pylons.decorators.secure – Secure Decorators

Security related decorators

Module Contents

pylons.decorators.secure.authenticate_form(func)

Decorator for authenticating a form

This decorator uses an authorization token stored in the client’s session to prevent certain Cross-site request forgery (CSRF) attacks (see http://en.wikipedia.org/wiki/Cross-site_request_forgery for more information).

For use with the webhelpers.html.secure_form helper functions.

pylons.decorators.secure.https(url_or_callable=None)

Decorator to redirect to the SSL version of a page if not currently using HTTPS. Apply this decorator to controller methods (actions).

Takes a url argument: either a string URL, or a callable returning a string URL. The callable is called with no arguments when the decorated method is invoked. The URL’s scheme is rewritten to https if necessary.

Non-HTTPS POST requests are aborted (405 response code) by this decorator.

Example:

# redirect to HTTPS /pylons
@https('/pylons')
def index(self):
    do_secure()

# redirect to HTTPS /auth/login, delaying the url() call until
# later (as the url object may not be functional when the
# decorator/method are defined)
@https(lambda: url(controller='auth', action='login'))
def login(self):
    do_secure()

# redirect to HTTPS version of myself
@https()
def get(self):
    do_secure()
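The decision logic of https() described above, as an added stand-alone model that is not Pylons’ own code: the Request class, HTTPResponse exception and call() helper are constructed here so it runs without Pylons, and a target URL with no host is assumed to take the host of the current request (the page only says the scheme is rewritten).

```python
from dataclasses import dataclass
from functools import wraps
from urllib.parse import urlsplit, urlunsplit

@dataclass
class Request:
    """Minimal stand-in for the Pylons request (constructed for this example)."""
    scheme: str  # "http" or "https"
    method: str  # "GET", "POST", ...
    host: str    # borrowed when the target URL has no host (an assumption)
    url: str     # absolute URL of the current request

class HTTPResponse(Exception):
    """Short-circuits the action, as Pylons' redirect()/abort() do."""
    def __init__(self, status, location=None):
        super().__init__(status)
        self.status, self.location = status, location

def https(url_or_callable=None):
    """Redirect non-HTTPS requests to the HTTPS target; refuse non-HTTPS POSTs."""
    def decorator(func):
        @wraps(func)
        def wrapper(request, *args, **kwargs):
            if request.scheme.lower() == "https":
                return func(request, *args, **kwargs)
            if request.method.upper() == "POST":
                # A body already sent in the clear is not replayed via redirect.
                raise HTTPResponse(405)
            if url_or_callable is None:
                target = request.url          # HTTPS version of myself
            elif callable(url_or_callable):
                target = url_or_callable()    # deferred url() lookup
            else:
                target = url_or_callable
            parts = urlsplit(target)
            location = urlunsplit(("https", parts.netloc or request.host) + parts[2:])
            raise HTTPResponse(302, location)
        return wrapper
    return decorator

def call(action, request):
    """Run an action; return (status, redirect location or action result)."""
    try:
        return 200, action(request)
    except HTTPResponse as resp:
        return resp.status, resp.location

@https("/pylons")
def index(request):
    return "secure index"
```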