encode/django-rest-framework
1
1
Fork 0
mirror of https://github.com/encode/django-rest-framework.git synced 2025-01-24 00:04:16 +03:00
Code Issues Packages Projects Releases Wiki Activity

Alter CSRF exemption implementation

Browse Source 
The previous implementation of decorating `APIView.dispach` with the
`csrf_exempt` decorator allowed for an easy-to-make mistake where
someone could override the `dispatch` method on a view and inadvertantly
remove the csrf exemption of their api view.

By moving the decoration of the view into the `as_view` logic, it
becomes much more difficult to make this mistake.
This commit is contained in:
Piper Merriam 2014-07-25 12:09:07 -06:00
parent f08afe162c
commit fc9be55d43
1 changed files with 6 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
rest_framework/views.py
View File

@ -103,7 +103,9 @@ class APIView(View):
""" """
view = super(APIView, cls).as_view(**initkwargs) view = super(APIView, cls).as_view(**initkwargs)
view.cls = cls view.cls = cls
return view # Note: session based authentication is explicitly CSRF validated,
# all other authentication is CSRF exempt.
return csrf_exempt(view)
@property @property
def allowed_methods(self): def allowed_methods(self):
@ -371,9 +373,9 @@ class APIView(View):
response.exception = True response.exception = True
return response return response
# Note: session based authentication is explicitly CSRF validated, # Note: Views are made CSRF exempt from within `as_view` as to prevent
# all other authentication is CSRF exempt. # accidental removal of this exemption in cases where `dispatch` needs to
@csrf_exempt # be overridden.
def dispatch(self, request, *args, **kwargs): def dispatch(self, request, *args, **kwargs):
""" """
`.dispatch()` is pretty much the same as Django's regular dispatch, `.dispatch()` is pretty much the same as Django's regular dispatch,