2025-summer/team-3
12
Fork 0
Code Issues Pull requests Projects Releases Activity

DRF does not check csrf on logged out requests, to let's require login

Browse source
This commit is contained in:
Laura Klünder 2018-11-22 17:33:52 +01:00
parent 8e15e7d0a4
commit 9bd2ef102c
1 changed files with 10 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

12
src/c3nav/editor/api.py
View file

@ -273,11 +273,19 @@ class EditorViewSet(ViewSet):
if getattr(self, 'get', None).__name__ in ('list', 'retrieve'): if getattr(self, 'get', None).__name__ in ('list', 'retrieve'):
if name == 'post' and (self.resolved.url_name.endswith('.create') or if name == 'post' and (self.resolved.url_name.endswith('.create') or
self.resolved.url_name.endswith('.edit')): self.resolved.url_name.endswith('.edit')):
return self.retrieve return self.post_or_delete
if name == 'delete' and self.resolved.url_name.endswith('.edit'): if name == 'delete' and self.resolved.url_name.endswith('.edit'):
return self.retrieve return self.post_or_delete
raise AttributeError raise AttributeError
def post_or_delete(self, request, *args, **kwargs):
# Django REST Framework does only check csrf on logged in requests.
# So let's make the entire writable c3nav API require a login.
if not request.user.is_authenticated:
raise PermissionDenied(_('Login required.'))
return self.retrieve(request, *args, **kwargs)
def list(self, request, *args, **kwargs): def list(self, request, *args, **kwargs):
return self.retrieve(request, *args, **kwargs) return self.retrieve(request, *args, **kwargs)