- op = getattr(self, 'root', None)
- if callable(op):
- return op(*args, **kwargs)
+ if self._is_form_page:
+ self._debug("method: %s" % cherrypy.request.method)
+ op = getattr(self, cherrypy.request.method, None)
+ if callable(op):
+ # Basic CSRF protection
+ if cherrypy.request.method != 'GET':
+ url = cherrypy.url(relative=False)
+ if 'referer' not in cherrypy.request.headers:
+ self._debug("Missing referer in %s request to %s"
+ % (cherrypy.request.method, url))
+ raise cherrypy.HTTPError(403)
+ referer = cherrypy.request.headers['referer']
+ if not self._compare_urls(referer, url):
+ self._debug("Wrong referer %s in request to %s"
+ % (referer, url))
+ raise cherrypy.HTTPError(403)
+ return op(*args, **kwargs)
+ else:
+ op = getattr(self, 'root', None)
+ if callable(op):
+ return op(*args, **kwargs)
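Review bot: The lookup `getattr(self, cherrypy.request.method, None)` takes the attribute name straight from the request line, so on a form page any callable attribute of the object whose name matches the method token is treated as a handler, not just the intended verb methods. Checking the method against a fixed set before the lookup, for example `if cherrypy.request.method not in ('GET', 'POST'): raise cherrypy.HTTPError(405)`, would close that off; the exact set depends on which verbs the form pages implement, which is not visible here. The Referer comparison is, as the comment says, only basic CSRF protection: its strength depends on how strictly `_compare_urls` matches (not shown in this hunk), and clients that strip the Referer header will get a 403 on every non-GET request, so a per-session token would be a sturdier follow-up. The referer value is also written to the debug log as received, so formatting it with `%r` would keep control characters out of the log. The enclosing method starts and ends outside the hunk.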