From a1d0b8402e36e3f1df9bb2005136ca0426d91d51 Mon Sep 17 00:00:00 2001 From: fr33domlover Date: Sun, 1 Jul 2018 15:04:33 +0000 Subject: [PATCH] Disable CSRF token check for HTTP git pull Git pull uses a POST request, which is treated as a write request and the CSRF token is checked. However, no modification to the server is made by git pulls, as far as I know (actually I'm not sure why it uses a POST). The entire response is handled by the git command, and the client side is usually the git command running in the terminal, there's no session and no cookies (as far as I know). So I'm just disabling CSRF token checking for this route. --- src/Vervis/Foundation.hs | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/src/Vervis/Foundation.hs b/src/Vervis/Foundation.hs index 85063a6..9ad8075 100644 --- a/src/Vervis/Foundation.hs +++ b/src/Vervis/Foundation.hs @@ -109,10 +109,21 @@ instance Yesod App where -- a) Sets a cookie with a CSRF token in it. -- b) Validates that incoming write requests include that token in either a header or POST parameter. -- For details, see the CSRF documentation in the Yesod.Core.Handler module of the yesod-core package. - yesodMiddleware = - defaultCsrfMiddleware . + yesodMiddleware -- sslOnlyMiddleware 120 . - defaultYesodMiddleware + = defaultCsrfSetCookieMiddleware + . (\ handler -> + csrfCheckMiddleware + handler + (getCurrentRoute >>= \ mr -> case mr of + Nothing -> return False + Just (GitUploadRequestR _ _) -> return False + Just r -> isWriteRequest r + ) + defaultCsrfHeaderName + defaultCsrfParamName + ) + . defaultYesodMiddleware defaultLayout widget = do master <- getYesod
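Review bot: The `Just (GitUploadRequestR _ _) -> return False` branch makes the CSRF guarantee for this route depend on an invariant that nothing in the diff enforces or records: the handler behind `GitUploadRequestR` must never change server state. The commit message itself hedges this with "as far as I know", so please add a comment next to the branch (and ideally at the handler) stating that the route is exempt from the CSRF check because it is read-only, so a later change that adds a side effect to that handler is caught in review. For the reader's benefit, the reason the pull is a POST is that git's smart HTTP protocol sends the want/have negotiation in the request body to upload-pack; it is not a write in the application sense. Two smaller points: the `Nothing -> return False` arm matches what `defaultCsrfMiddleware` does for unmatched routes, which is good, but the inline lambda with a `case` inside `yesodMiddleware` is hard to read and the commented-out `-- sslOnlyMiddleware 120 .` now sits between `yesodMiddleware` and its `=`; pulling the predicate out into a named top-level helper (for example something like `isCsrfProtectedRoute`, a suggested name) would keep the route-exemption list in one obvious place and make the pipeline read as `defaultCsrfSetCookieMiddleware . csrfCheckWith isCsrfProtectedRoute . defaultYesodMiddleware`. Overriding `isWriteRequest` in the `Yesod` instance instead would also work, but note that `isWriteRequest` feeds the `isAuthorized` flag too, so the explicit predicate here is the safer choice unless that coupling is intended.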