CSRF for non-dict like .DATA. Fixes #85

djangorestframework/authentication.py

@@ -88,18 +88,27 @@ class UserLoggedInAuthentication(BaseAuthentication):
         Returns a :obj:`User` if the request session currently has a logged in user.
         Otherwise returns :const:`None`.
         """
-        # TODO: Switch this back to request.POST, and let FormParser/MultiPartParser deal with the consequences.
+        # TODO: Might be cleaner to switch this back to using request.POST,
+        #       and let FormParser/MultiPartParser deal with the consequences.
         if getattr(request, 'user', None) and request.user.is_active:
-            # If this is a POST request we enforce CSRF validation.
+            # Enforce CSRF validation for session based authentication.
+            
+            # Temporarily replace request.POST with .DATA, to use our generic parsing.
+            # If DATA is not dict-like, use an empty dict.
+            if request.method.upper() == 'POST':
+                if hasattr(self.view.DATA, 'get'):
+                    request._post = self.view.DATA
+                else:
+                    request._post = {}
+
+            resp = CsrfViewMiddleware().process_view(request, None, (), {})
+
+            # Replace request.POST
             if request.method.upper() == 'POST':
-                # Temporarily replace request.POST with .DATA,
-                # so that we use our more generic request parsing
-                request._post = self.view.DATA
-                resp = CsrfViewMiddleware().process_view(request, None, (), {})
                 del(request._post)
-                if resp is not None:  # csrf failed
-                    return None
-            return request.user
+
+            if resp is None:  # csrf passed
+                return request.user
         return None