From 9bd2ef102c7d6594e4fa6846be1eae10bb725ecf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Laura=20Kl=C3=BCnder?=
Date: Thu, 22 Nov 2018 17:33:52 +0100
Subject: [PATCH] DRF does not check csrf on logged out requests, to let's require login
---
 src/c3nav/editor/api.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/c3nav/editor/api.py b/src/c3nav/editor/api.py
index 44ebdda8..b5b7b078 100644
--- a/src/c3nav/editor/api.py
+++ b/src/c3nav/editor/api.py
@@ -273,11 +273,19 @@ class EditorViewSet(ViewSet):
 if getattr(self, 'get', None).__name__ in ('list', 'retrieve'):
 if name == 'post' and (self.resolved.url_name.endswith('.create') or self.resolved.url_name.endswith('.edit')):
- return self.retrieve
+ return self.post_or_delete
 if name == 'delete' and self.resolved.url_name.endswith('.edit'):
- return self.retrieve
+ return self.post_or_delete
 raise AttributeError
+ def post_or_delete(self, request, *args, **kwargs):
+ # Django REST Framework does only check csrf on logged in requests.
+ # So let's make the entire writable c3nav API require a login.
+ if not request.user.is_authenticated:
+ raise PermissionDenied(_('Login required.'))
+
+ return self.retrieve(request, *args, **kwargs)
+
 def list(self, request, *args, **kwargs):
 return self.retrieve(request, *args, **kwargs)
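Review bot: The new `post_or_delete` guard reports a missing login as `PermissionDenied`, which DRF renders as a 403, whereas the precise exception for an unauthenticated caller is `NotAuthenticated` (`raise NotAuthenticated(_('Login required.'))`), which lets DRF answer 401 with a challenge header when the configured authenticator provides one; if `PermissionDenied` here is Django's core exception rather than DRF's, the effect is the same 403. The guard does its real job only because reading `request.user` runs DRF's authentication, and with session authentication that is where the CSRF check happens for logged-in users, so the method deserves a docstring that states this, e.g. `"""Authenticated-only entry point for POST/DELETE: DRF enforces CSRF only for session-authenticated requests, so anonymous writes are rejected before reaching retrieve()."""`. The comment wording `does only check csrf on logged in requests` reads better as `only checks CSRF for logged-in requests`. The enclosing dispatch method (presumably `__getattr__`, given the `raise AttributeError`) starts above the hunk, so any other branch that still returns `self.retrieve` for a write request cannot be checked here.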