| -rw-r--r-- | djangorestframework/authentication.py | 17 | ||||
| -rw-r--r-- | djangorestframework/status.py | 1 | ||||
| -rw-r--r-- | djangorestframework/templatetags/add_query_param.py | 2 | ||||
| -rw-r--r-- | djangorestframework/tests/authentication.py | 18 | ||||
| -rw-r--r-- | examples/permissionsexample/views.py | 23 |
5 files changed, 33 insertions, 28 deletions
diff --git a/djangorestframework/authentication.py b/djangorestframework/authentication.py
index b61af32a..f46a9c46 100644
--- a/djangorestframework/authentication.py
+++ b/djangorestframework/authentication.py
@@ -87,25 +87,12 @@ class UserLoggedInAuthentication(BaseAuthentication):
 Returns a :obj:`User` if the request session currently has a logged in user. Otherwise returns :const:`None`. """
- # TODO: Might be cleaner to switch this back to using request.POST,
- # and let FormParser/MultiPartParser deal with the consequences.
+ self.view.DATA # Make sure our generic parsing runs first
+ if getattr(request, 'user', None) and request.user.is_active: # Enforce CSRF validation for session based authentication.
-
- # Temporarily replace request.POST with .DATA, to use our generic parsing.
- # If DATA is not dict-like, use an empty dict.
- if request.method.upper() == 'POST':
- if hasattr(self.view.DATA, 'get'):
- request._post = self.view.DATA
- else:
- request._post = {}
- resp = CsrfViewMiddleware().process_view(request, None, (), {})
- # Replace request.POST
- if request.method.upper() == 'POST':
- del(request._post)
- if resp is None: # csrf passed
 return request.user
 return None
diff --git a/djangorestframework/status.py b/djangorestframework/status.py
index 9e2ef54c..684c9b38 100644
--- a/djangorestframework/status.py
+++ b/djangorestframework/status.py
@@ -5,7 +5,6 @@ See RFC 2616 - Sec 10: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html Also see django.core.handlers.wsgi.STATUS_CODE_TEXT """
-# Verbose format
 HTTP_100_CONTINUE = 100
 HTTP_101_SWITCHING_PROTOCOLS = 101
 HTTP_200_OK = 200
diff --git a/djangorestframework/templatetags/add_query_param.py b/djangorestframework/templatetags/add_query_param.py
index ce175b81..11709730 100644
--- a/djangorestframework/templatetags/add_query_param.py
+++ b/djangorestframework/templatetags/add_query_param.py
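Review bot: With the `request._post` substitution gone, the `CsrfViewMiddleware().process_view(...)` call (which I read as staying on the new side — the `-` in front of `resp = ...` looks like a removed blank line folded by the page layout) can only find the token where Django itself looks: `request.POST` for form-encoded bodies or, if memory serves, the `X-CSRFToken` header; a session-authenticated client that POSTs JSON with `csrfmiddlewaretoken` in the body will presumably now get a 403, or an exception if Django refuses to build `request.POST` after DRF's parser has already consumed the stream, and neither the hunk nor tests/authentication.py covers that path. If that is the intended contract, say so in the docstring, e.g. `For non-form request bodies the CSRF token must be supplied in the X-CSRFToken header.`, and add a test that POSTs `application/json` through `self.csrf_client` with the header set. The bare `self.view.DATA` statement also deserves the reason it exists, not just the fact: `# Evaluate DATA before the CSRF middleware touches request.POST, so the body stream is parsed once, by our parsers`. The method's signature sits above the hunk, so I cannot see what callers receive when `self.view` lacks `DATA`.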
@@ -5,7 +5,7 @@ register = Library()
 def add_query_param(url, param):
 (key, sep, val) = param.partition('=')
- return unicode(URLObject(url) & (key, val))
+ return unicode(URLObject.parse(url) & (key, val))
 register.filter('add_query_param', add_query_param)
diff --git a/djangorestframework/tests/authentication.py b/djangorestframework/tests/authentication.py
index 1835c523..303bf96b 100644
--- a/djangorestframework/tests/authentication.py
+++ b/djangorestframework/tests/authentication.py
@@ -11,7 +11,7 @@ import base64
 class MockView(View):
- permissions = ( permissions.IsAuthenticated, )
+ permissions = (permissions.IsAuthenticated,)
 def post(self, request): return {'a': 1, 'b': 2, 'c': 3}
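Review bot: `sep` from `param.partition('=')` is never used and the filter carries no docstring, so the unpack would read better as `key, _, val = param.partition('=')` under a one-line `"""Return *url* with the 'key=value' query parameter in *param* added via URLObject's & operator."""`. A `param` with no `=` leaves `val` as `''`; whatever `URLObject` does with an empty value is worth stating in that docstring, since template authors will hit it silently. The switch to `URLObject.parse` presumably tracks an urlobject API change — the pinned library version is not visible here, so I cannot confirm the old constructor form is gone.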
@@ -74,24 +74,32 @@ class SessionAuthTests(TestCase):
 self.csrf_client.logout()
 def test_post_form_session_auth_failing_csrf(self):
- """Ensure POSTing form over session authentication without CSRF token fails."""
+ """
+ Ensure POSTing form over session authentication without CSRF token fails.
+ """
 self.csrf_client.login(username=self.username, password=self.password)
 response = self.csrf_client.post('/', {'example': 'example'})
 self.assertEqual(response.status_code, 403)
 def test_post_form_session_auth_passing(self):
- """Ensure POSTing form over session authentication with logged in user and CSRF token passes."""
+ """
+ Ensure POSTing form over session authentication with logged in user and CSRF token passes.
+ """
 self.non_csrf_client.login(username=self.username, password=self.password)
 response = self.non_csrf_client.post('/', {'example': 'example'})
 self.assertEqual(response.status_code, 200)
 def test_put_form_session_auth_passing(self):
- """Ensure PUTting form over session authentication with logged in user and CSRF token passes."""
+ """
+ Ensure PUTting form over session authentication with logged in user and CSRF token passes.
+ """
 self.non_csrf_client.login(username=self.username, password=self.password)
 response = self.non_csrf_client.put('/', {'example': 'example'})
 self.assertEqual(response.status_code, 200)
 def test_post_form_session_auth_failing(self):
- """Ensure POSTing form over session authentication without logged in user fails."""
+ """
+ Ensure POSTing form over session authentication without logged in user fails.
+ """
 response = self.csrf_client.post('/', {'example': 'example'})
 self.assertEqual(response.status_code, 403)
diff --git a/examples/permissionsexample/views.py b/examples/permissionsexample/views.py
index 3f71e67b..86f458f8 100644
--- a/examples/permissionsexample/views.py
+++ b/examples/permissionsexample/views.py
@@ -2,14 +2,23 @@ from djangorestframework.views import View
 from djangorestframework.permissions import PerUserThrottling, IsAuthenticated
 from django.core.urlresolvers import reverse
+ class PermissionsExampleView(View): """ A container view for permissions examples. """
 def get(self, request):
- return [{'name': 'Throttling Example', 'url': reverse('throttled-resource')},
- {'name': 'Logged in example', 'url': reverse('loggedin-resource')},]
+ return [
+ {
+ 'name': 'Throttling Example',
+ 'url': reverse('throttled-resource')
+ },
+ {
+ 'name': 'Logged in example',
+ 'url': reverse('loggedin-resource')
+ },
+ ]
 class ThrottlingExampleView(View):
@@ -20,7 +29,7 @@ class ThrottlingExampleView(View): throttle will be applied until 60 seconds have passed since the first request. """
- permissions = ( PerUserThrottling, )
+ permissions = (PerUserThrottling,)
 throttle = '10/min'
 def get(self, request):
@@ -29,13 +38,15 @@ class ThrottlingExampleView(View): """
 return "Successful response to GET request because throttle is not yet active."
+ class LoggedInExampleView(View): """ You can login with **'test', 'test'.** or use curl:
-
+ `curl -X GET -H 'Accept: application/json' -u test:test http://localhost:8000/permissions-example`
- """
+ """
 permissions = (IsAuthenticated, )
+ def get(self, request):
- return 'Logged in or not?'
+ return 'You have permission to view this resource' |
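Review bot: In the LoggedInExampleView hunk, `permissions = (IsAuthenticated, )` keeps the space before the closing parenthesis that this same commit strips from `(PerUserThrottling,)` and `(permissions.IsAuthenticated,)`; `permissions = (IsAuthenticated,)` would finish the normalisation. The docstring also advertises a fixed `test:test` account and a plain `http://localhost:8000` URL for HTTP basic auth; a short qualifier such as `(example credentials — development server only, never over plain HTTP in deployment)` would stop the snippet being copied as-is. The class header and the rest of the module lie outside the visible hunks, so I cannot tell whether other example views repeat the same pattern.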
