| author | Danilo Bargen | 2014-06-02 00:41:58 +0200 |
|---|---|---|
| committer | Danilo Bargen | 2014-09-23 14:16:08 +0200 |
| commit | b187f53453d3885cd918f5f9f4490bcc8e3e2410 (patch) | |
| tree | e7c44584ebbd6e39736a8e782df5730cb6052422 /rest_framework/authentication.py | |
| parent | 5d80f7f932bfcc0630ac0fdbf07072a53197b98f (diff) | |
| download | django-rest-framework-b187f53453d3885cd918f5f9f4490bcc8e3e2410.tar.bz2 | |
Changed return status for CSRF failures to HTTP 403
By default, Django returns "HTTP 403 Forbidden" responses when CSRF
validation fails[1]. A CSRF failure is a case of authorization, not of
authentication. Therefore `PermissionDenied` should be raised instead
of `AuthenticationFailed`.
[1] https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#rejected-requests
Diffstat (limited to 'rest_framework/authentication.py')
| -rw-r--r-- | rest_framework/authentication.py | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/rest_framework/authentication.py b/rest_framework/authentication.py
index f3fec05e..36d74dd9 100644
--- a/rest_framework/authentication.py
+++ b/rest_framework/authentication.py
@@ -129,7 +129,7 @@ class SessionAuthentication(BaseAuthentication):
 reason = CSRFCheck().process_view(request, None, (), {})
 if reason:
 # CSRF failed, bail with explicit error message
- raise exceptions.AuthenticationFailed('CSRF Failed: %s' % reason)
+ raise exceptions.PermissionDenied('CSRF Failed: %s' % reason)
 class TokenAuthentication(BaseAuthentication): |
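Review bot: The comment above the changed `raise` still reads "bail with explicit error message" and says nothing about why the exception class matters, so the next reader has no hint that a CSRF failure is deliberately reported as a 403 permission error rather than an authentication failure; I would change it to `# CSRF failed: reject as a permission error (403), not an authentication failure — the session user is valid, the request is not`. It is also worth a short note that the `reason` string returned by `CSRFCheck().process_view` is interpolated verbatim into the client-visible error detail; this is Django's own rejection text, so it presumably discloses nothing beyond what Django's stock 403 page would, but anyone who later wraps or customizes `CSRFCheck` should know the text goes to the client. The enclosing `enforce_csrf` method starts outside the hunk, so I have not verified whether its docstring already covers the 403 behaviour.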
