CSRF validation will only be applied to POST requests, so let's only load…

CSRF validation will only be applied to POST requests, so let's only load .RAW_CONTENT in those cases

CSRF validation will only be applied to POST requests, so let's only load…
CSRF validation will only be applied to POST requests, so let's only load .RAW_CONTENT in those cases
b508ca38 · tom christie tom@tomchristie.com · da7d49a3 · b508ca38
Commit b508ca38 authored Apr 26, 2011 by tom christie tom@tomchristie.com
Show whitespace changes
Inline Side-by-side

Showing with 7 additions and 3 deletions

djangorestframework/authenticators.py
+7 -3

No files found.
--- a/djangorestframework/authenticators.py
+++ b/djangorestframework/authenticators.py
@@ -80,14 +80,18 @@ class BasicAuthenticator(BaseAuthenticator):
                

 class UserLoggedInAuthenticator(BaseAuthenticator):
-    """Use Djagno's built-in request session for authentication."""
+    """Use Django's built-in request session for authentication."""
    def authenticate(self, request):
        if getattr(request, 'user', None) and request.user.is_active:
-            # Temporarily request.POST with .RAW_CONTENT, so that we use our more generic request parsing
+            # If this is a POST request we enforce CSRF validation.
+            if request.method.upper() == 'POST':
+                # Temporarily replace request.POST with .RAW_CONTENT,
+                # so that we use our more generic request parsing
                request._post = self.mixin.RAW_CONTENT
                resp = CsrfViewMiddleware().process_view(request, None, (), {})
                del(request._post)
-            if resp is None:  # csrf passed
+                if resp is not None:  # csrf failed
+                    return None
            return request.user
        return None