From e4497797f37c7043e113f7a48ac33f2659eb57e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Laura=20Kl=C3=BCnder?=
Date: Fri, 23 Nov 2018 21:22:48 +0100
Subject: [PATCH] enforce csrf in editor api and make it usuable offline
---
 src/c3nav/editor/api.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/src/c3nav/editor/api.py b/src/c3nav/editor/api.py
index 4283397d..b254d108 100644
--- a/src/c3nav/editor/api.py
+++ b/src/c3nav/editor/api.py
@@ -4,6 +4,7 @@ from django.db.models import Prefetch, Q
 from django.urls import Resolver404, resolve
 from django.utils.functional import cached_property
 from django.utils.translation import ugettext_lazy as _
+from rest_framework.authentication import SessionAuthentication
 from rest_framework.decorators import action
 from rest_framework.exceptions import NotFound, PermissionDenied, ValidationError
 from rest_framework.generics import get_object_or_404
@@ -279,10 +280,8 @@ class EditorViewSet(ViewSet):
 raise AttributeError
 def post_or_delete(self, request, *args, **kwargs):
- # Django REST Framework does only check csrf on logged in requests.
- # So let's make the entire writable c3nav API require a login.
- if not request.user.is_authenticated:
- raise PermissionDenied(_('Login required.'))
+ # django-rest-framework doesn't automatically do this for logged out requests
+ SessionAuthentication().enforce_csrf(request)
 return self.retrieve(request, *args, **kwargs)
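Review bot: The new `SessionAuthentication().enforce_csrf(request)` in post_or_delete runs for every request regardless of which authenticator populated `request.user`; DRF deliberately ties its CSRF check to session authentication, so if this viewset also accepts token or basic auth (its authentication classes are not visible in the hunk), those non-browser clients will now be rejected with "CSRF Failed" because they carry no CSRF cookie, and session-logged-in users get the check twice. If the intent is only to close the anonymous gap, guard it as `if not request.user.is_authenticated:` followed by the `enforce_csrf` call, which leaves authenticated requests to their own authenticator. The replacement comment leaves "this" undefined; suggest `# DRF only enforces CSRF for session-authenticated users; anonymous (offline) editing still writes server state, so enforce it explicitly here.`. Dropping the login requirement also means whatever authorization the old check provided implicitly must now be enforced further down (e.g. per changeset), which this hunk does not show. The enclosing class EditorViewSet starts outside the hunk.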