Changed return status for CSRF failures to HTTP 403

By default, Django returns "HTTP 403 Forbidden" responses when CSRF validation failed[1]. CSRF is a case of authorization, not of authentication. Therefore `PermissionDenied` should be raised instead of `AuthenticationFailed`. [1] https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#rejected-requests

Changed return status for CSRF failures to HTTP 403
By default, Django returns "HTTP 403 Forbidden" responses when CSRF validation failed[1]. CSRF is a case of authorization, not of authentication. Therefore `PermissionDenied` should be raised instead of `AuthenticationFailed`. [1] https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#rejected-requests
b187f534 · Danilo Bargen · 5d80f7f9 · b187f534
Commit b187f534 authored Jun 02, 2014 by Danilo Bargen
Hide whitespace changes
Inline Side-by-side

Showing with 1 additions and 1 deletions

rest_framework/authentication.py
+1 -1

No files found.
--- a/rest_framework/authentication.py
+++ b/rest_framework/authentication.py
@@ -129,7 +129,7 @@ class SessionAuthentication(BaseAuthentication):
        reason = CSRFCheck().process_view(request, None, (), {})
        if reason:
            # CSRF failed, bail with explicit error message
-            raise exceptions.AuthenticationFailed('CSRF Failed: %s' % reason)
+            raise exceptions.PermissionDenied('CSRF Failed: %s' % reason)
 class TokenAuthentication(BaseAuthentication):