diff options
Diffstat (limited to 'djangorestframework')
| -rw-r--r-- | djangorestframework/authenticators.py | 18 |
1 files changed, 11 insertions, 7 deletions
diff --git a/djangorestframework/authenticators.py b/djangorestframework/authenticators.py index 0d267b64..82d19779 100644 --- a/djangorestframework/authenticators.py +++ b/djangorestframework/authenticators.py @@ -80,14 +80,18 @@ class BasicAuthenticator(BaseAuthenticator): class UserLoggedInAuthenticator(BaseAuthenticator): - """Use Djagno's built-in request session for authentication.""" + """Use Django's built-in request session for authentication.""" def authenticate(self, request): if getattr(request, 'user', None) and request.user.is_active: - # Temporarily request.POST with .RAW_CONTENT, so that we use our more generic request parsing - request._post = self.mixin.RAW_CONTENT - resp = CsrfViewMiddleware().process_view(request, None, (), {}) - del(request._post) - if resp is None: # csrf passed - return request.user + # If this is a POST request we enforce CSRF validation. + if request.method.upper() == 'POST': + # Temporarily replace request.POST with .RAW_CONTENT, + # so that we use our more generic request parsing + request._post = self.mixin.RAW_CONTENT + resp = CsrfViewMiddleware().process_view(request, None, (), {}) + del(request._post) + if resp is not None: # csrf failed + return None + return request.user return None |