CSRF validation will only be applied to POST requests, so let's only load .RAW_CONTENT in those cases

djangorestframework/authenticators.py

@@ -80,14 +80,18 @@ class BasicAuthenticator(BaseAuthenticator):
                 
 
 class UserLoggedInAuthenticator(BaseAuthenticator):
-    """Use Djagno's built-in request session for authentication."""
+    """Use Django's built-in request session for authentication."""
     def authenticate(self, request):
         if getattr(request, 'user', None) and request.user.is_active:
-            # Temporarily request.POST with .RAW_CONTENT, so that we use our more generic request parsing
+            # If this is a POST request we enforce CSRF validation.
-            request._post = self.mixin.RAW_CONTENT
+            if request.method.upper() == 'POST':
-            resp = CsrfViewMiddleware().process_view(request, None, (), {})
+                # Temporarily replace request.POST with .RAW_CONTENT,
-            del(request._post)
+                # so that we use our more generic request parsing
-            if resp is None:  # csrf passed
+                request._post = self.mixin.RAW_CONTENT
-                return request.user
+                resp = CsrfViewMiddleware().process_view(request, None, (), {})
+                del(request._post)
+                if resp is not None:  # csrf failed
+                    return None
+            return request.user
         return None