enforce csrf in editor api and make it usuable offline

2018-11-23 21:22:48 +01:00 · 2018-11-23 21:22:48 +01:00 · e4497797f3
commit e4497797f3
parent c5d8315d97
1 changed files with 3 additions and 4 deletions
--- a/src/c3nav/editor/api.py
+++ b/src/c3nav/editor/api.py
@ -4,6 +4,7 @@ from django.db.models import Prefetch, Q
 from django.urls import Resolver404, resolve
 from django.utils.functional import cached_property
 from django.utils.translation import ugettext_lazy as _
+from rest_framework.authentication import SessionAuthentication
 from rest_framework.decorators import action
 from rest_framework.exceptions import NotFound, PermissionDenied, ValidationError
 from rest_framework.generics import get_object_or_404
@ -279,10 +280,8 @@ class EditorViewSet(ViewSet):
        raise AttributeError

    def post_or_delete(self, request, *args, **kwargs):
-        # Django REST Framework does only check csrf on logged in requests.
-        # So let's make the entire writable c3nav API require a login.
-        if not request.user.is_authenticated:
-            raise PermissionDenied(_('Login required.'))
+        # django-rest-framework doesn't automatically do this for logged out requests
+        SessionAuthentication().enforce_csrf(request)

        return self.retrieve(request, *args, **kwargs)