diff --git a/remarkbox/views/authentication.py b/remarkbox/views/authentication.py
index 7216fdb..90b9464 100644
--- a/remarkbox/views/authentication.py
+++ b/remarkbox/views/authentication.py
@@ -17,7 +17,10 @@ def log_out(request):
     return HTTPFound(uri)
 
 
-@view_config(route_name="embed-join-or-log-in", renderer="join-or-log-in.j2")
+# disable CSRF checking for iframe embedded version of this view.
+# If a client has 3rd party cookies disabled this security feature causes
+# more trouble then it helps, essentially blocking unauthenticated users.
+@view_config(route_name="embed-join-or-log-in", renderer="join-or-log-in.j2", require_csrf=False)
 @view_config(route_name="basic-join-or-log-in", renderer="join-or-log-in.j2")
 def join_or_log_in(request):
     """
diff --git a/remarkbox/views/reply_node.py b/remarkbox/views/reply_node.py
index 90b5163..0c1af34 100644
--- a/remarkbox/views/reply_node.py
+++ b/remarkbox/views/reply_node.py
@@ -1,5 +1,7 @@
 from pyramid.view import view_config
 
+from pyramid.csrf import check_csrf_token
+
 from pyramid.httpexceptions import HTTPFound
 
 from . import (
@@ -12,10 +14,11 @@ from . import (
 from remarkbox.lib.notify import schedule_notifications
 
 
-@view_config(route_name="embed-reply")
-@view_config(route_name="embed-reply2")
-@view_config(route_name="basic-reply")
-@view_config(route_name="basic-reply2")
+# check CSRF only if user is authenticated.
+@view_config(route_name="embed-reply", require_csrf=False)
+@view_config(route_name="embed-reply2", require_csrf=False)
+@view_config(route_name="basic-reply", require_csrf=False)
+@view_config(route_name="basic-reply2", require_csrf=False)
 def reply_node(request):
     """handle posting of reply form from show-node pages."""
     thread_data = request.params.get("thread_data", "")
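Review bot: The docstring `"""handle posting of reply form from show-node pages."""` does not say that all four routes now opt out of Pyramid's automatic CSRF check and re-verify the token by hand only for authenticated users, which a reader of the decorators alone cannot tell. Suggest extending it with a second paragraph along the lines of `Routes are registered with require_csrf=False; the token is checked in the body only when request.user.authenticated is true, so anonymous replies are accepted from any origin.` The comment on the decorator stack is repeated verbatim inside the body in the next hunk; one of the two is enough. The function body continues outside the hunk.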
@@ -42,6 +45,10 @@ def reply_node(request):
         )
         return HTTPFound(get_referer_or_home(request))
 
+    # check CSRF only if user is authenticated.
+    if request.user.authenticated:
+        check_csrf_token(request)
+
     # flash error and return early if data is empty.
     if thread_data == "":
         request.session.flash(("Your message was empty", "error"))
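Review bot: The manual `check_csrf_token(request)` call runs only after the branch that ends in `return HTTPFound(get_referer_or_home(request))` two lines above it, so whatever that earlier path does for an authenticated user (its condition is outside the hunk) completes before the token is verified; moving the `if request.user.authenticated: check_csrf_token(request)` guard to the top of reply_node, directly after `thread_data` is read, keeps every state-changing path behind the check. If `request.user` can be None for anonymous requests, which this hunk does not show, the attribute access raises before the anonymous path is reached, so a guard such as `if request.user is not None and request.user.authenticated:` would be safer. `check_csrf_token` raises `BadCSRFToken` on mismatch, so the docstring should mention that callers get a 400-class response rather than a flash message in that case. The function body continues outside the hunk.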