authorTom Christie2011-12-14 20:19:17 +0000
committerTom Christie2011-12-14 20:19:17 +0000
commit8cabab2703be3a2e21e79b945659a7b14df89e71 (patch)
tree6ddac818bcbae70d9001f4920bf87d67223fcd68
parent67b13bd1bc79590b5dcc3f9e2b99c43be91e00eb (diff)
downloaddjango-rest-framework-8cabab2703be3a2e21e79b945659a7b14df89e71.tar.bz2
CSRF for non-dict like .DATA. Fixes #85
-rw-r--r--djangorestframework/authentication.py27
1 files changed, 18 insertions, 9 deletions
diff --git a/djangorestframework/authentication.py b/djangorestframework/authentication.py
index 806021fe..0a3c1bd8 100644
--- a/djangorestframework/authentication.py
+++ b/djangorestframework/authentication.py
@@ -88,18 +88,27 @@ class UserLoggedInAuthentication(BaseAuthentication):
Returns a :obj:`User` if the request session currently has a logged in user.
Otherwise returns :const:`None`.
"""
- # TODO: Switch this back to request.POST, and let FormParser/MultiPartParser deal with the consequences.
+ # TODO: Might be cleaner to switch this back to using request.POST,
+ # and let FormParser/MultiPartParser deal with the consequences.
if getattr(request, 'user', None) and request.user.is_active:
- # If this is a POST request we enforce CSRF validation.
+ # Enforce CSRF validation for session based authentication.
+
+ # Temporarily replace request.POST with .DATA, to use our generic parsing.
+ # If DATA is not dict-like, use an empty dict.
+ if request.method.upper() == 'POST':
+ if hasattr(self.view.DATA, 'get'):
+ request._post = self.view.DATA
+ else:
+ request._post = {}
+
+ resp = CsrfViewMiddleware().process_view(request, None, (), {})
+
+ # Replace request.POST
if request.method.upper() == 'POST':
- # Temporarily replace request.POST with .DATA,
- # so that we use our more generic request parsing
- request._post = self.view.DATA
- resp = CsrfViewMiddleware().process_view(request, None, (), {})
del(request._post)
- if resp is not None: # csrf failed
- return None
- return request.user
+
+ if resp is None: # csrf passed
+ return request.user
return None
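Review bot: The temporary `request._post` swap added at the first `if request.method.upper() == 'POST':` is not exception-safe: if `CsrfViewMiddleware().process_view(...)` raises, the `del(request._post)` under the second method check is skipped and the request keeps the view's DATA as its POST for the rest of the request cycle. Wrapping the middleware call in `try`/`finally` restores it on every path and lets the two identical method checks collapse into one; `del(request._post)` also reads like a function call, and `del request._post` is the statement form. The `{}` fallback when DATA has no `.get` means a non-form body can only satisfy the check via the CSRF header, which the middleware consults when the token is absent from POST — a comment saying so would stop a later reader from mistaking it for a bypass. If `.DATA` parses the body lazily, as its use here suggests, the `hasattr(self.view.DATA, 'get')` access may itself raise before the CSRF check runs; that is worth confirming against the view. The enclosing method starts before this hunk.
```python
if request.method.upper() == 'POST':
    # Non-dict bodies cannot carry csrfmiddlewaretoken; the middleware then
    # falls back to the CSRF header, so this is stricter, not a bypass.
    request._post = self.view.DATA if hasattr(self.view.DATA, 'get') else {}
try:
    resp = CsrfViewMiddleware().process_view(request, None, (), {})
finally:
    # Always restore request.POST, even when the check raised.
    if request.method.upper() == 'POST':
        del request._post
# … unchanged: return request.user when resp is None, else None …
```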