updates

2025-11-29 14:49:53 +02:00
parent 041890f32e
commit 4c15d90a6a
3 changed files with 47 additions and 0 deletions
--- a/backEnd/contact/views.py
+++ b/backEnd/contact/views.py
@@ -62,6 +62,15 @@ class ContactSubmissionViewSet(viewsets.ModelViewSet):
            permission_classes = [IsAuthenticated]
        return [permission() for permission in permission_classes]
    
+    def get_authenticators(self):
+        """
+        Override authentication for create action to bypass CSRF.
+        By returning an empty list, DRF won't enforce CSRF for this action.
+        """
+        if hasattr(self, 'action') and self.action == 'create':
+            return []
+        return super().get_authenticators()
+    
    def create(self, request, *args, **kwargs):
        """
        Create a new contact submission.
--- a/backEnd/gnx/middleware/csrf_exempt.py
+++ b/backEnd/gnx/middleware/csrf_exempt.py
@@ -0,0 +1,37 @@
+"""
+CSRF Exemption Middleware
+Exempts CSRF checks for specific public API endpoints that don't require authentication.
+"""
+
+from django.utils.deprecation import MiddlewareMixin
+import re
+
+
+class CSRFExemptMiddleware(MiddlewareMixin):
+    """
+    Middleware to exempt CSRF for public API endpoints.
+    Runs before CSRF middleware to set the exemption flag.
+    """
+    
+    # Paths that should be exempt from CSRF (public endpoints)
+    # Patterns match both with and without trailing slashes
+    EXEMPT_PATHS = [
+        r'^/api/contact/submissions/?$',  # Contact form submission
+        r'^/api/career/applications/?$',  # Job application submission (if needed)
+        r'^/api/support/tickets/?$',      # Support ticket creation (if needed)
+    ]
+    
+    def process_request(self, request):
+        """
+        Set CSRF exemption flag for matching paths.
+        """
+        if request.method == 'POST':
+            path = request.path
+            for pattern in self.EXEMPT_PATHS:
+                if re.match(pattern, path):
+                    # Set flag to bypass CSRF check
+                    setattr(request, '_dont_enforce_csrf_checks', True)
+                    break
+        
+        return None
+
--- a/backEnd/gnx/settings.py
+++ b/backEnd/gnx/settings.py
@@ -68,6 +68,7 @@ MIDDLEWARE = [
    'gnx.middleware.api_security.FrontendAPIProxyMiddleware',  # Validate requests from frontend/nginx
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
+    'gnx.middleware.csrf_exempt.CSRFExemptMiddleware',  # Exempt CSRF for public API endpoints
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',