Also handle CSRF token provided by header

ome · Dec 12, 2022 · c61e6aa · c61e6aa
1 parent 6e2a45b
commit c61e6aa
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/omeroweb/webgateway/views.py b/omeroweb/webgateway/views.py
@@ -3397,12 +3397,16 @@ def post(self, request, api_version=None):
                     )
                 else:
                     error = settings.LOGIN_INCORRECT_CREDENTIALS_TEXT
-        elif "connector" in request.session and len(form.data) == 1:
+        elif "connector" in request.session and (
+            len(form.data) == 0
+            or ("csrfmiddlewaretoken" in form.data and len(form.data) == 1)
+        ):
             # If we appear to already be logged in and the form we've been
             # provided is empty repeat the "logged in" behaviour so a user
             # can get their event context.  A form with length 1 is considered
             # empty as a valid CSRF token is required to even get into this
-            # method.
+            # method.  The CSRF token may also have been provided via HTTP
+            # header in which case the form length will be 0.
             connector = request.session["connector"]
             # Do not allow retrieval of the event context of the public user
             if not connector.is_public: