Merge f284dd8c80 into 9c9525b130

2025-08-04 20:40:14 +03:00 · 2017-05-30 14:35:43 +00:00 · 2017-05-30 14:35:43 +00:00 · 8dfdd946be
commit 8dfdd946be
parent 9c9525b130 f284dd8c80
3 changed files with 17 additions and 4 deletions
--- a/rest_framework/authentication.py
+++ b/rest_framework/authentication.py
@ -125,7 +125,8 @@ class SessionAuthentication(BaseAuthentication):
        if not user or not user.is_active:
            return None

-        self.enforce_csrf(request)
+        if not request.csrf_exempt:
+            self.enforce_csrf(request)

        # CSRF passed with authenticated user
        return (user, None)
--- a/rest_framework/request.py
+++ b/rest_framework/request.py
@ -82,7 +82,8 @@ def clone_request(request, method):
                  parsers=request.parsers,
                  authenticators=request.authenticators,
                  negotiator=request.negotiator,
-                  parser_context=request.parser_context)
+                  parser_context=request.parser_context,
+                  csrf_exempt=request.csrf_exempt)
    ret._data = request._data
    ret._files = request._files
    ret._full_data = request._full_data
@ -133,7 +134,7 @@ class Request(object):
    """

    def __init__(self, request, parsers=None, authenticators=None,
-                 negotiator=None, parser_context=None):
+                 negotiator=None, parser_context=None, csrf_exempt=False):
        self._request = request
        self.parsers = parsers or ()
        self.authenticators = authenticators or ()
@ -144,6 +145,7 @@ class Request(object):
        self._full_data = Empty
        self._content_type = Empty
        self._stream = Empty
+        self._csrf_exempt = csrf_exempt

        if self.parser_context is None:
            self.parser_context = {}
@ -238,6 +240,13 @@ class Request(object):
            self._authenticate()
        return self._authenticator

+    @property
+    def csrf_exempt(self):
+        """
+        Return the _csrf_exempt attribute
+        """
+        return self._csrf_exempt
+
    def _load_data_and_files(self):
        """
        Parses the request content into `self.data`.
--- a/rest_framework/views.py
+++ b/rest_framework/views.py
@ -368,12 +368,15 @@ class APIView(View):
        """
        parser_context = self.get_parser_context(request)

+        csrf_exempt = getattr(self, 'csrf_exempt', False)
+
        return Request(
            request,
            parsers=self.get_parsers(),
            authenticators=self.get_authenticators(),
            negotiator=self.get_content_negotiator(),
-            parser_context=parser_context
+            parser_context=parser_context,
+            csrf_exempt=csrf_exempt
        )

    def initial(self, request, *args, **kwargs):