13, 2013
  
  81c7c3341e1a