authortom christie tom@tomchristie.com2011-04-26 21:08:36 +0100
committertom christie tom@tomchristie.com2011-04-26 21:08:36 +0100
commitb508ca38d44f458e3eabaa4ffd3500d80a71eb9e (patch)
tree7f4e5571d6802cb4d2335ebae3ab6ce9b2952a07
parentda7d49a3846904b90a320d67135c04e1487d3097 (diff)
CSRF validation will only be applied to POST requests, so let's only load .RAW_CONTENT in those cases
-rw-r--r--djangorestframework/authenticators.py18
1 files changed, 11 insertions, 7 deletions
diff --git a/djangorestframework/authenticators.py b/djangorestframework/authenticators.py
index 0d267b64..82d19779 100644
--- a/djangorestframework/authenticators.py
+++ b/djangorestframework/authenticators.py
@@ -80,14 +80,18 @@ class BasicAuthenticator(BaseAuthenticator):
class UserLoggedInAuthenticator(BaseAuthenticator):
- """Use Djagno's built-in request session for authentication."""
+ """Use Django's built-in request session for authentication."""
def authenticate(self, request):
if getattr(request, 'user', None) and request.user.is_active:
- # Temporarily request.POST with .RAW_CONTENT, so that we use our more generic request parsing
- request._post = self.mixin.RAW_CONTENT
- resp = CsrfViewMiddleware().process_view(request, None, (), {})
- del(request._post)
- if resp is None: # csrf passed
- return request.user
+ # If this is a POST request we enforce CSRF validation.
+ if request.method.upper() == 'POST':
+ # Temporarily replace request.POST with .RAW_CONTENT,
+ # so that we use our more generic request parsing
+ request._post = self.mixin.RAW_CONTENT
+ resp = CsrfViewMiddleware().process_view(request, None, (), {})
+ del(request._post)
+ if resp is not None: # csrf failed
+ return None
+ return request.user
return None
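Review bot: Gating the CSRF check on `if request.method.upper() == 'POST':` means a session-authenticated PUT or DELETE now passes through UserLoggedInAuthenticator with no CSRF enforcement at all, although those methods change state just as a POST does. Django's CsrfViewMiddleware only treats GET, HEAD, OPTIONS and TRACE as safe, so the guard should mirror that set rather than single out POST: `if request.method.upper() not in ('GET', 'HEAD', 'OPTIONS', 'TRACE'):`. Separately, `del(request._post)` runs only if `process_view` returns normally; wrapping the middleware call in `try`/`finally` would make sure the substituted `_post` is always restored, since a request object left with RAW_CONTENT in place would be visible to later handlers.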