Diffstat (limited to 'djangorestframework/authenticators.py')
-rw-r--r--djangorestframework/authenticators.py38
1 files changed, 32 insertions, 6 deletions
diff --git a/djangorestframework/authenticators.py b/djangorestframework/authenticators.py
index 24addb22..85ba9f11 100644
--- a/djangorestframework/authenticators.py
+++ b/djangorestframework/authenticators.py
@@ -1,17 +1,41 @@
from django.contrib.auth import authenticate
+from django.middleware.csrf import CsrfViewMiddleware
+from djangorestframework.utils import as_tuple
import base64
+
+class AuthenticatorMixin(object):
+ authenticators = None
+
+ def authenticate(self, request):
+ """Attempt to authenticate the request, returning an authentication context or None.
+ An authentication context may be any object, although in many cases it will be a User instance."""
+
+ # Attempt authentication against each authenticator in turn,
+ # and return None if no authenticators succeed in authenticating the request.
+ for authenticator in as_tuple(self.authenticators):
+ auth_context = authenticator(self).authenticate(request)
+ if auth_context:
+ return auth_context
+
+ return None
+
+
class BaseAuthenticator(object):
"""All authenticators should extend BaseAuthenticator."""
- def __init__(self, resource):
- """Initialise the authenticator with the Resource instance as state,
- in case the authenticator needs to access any metadata on the Resource object."""
- self.resource = resource
+ def __init__(self, mixin):
+ """Initialise the authenticator with the mixin instance as state,
+ in case the authenticator needs to access any metadata on the mixin object."""
+ self.mixin = mixin
def authenticate(self, request):
"""Authenticate the request and return the authentication context or None.
+ An authentication context might be something as simple as a User object, or it might
+ be some more complicated token, for example authentication tokens which are signed
+ against a particular set of permissions for a given user, over a given timeframe.
+
The default permission checking on Resource will use the allowed_methods attribute
for permissions if the authentication context is not None, and use anon_allowed_methods otherwise.
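Review bot: `AuthenticatorMixin.authenticate` decides with `if auth_context:` (new line 31) while its own docstring says a context "may be any object" and that the failure value is None; a legitimate but falsy context (an empty token container, a user-like object defining `__len__` or `__bool__`) would be silently skipped and the request treated as anonymous. Since every authenticator in this file already returns `None` on failure, the check should be `if auth_context is not None:` so that "no context" and "falsy context" are not conflated. The loop also lets an exception from one authenticator abort the whole chain rather than falling through to the next; if that is intended, a one-line comment on the loop saying so would stop a later maintainer from wrapping it in a broad `except`. Note that `BaseAuthenticator.authenticate`'s docstring continues past the end of this hunk.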
@@ -38,7 +62,9 @@ class BasicAuthenticator(BaseAuthenticator):
class UserLoggedInAuthenticator(BaseAuthenticator):
"""Use Djagno's built-in request session for authentication."""
def authenticate(self, request):
- if getattr(request, 'user', None) and request.user.is_active:
- return request.user
+ if getattr(request, 'user', None) and request.user.is_active:
+ resp = CsrfViewMiddleware().process_view(request, None, (), {})
+ if resp is None: # csrf passed
+ return request.user
return None
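Review bot: A failed CSRF check on new line 63 downgrades an authenticated session to an anonymous request instead of rejecting it: the failure response held in `resp` is discarded and `None` is returned, so the client either sees a generic permissions failure or, for a method in `anon_allowed_methods`, succeeds with no indication that the token was the problem. If that downgrade is the intended design, say so where the response is dropped, e.g. `# CSRF failure is not surfaced: the session is ignored and the request continues as anonymous`. The call also assumes `process_view` performs the complete CSRF check on its own (cookie lookup included) and is safe to invoke when the middleware is not installed; as far as I can tell that holds for the Django versions this targets, but since `CsrfViewMiddleware` records state on `request` as a side effect, a comment naming the assumption would help whoever next bumps the Django dependency.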