CSRF validation will only be applied to POST requests, so let's only load…

CSRF validation will only be applied to POST requests, so let's only load .RAW_CONTENT in those cases

CSRF validation will only be applied to POST requests, so let's only load…
CSRF validation will only be applied to POST requests, so let's only load .RAW_CONTENT in those cases
b508ca38 · tom christie tom@tomchristie.com · da7d49a3 · b508ca38
Commit b508ca38 authored Apr 26, 2011 by tom christie tom@tomchristie.com
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 7 deletions

djangorestframework/authenticators.py
+11 -7

No files found.
--- a/djangorestframework/authenticators.py
+++ b/djangorestframework/authenticators.py
@@ -80,14 +80,18 @@ class BasicAuthenticator(BaseAuthenticator):
 class UserLoggedInAuthenticator(BaseAuthenticator):
-    """Use Djagno's built-in request session for authentication."""
+    """Use Django's built-in request session for authentication."""
    def authenticate(self, request):
        if getattr(request, 'user', None) and request.user.is_active:
-            # Temporarily request.POST with .RAW_CONTENT, so that we use our more generic request parsing
+            # If this is a POST request we enforce CSRF validation.
-            request._post = self.mixin.RAW_CONTENT
+            if request.method.upper() == 'POST':
-            resp = CsrfViewMiddleware().process_view(request, None, (), {})
+                # Temporarily replace request.POST with .RAW_CONTENT,
-            del(request._post)
+                # so that we use our more generic request parsing
-            if resp is None:  # csrf passed
+                request._post = self.mixin.RAW_CONTENT
-                return request.user
+                resp = CsrfViewMiddleware().process_view(request, None, (), {})
+                del(request._post)
+                if resp is not None:  # csrf failed
+                    return None
+            return request.user
        return None