From b187f53453d3885cd918f5f9f4490bcc8e3e2410 Mon Sep 17 00:00:00 2001
From: Danilo Bargen <mail@dbrgn.ch>
Date: Mon, 2 Jun 2014 00:41:58 +0200
Subject: [PATCH] Changed return status for CSRF failures to HTTP 403

By default, Django returns "HTTP 403 Forbidden" responses when CSRF
validation failed[1]. CSRF is a case of authorization, not of
authentication. Therefore `PermissionDenied` should be raised instead
of `AuthenticationFailed`.

[1] https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#rejected-requests
---
 rest_framework/authentication.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rest_framework/authentication.py b/rest_framework/authentication.py
index f3fec05ec..36d74dd9b 100644
--- a/rest_framework/authentication.py
+++ b/rest_framework/authentication.py
@@ -129,7 +129,7 @@ class SessionAuthentication(BaseAuthentication):
         reason = CSRFCheck().process_view(request, None, (), {})
         if reason:
             # CSRF failed, bail with explicit error message
-            raise exceptions.AuthenticationFailed('CSRF Failed: %s' % reason)
+            raise exceptions.PermissionDenied('CSRF Failed: %s' % reason)
 
 
 class TokenAuthentication(BaseAuthentication):