encode/django-rest-framework
1
1
Fork 0
mirror of https://github.com/encode/django-rest-framework.git synced 2025-02-09 08:00:52 +03:00
Code Issues Packages Projects Releases Wiki Activity

Changed return status for CSRF failures to HTTP 403

Browse Source 
By default, Django returns "HTTP 403 Forbidden" responses when CSRF
validation failed[1]. CSRF is a case of authorization, not of
authentication. Therefore `PermissionDenied` should be raised instead
of `AuthenticationFailed`.

[1] https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#rejected-requests
This commit is contained in:
Danilo Bargen 2014-06-02 00:41:58 +02:00
parent 5d80f7f932
commit b187f53453
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
rest_framework/authentication.py
View File

@ -129,7 +129,7 @@ class SessionAuthentication(BaseAuthentication):
reason = CSRFCheck().process_view(request, None, (), {}) reason = CSRFCheck().process_view(request, None, (), {})
if reason: if reason:
# CSRF failed, bail with explicit error message # CSRF failed, bail with explicit error message
raise exceptions.AuthenticationFailed('CSRF Failed: %s' % reason) raise exceptions.PermissionDenied('CSRF Failed: %s' % reason)
class TokenAuthentication(BaseAuthentication): class TokenAuthentication(BaseAuthentication):