Alter CSRF exemption implementation

The previous implementation of decorating `APIView.dispach` with the `csrf_exempt` decorator allowed for an easy-to-make mistake where someone could override the `dispatch` method on a view and inadvertantly remove the csrf exemption of their api view. By moving the decoration of the view into the `as_view` logic, it becomes much more difficult to make this mistake.
2024-09-21 03:19:00 +03:00 · 2014-07-25 12:09:07 -06:00 · 2014-07-25 12:09:07 -06:00 · fc9be55d43
commit fc9be55d43
parent f08afe162c
1 changed files with 6 additions and 4 deletions
--- a/rest_framework/views.py
+++ b/rest_framework/views.py
@ -103,7 +103,9 @@ class APIView(View):
        """
        view = super(APIView, cls).as_view(**initkwargs)
        view.cls = cls
-        return view
+        # Note: session based authentication is explicitly CSRF validated,
+        # all other authentication is CSRF exempt.
+        return csrf_exempt(view)

    @property
    def allowed_methods(self):
@ -371,9 +373,9 @@ class APIView(View):
        response.exception = True
        return response

-    # Note: session based authentication is explicitly CSRF validated,
-    # all other authentication is CSRF exempt.
-    @csrf_exempt
+    # Note: Views are made CSRF exempt from within `as_view` as to prevent
+    # accidental removal of this exemption in cases where `dispatch` needs to
+    # be overridden.
    def dispatch(self, request, *args, **kwargs):
        """
        `.dispatch()` is pretty much the same as Django's regular dispatch,