CSRF validation will only be applied to POST requests, so let's only load .RAW_CONTENT in those cases

2025-02-03 13:14:30 +03:00 · 2011-04-26 21:08:36 +01:00 · 2011-04-26 21:08:36 +01:00 · b508ca38d4
commit b508ca38d4
parent da7d49a384
1 changed files with 11 additions and 7 deletions
--- a/djangorestframework/authenticators.py
+++ b/djangorestframework/authenticators.py
@ -80,14 +80,18 @@ class BasicAuthenticator(BaseAuthenticator):
                

 class UserLoggedInAuthenticator(BaseAuthenticator):
-    """Use Djagno's built-in request session for authentication."""
+    """Use Django's built-in request session for authentication."""
    def authenticate(self, request):
        if getattr(request, 'user', None) and request.user.is_active:
-            # Temporarily request.POST with .RAW_CONTENT, so that we use our more generic request parsing
-            request._post = self.mixin.RAW_CONTENT
-            resp = CsrfViewMiddleware().process_view(request, None, (), {})
-            del(request._post)
-            if resp is None:  # csrf passed
-                return request.user
+            # If this is a POST request we enforce CSRF validation.
+            if request.method.upper() == 'POST':
+                # Temporarily replace request.POST with .RAW_CONTENT,
+                # so that we use our more generic request parsing
+                request._post = self.mixin.RAW_CONTENT
+                resp = CsrfViewMiddleware().process_view(request, None, (), {})
+                del(request._post)
+                if resp is not None:  # csrf failed
+                    return None
+            return request.user
        return None