Explicit CSRF failure message. Fixes #60.

3c8f01b9 · Tom Christie · 9c1fba34 · 3c8f01b9 · 3c8f01b9 · 3c8f01b9
Commit 3c8f01b9 authored Oct 15, 2012 by Tom Christie
Show whitespace changes
Inline Side-by-side

Showing with 21 additions and 6 deletions

rest_framework/authentication.py
+15 -3

rest_framework/renderers.py
+3 -0

rest_framework/views.py
+3 -3

No files found.
--- a/rest_framework/authentication.py
+++ b/rest_framework/authentication.py
@@ -4,6 +4,7 @@ Provides a set of pluggable authentication policies.
 from django.contrib.auth import authenticate
 from django.utils.encoding import smart_unicode, DjangoUnicodeDecodeError
+from rest_framework import exceptions
 from rest_framework.compat import CsrfViewMiddleware
 from rest_framework.authtoken.models import Token
 import base64
@@ -71,11 +72,22 @@ class SessionAuthentication(BaseAuthentication):
        http_request = request._request
        user = getattr(http_request, 'user', None)
-        if user and user.is_active:
+        # Unauthenticated, CSRF validation not required
+        if not user or not user.is_active:
+            return
        # Enforce CSRF validation for session based authentication.
-            resp = CsrfViewMiddleware().process_view(http_request, None, (), {})
+        class CSRFCheck(CsrfViewMiddleware):
+            def _reject(self, request, reason):
+                # Return the failure reason instead of an HttpResponse
+                return reason
+        reason = CSRFCheck().process_view(http_request, None, (), {})
+        if reason:
+            # CSRF failed, bail with explicit error message
+            raise exceptions.PermissionDenied('CSRF Failed: %s' % reason)
-            if resp is None:  # csrf passed
+        # CSRF passed with authenticated user
        return (user, None)

--- a/rest_framework/renderers.py
+++ b/rest_framework/renderers.py
@@ -235,8 +235,11 @@ class BrowsableAPIRenderer(BaseRenderer):
            return  # Cannot use form overloading
        request = clone_request(request, method)
+        try:
            if not view.has_permission(request):
                return  # Don't have permission
+        except:
+            return  # Don't have permission and exception explicitly raise
        if method == 'DELETE' or method == 'OPTIONS':
            return True  # Don't actually need to return a form

--- a/rest_framework/views.py
+++ b/rest_framework/views.py
@@ -156,14 +156,14 @@ class APIView(View):
        """
        raise exceptions.Throttled(wait)
-    def get_parser_context(self, request):
+    def get_parser_context(self, http_request):
        """
        Returns a dict that is passed through to Parser.parse_stream(),
        as the `parser_context` keyword argument.
        """
        return {
-            'upload_handlers': request.upload_handlers,
+            'upload_handlers': http_request.upload_handlers,
-            'meta': request.META,
+            'meta': http_request.META,
        }
    def get_renderer_context(self):