Alter CSRF exemption implementation
The previous implementation of decorating `APIView.dispatch` with the `csrf_exempt` decorator allowed for an easy-to-make mistake where someone could override the `dispatch` method on a view and inadvertently remove the CSRF exemption of their API view. By moving the decoration of the view into the `as_view` logic, it becomes much more difficult to make this mistake.
This commit is contained in:
parent
f08afe162c
commit
fc9be55d43
@ -103,7 +103,9 @@ class APIView(View):
"""
"""
view = super(APIView, cls).as_view(**initkwargs)
view = super(APIView, cls).as_view(**initkwargs)
view.cls = cls
view.cls = cls
return view
# Note: session based authentication is explicitly CSRF validated,
# all other authentication is CSRF exempt.
return csrf_exempt(view)
@property
@property
def allowed_methods(self):
def allowed_methods(self):
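Review bot: `view.cls = cls` is assigned to the inner function one line before the new `return csrf_exempt(view)`, so the attribute is only still present on the returned callable because Django's `csrf_exempt` builds its wrapper with `functools.wraps`, which copies the wrapped function's `__dict__`. That ordering dependency is worth a comment at the assignment, e.g. `# Set before wrapping: csrf_exempt() carries function attributes onto its wrapper via functools.wraps.` The two-line note above the return would also be more useful if it named the authentication-class method that performs the session CSRF check, because once the view is exempted at this level that check is the only CSRF validation an APIView request receives. The `as_view` docstring closes at the top of the hunk, so its text is outside this view.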
@ -371,9 +373,9 @@ class APIView(View):
response.exception = True
response.exception = True
return response
return response
# Note: session based authentication is explicitly CSRF validated,
# Note: Views are made CSRF exempt from within `as_view` as to prevent
# all other authentication is CSRF exempt.
# accidental removal of this exemption in cases where `dispatch` needs to
@csrf_exempt
# be overridden.
def dispatch(self, request, *args, **kwargs):
def dispatch(self, request, *args, **kwargs):
"""
"""
`.dispatch()` is pretty much the same as Django's regular dispatch,
`.dispatch()` is pretty much the same as Django's regular dispatch,
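Review bot: The replacement comment above `dispatch` reads `as to prevent`, which should be `so as to prevent`, and it now only says where the exemption is applied, not why the view is exempt at all. The two deleted lines (session based authentication validates CSRF itself; all other authentication is CSRF exempt) were the rationale, and dropping them leaves a reader of `dispatch` with no hint that CSRF handling is delegated to the authentication layer; I would keep that sentence and add the pointer to `as_view` after it, e.g. `# Note: session based authentication is explicitly CSRF validated, all other authentication is CSRF exempt. The exemption is applied in as_view so that overriding dispatch cannot accidentally remove it.` `dispatch`'s body continues past the end of the hunk.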