2025-summer/team-3
12
Fork 0
Code Issues Pull requests Projects Releases Activity

enforce csrf in editor api and make it usuable offline

Browse source
This commit is contained in:
Laura Klünder 2018-11-23 21:22:48 +01:00
parent c5d8315d97
commit e4497797f3
1 changed files with 3 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

7
src/c3nav/editor/api.py
View file

@ -4,6 +4,7 @@ from django.db.models import Prefetch, Q
from django.urls import Resolver404, resolve from django.urls import Resolver404, resolve
from django.utils.functional import cached_property from django.utils.functional import cached_property
from django.utils.translation import ugettext_lazy as _ from django.utils.translation import ugettext_lazy as _
from rest_framework.authentication import SessionAuthentication
from rest_framework.decorators import action from rest_framework.decorators import action
from rest_framework.exceptions import NotFound, PermissionDenied, ValidationError from rest_framework.exceptions import NotFound, PermissionDenied, ValidationError
from rest_framework.generics import get_object_or_404 from rest_framework.generics import get_object_or_404
@ -279,10 +280,8 @@ class EditorViewSet(ViewSet):
raise AttributeError raise AttributeError
def post_or_delete(self, request, *args, **kwargs): def post_or_delete(self, request, *args, **kwargs):
# Django REST Framework does only check csrf on logged in requests. # django-rest-framework doesn't automatically do this for logged out requests
# So let's make the entire writable c3nav API require a login. SessionAuthentication().enforce_csrf(request)
if not request.user.is_authenticated:
raise PermissionDenied(_('Login required.'))
return self.retrieve(request, *args, **kwargs) return self.retrieve(request, *args, **kwargs)