From b508ca38d44f458e3eabaa4ffd3500d80a71eb9e Mon Sep 17 00:00:00 2001
From: "tom christie tom@tomchristie.com"
Date: Tue, 26 Apr 2011 21:08:36 +0100
Subject: [PATCH] CSRF validation will only be applied to POST requests, so let's only load .RAW_CONTENT in those cases

---
 djangorestframework/authenticators.py | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/djangorestframework/authenticators.py b/djangorestframework/authenticators.py
index 0d267b648..82d19779d 100644
--- a/djangorestframework/authenticators.py
+++ b/djangorestframework/authenticators.py
@@ -80,14 +80,18 @@ class BasicAuthenticator(BaseAuthenticator):
 class UserLoggedInAuthenticator(BaseAuthenticator):
-    """Use Djagno's built-in request session for authentication."""
+    """Use Django's built-in request session for authentication."""
     def authenticate(self, request):
         if getattr(request, 'user', None) and request.user.is_active:
-            # Temporarily request.POST with .RAW_CONTENT, so that we use our more generic request parsing
-            request._post = self.mixin.RAW_CONTENT
-            resp = CsrfViewMiddleware().process_view(request, None, (), {})
-            del(request._post)
-            if resp is None: # csrf passed
-                return request.user
+            # If this is a POST request we enforce CSRF validation.
+            if request.method.upper() == 'POST':
+                # Temporarily replace request.POST with .RAW_CONTENT,
+                # so that we use our more generic request parsing
+                request._post = self.mixin.RAW_CONTENT
+                resp = CsrfViewMiddleware().process_view(request, None, (), {})
+                del(request._post)
+                if resp is not None: # csrf failed
+                    return None
+            return request.user
         return None
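Review bot: Gating the whole check on `request.method.upper() == 'POST'` in the new `authenticate` body means a session-authenticated PUT, DELETE or PATCH is never CSRF-validated at all, whereas Django's own CsrfViewMiddleware exempts only GET/HEAD/OPTIONS/TRACE and a REST API routinely exposes exactly those unsafe methods. As far as I can tell the commit's premise — that only a POST needs `.RAW_CONTENT` exposed as `request.POST` — is about where the middleware reads the form token from, not about which methods need protection, so the two should be separated: swap `_post` only for POST, but call `process_view` for every unsafe method. The `del(request._post)` should also move into a `finally`, since it is currently skipped if `process_view` raises and the request would be left carrying the substituted `_post`. `authenticate` appears to lie wholly inside the hunk.
```python
        if getattr(request, 'user', None) and request.user.is_active:
            # Enforce CSRF for every unsafe method, as CsrfViewMiddleware does;
            # only a POST needs our parsed content exposed as request.POST.
            if request.method.upper() not in ('GET', 'HEAD', 'OPTIONS', 'TRACE'):
                is_post = request.method.upper() == 'POST'
                if is_post:
                    request._post = self.mixin.RAW_CONTENT
                try:
                    resp = CsrfViewMiddleware().process_view(request, None, (), {})
                finally:
                    if is_post:
                        del(request._post)
                if resp is not None:  # csrf failed
                    return None
            return request.user
        # ... unchanged: final return None ...
```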