From f2314769da8d488fbb305996bb23ca44ddd44338 Mon Sep 17 00:00:00 2001
From: Eric Radman
Date: Fri, 14 Feb 2025 08:40:36 -0500
Subject: [PATCH] Partiallly Revert "Remove workaround from check_csrf() (#6919)"

This workaround was missing 'if view is not None ' as found in https://github.com/pallets-eco/flask-wtf/pull/419/files

Tested with MULTI_ORG enabled.
---
 redash/security.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/redash/security.py b/redash/security.py
index c123abbf13..f95c839fd6 100644
--- a/redash/security.py
+++ b/redash/security.py
@@ -1,6 +1,6 @@
 import functools
-from flask import session
+from flask import request, session
 from flask_login import current_user
 from flask_talisman import talisman
 from flask_wtf.csrf import CSRFProtect, generate_csrf
@@ -35,6 +35,15 @@ def inject_csrf_token(response):
 @app.before_request
 def check_csrf():
+ # BEGIN workaround until https://github.com/lepture/flask-wtf/pull/419 is merged
+ if request.blueprint in csrf._exempt_blueprints:
+ return
+
+ view = app.view_functions.get(request.endpoint)
+ if view is not None and f"{view.__module__}.{view.__name__}" in csrf._exempt_views:
+ return
+ # END workaround
+
 if not current_user.is_authenticated or "user_id" in session:
 csrf.protect()
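Review bot: The re-added exemption shortcut in check_csrf() depends on two private CSRFProtect attributes, `csrf._exempt_blueprints` and `csrf._exempt_views`, and on the exact `"module.name"` key format that flask-wtf's own exempt() registration appears to use, so a flask-wtf upgrade that renames either attribute or changes the key format would break exemptions at request time (an AttributeError on every request, or exempt endpoints silently starting to receive 400s) with nothing in this hunk to catch it. Since the commit relies on manual testing with MULTI_ORG, a regression test that hits one `csrf.exempt`-marked view and one unexempted view without a token and asserts the first succeeds while the second is rejected would pin the behaviour this workaround exists for and fail loudly on the next upgrade. The comment on the first added line should also mark the contract it assumes, e.g. `# BEGIN workaround until https://github.com/pallets-eco/flask-wtf/pull/419 is merged; mirrors CSRFProtect's private exemption sets, so re-verify on every flask-wtf bump`, which additionally fixes the mismatch between the `lepture/` URL in the code and the `pallets-eco/` URL in the commit message. The enclosing function that defines check_csrf() starts outside the hunk.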