| author | tom christie tom@tomchristie.com | 2011-02-19 10:26:27 +0000 |
|---|---|---|
| committer | tom christie tom@tomchristie.com | 2011-02-19 10:26:27 +0000 |
| commit | 805aa03ec1871f6a766d9052b348ddce9e9843c3 (patch) | |
| tree | 8ab5b6a7396236aa45bbc61e8404cc77fc75a9c5 /djangorestframework/authenticators.py | |
| parent | b749b950a1b4bede76b7e3900a6385779904902d (diff) | |
Yowzers. Final big bunch of refactoring for 0.1 release. Now support Django 1.3's views, admin style api is all polished off, loads of tests, new test project for running the test. All sorts of goodness. Getting ready to push this out now.
Diffstat (limited to 'djangorestframework/authenticators.py')
| -rw-r--r-- | djangorestframework/authenticators.py | 38 |
1 files changed, 32 insertions, 6 deletions
diff --git a/djangorestframework/authenticators.py b/djangorestframework/authenticators.py
index 24addb22..85ba9f11 100644
--- a/djangorestframework/authenticators.py
+++ b/djangorestframework/authenticators.py
@@ -1,17 +1,41 @@ from django.contrib.auth import authenticate +from django.middleware.csrf import CsrfViewMiddleware +from djangorestframework.utils import as_tuple import base64 + +class AuthenticatorMixin(object): + authenticators = None + + def authenticate(self, request): + """Attempt to authenticate the request, returning an authentication context or None. + An authentication context may be any object, although in many cases it will be a User instance.""" + + # Attempt authentication against each authenticator in turn, + # and return None if no authenticators succeed in authenticating the request. + for authenticator in as_tuple(self.authenticators): + auth_context = authenticator(self).authenticate(request) + if auth_context: + return auth_context + + return None + + class BaseAuthenticator(object): """All authenticators should extend BaseAuthenticator.""" - def __init__(self, resource): - """Initialise the authenticator with the Resource instance as state, - in case the authenticator needs to access any metadata on the Resource object.""" - self.resource = resource + def __init__(self, mixin): + """Initialise the authenticator with the mixin instance as state, + in case the authenticator needs to access any metadata on the mixin object.""" + self.mixin = mixin def authenticate(self, request): """Authenticate the request and return the authentication context or None. + An authentication context might be something as simple as a User object, or it might + be some more complicated token, for example authentication tokens which are signed + against a particular set of permissions for a given user, over a given timeframe. + The default permission checking on Resource will use the allowed_methods attribute for permissions if the authentication context is not None, and use anon_allowed_methods otherwise. 
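Review bot: In `AuthenticatorMixin.authenticate` the success test is `if auth_context:`, but the docstrings in this hunk define failure as `None` and say a context may be any object, so a valid context that happens to be falsy (an empty token mapping, for instance) would be treated as unauthenticated. `if auth_context is not None:` matches that contract and the "is not None" permission check described in the `BaseAuthenticator.authenticate` docstring. Because a `None` result simply moves on to the next authenticator, a request whose credentials one authenticator rejected is handled the same as a request that sent none; if that is intended, the mixin docstring should say so. The `BaseAuthenticator.authenticate` docstring continues past the end of the hunk.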
@@ -38,7 +62,9 @@ class BasicAuthenticator(BaseAuthenticator): class UserLoggedInAuthenticator(BaseAuthenticator): """Use Djagno's built-in request session for authentication.""" def authenticate(self, request): - if getattr(request, 'user', None) and request.user.is_active: - return request.user + if getattr(request, 'user', None) and request.user.is_active: + resp = CsrfViewMiddleware().process_view(request, None, (), {}) + if resp is None: # csrf passed + return request.user return None |
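Review bot: When the CSRF check fails in `UserLoggedInAuthenticator.authenticate`, the rejection response returned by `process_view` is discarded and the method returns `None`, so a session request without a valid token is downgraded to anonymous rather than refused, and nothing records that it happened. Authenticated-only methods stay protected, but anything the resource allows anonymously still runs. A comment such as `# CSRF failed: ignore the session and treat the request as anonymous` would make the choice explicit, and a log line at that point would help when tracing rejected requests. Which HTTP methods are checked is decided inside Django's `CsrfViewMiddleware`, so a test is worth adding to confirm that session-authenticated PUT and DELETE requests without a token are also treated as anonymous on the supported Django versions.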
