authorTom Christie2014-09-11 13:20:44 +0100
committerTom Christie2014-09-11 13:20:44 +0100
commitde301f3b6647e1c79a506405a88071ef977418d1 (patch)
tree407f3497b422f334b47088b0bb35d39a8a3a520a /rest_framework/views.py
parent80ba0473473501968154c5cc5dd5922e53d96a70 (diff)
parent015a8122c7738dd8913939b42d3f0ec932d88711 (diff)
Merge master
Diffstat (limited to 'rest_framework/views.py')
-rw-r--r--rest_framework/views.py10
1 files changed, 6 insertions, 4 deletions
diff --git a/rest_framework/views.py b/rest_framework/views.py
index 079e9285..3b7b1c16 100644
--- a/rest_framework/views.py
+++ b/rest_framework/views.py
@@ -108,7 +108,9 @@ class APIView(View):
"""
view = super(APIView, cls).as_view(**initkwargs)
view.cls = cls
- return view
+ # Note: session based authentication is explicitly CSRF validated,
+ # all other authentication is CSRF exempt.
+ return csrf_exempt(view)
@property
def allowed_methods(self):
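Review bot: The comment added above `return csrf_exempt(view)` states the policy but not the precondition that makes it safe. The exemption is now unconditional for every view built through `as_view`, so it holds only if each non-session authentication class takes an explicit credential (a header or token) and not one the browser attaches on its own. A custom authentication class that reads a cookie would presumably get no CSRF validation at all. I would extend the comment with `# Custom authentication that relies on cookies or other ambient credentials must enforce CSRF itself.` The body of `as_view` starts outside the hunk.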
@@ -376,9 +378,9 @@ class APIView(View):
response.exception = True
return response
- # Note: session based authentication is explicitly CSRF validated,
- # all other authentication is CSRF exempt.
- @csrf_exempt
+ # Note: Views are made CSRF exempt from within `as_view` as to prevent
+ # accidental removal of this exemption in cases where `dispatch` needs to
+ # be overridden.
def dispatch(self, request, *args, **kwargs):
"""
`.dispatch()` is pretty much the same as Django's regular dispatch,
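Review bot: The replacement comment above `dispatch` explains why the decorator moved, but not what an overriding `dispatch` must still do. With the view exempted in `as_view`, the only CSRF check left for session requests is the explicit one the earlier comment refers to, which presumably runs during authentication. An override that skips that step would then serve cookie-authenticated requests unchecked. I would add `# Overrides must still run authentication; that is where session requests are CSRF validated.`, and "as to prevent" reads better as "so as to prevent". The body of `dispatch` continues outside the hunk.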