Exempt the API from CSRF stuff (#129)

api/views/misc.py

@@ -1,6 +1,7 @@
 """Views that don't fit in any of the other view files."""
 from typing import Dict
 
+from django.views.decorators.csrf import csrf_exempt
 from drf_yasg.openapi import Response as DocResponse
 from drf_yasg.openapi import Schema
 from drf_yasg.utils import swagger_auto_schema
@@ -44,6 +45,7 @@ class SummaryView(APIView):
 
     permission_classes = (AdminApiKeyCustomCheck,)
 
+    @csrf_exempt
     @swagger_auto_schema(
         responses={
             200: DocResponse(
@@ -69,6 +71,7 @@ class PingView(APIView):
 
     permission_classes = (AllowAny,)
 
+    @csrf_exempt
     @swagger_auto_schema(
         responses={
             200: DocResponse(

api/views/submission.py

@@ -8,6 +8,7 @@
 from django.shortcuts import get_object_or_404
 from django.utils import timezone
 from django.utils.decorators import method_decorator
+from django.views.decorators.csrf import csrf_exempt
 from django_filters.rest_framework import DjangoFilterBackend
 from drf_yasg.openapi import Parameter
 from drf_yasg.openapi import Response as DocResponse
@@ -55,6 +56,7 @@ class SubmissionViewSet(viewsets.ModelViewSet):
         "redis_id",
     ]
 
+    @csrf_exempt
     @swagger_auto_schema(
         manual_parameters=[
             Parameter("ctq", "query", type="boolean"),
@@ -99,6 +101,7 @@ def expired(self, request: Request, source: str = None) -> Response:
         )
         return Response(self.get_serializer(queryset[:100], many=True).data)
 
+    @csrf_exempt
     @swagger_auto_schema(
         manual_parameters=[Parameter("hours", "query", type="integer")],
         required=["source"],
@@ -136,6 +139,7 @@ def in_progress(self, request: Request, source: str = None) -> Response:
         )
         return Response(self.get_serializer(queryset[:100], many=True).data)
 
+    @csrf_exempt
     @swagger_auto_schema(
         responses={200: DocResponse("Successful operation", schema=serializer_class)},
         required=["source"],
@@ -161,6 +165,7 @@ def unarchived(self, request: Request, source: str = None) -> Response:
         )
         return Response(data=self.get_serializer(queryset[:100], many=True).data)
 
+    @csrf_exempt
     @swagger_auto_schema(
         request_body=Schema(
             type="object", properties={"username": Schema(type="string")}
@@ -206,6 +211,7 @@ def unclaim(self, request: Request, pk: int, username: str = None) -> Response:
             data=self.serializer_class(submission, context={"request": request}).data,
         )
 
+    @csrf_exempt
     @swagger_auto_schema(
         request_body=Schema(
             type="object", properties={"username": Schema(type="string")}
@@ -338,6 +344,7 @@ def _check_for_rank_up(
                 ),
             )
 
+    @csrf_exempt
     @swagger_auto_schema(
         request_body=Schema(
             type="object",
@@ -414,6 +421,7 @@ def done(self, request: Request, pk: int, username: str = None) -> Response:
             data=self.serializer_class(submission, context={"request": request}).data,
         )
 
+    @csrf_exempt
     @swagger_auto_schema(
         request_body=Schema(
             type="object",
@@ -486,6 +494,7 @@ def _get_limit_value(self, request: Request, default: int = 10) -> Union[int, No
             else:
                 return default
 
+    @csrf_exempt
     @swagger_auto_schema(
         responses={
             200: DocResponse("Successful operation", schema=serializer_class),
@@ -533,6 +542,7 @@ def get_transcribot_queue(self, request: Request, source: str = None) -> Respons
             data=self.get_serializer(queryset[:return_limit], many=True).data
         )
 
+    @csrf_exempt
     @swagger_auto_schema(
         request_body=Schema(
             type="object",
@@ -576,6 +586,7 @@ def yeet(self, request: Request, username: str = None) -> Response:
 
         return Response(status=status.HTTP_200_OK, data={"total_yeeted": yeeted})
 
+    @csrf_exempt
     @action(detail=False, methods=["post"])
     def bulkcheck(self, request: Request) -> Response:
         """Start with of a list of IDs, then return which ones are new to us."""

api/views/transcription.py

@@ -4,6 +4,7 @@
 
 from django.shortcuts import get_object_or_404
 from django.utils import timezone
+from django.views.decorators.csrf import csrf_exempt
 from django_filters.rest_framework import DjangoFilterBackend
 from drf_yasg.openapi import Parameter
 from drf_yasg.openapi import Response as DocResponse
@@ -38,6 +39,7 @@ class TranscriptionViewSet(viewsets.ModelViewSet):
         "removed_from_reddit",
     ]
 
+    @csrf_exempt
     @swagger_auto_schema(
         request_body=Schema(
             type="object",
@@ -131,6 +133,7 @@ def create(
             status=status.HTTP_201_CREATED,
         )
 
+    @csrf_exempt
     @swagger_auto_schema(
         manual_parameters=[Parameter("submission_id", "query", type="string")],
         responses={400: 'Query parameter "submission_id" not present'},
@@ -156,6 +159,7 @@ def search(
             ).data
         )
 
+    @csrf_exempt
     @swagger_auto_schema(
         responses={
             200: DocResponse(

api/views/volunteer.py

@@ -3,6 +3,7 @@
 
 from django.shortcuts import get_object_or_404
 from django.utils.decorators import method_decorator
+from django.views.decorators.csrf import csrf_exempt
 from django_filters.rest_framework import DjangoFilterBackend
 from drf_yasg.openapi import Parameter
 from drf_yasg.openapi import Response as DocResponse
@@ -40,6 +41,7 @@ class VolunteerViewSet(viewsets.ModelViewSet):
     filter_backends = [DjangoFilterBackend]
     filterset_fields = ["id", "username", "is_volunteer", "accepted_coc", "blacklisted"]
 
+    @csrf_exempt
     @swagger_auto_schema(
         manual_parameters=[Parameter("username", "query", type="string")],
         responses={
@@ -54,6 +56,7 @@ def summary(self, request: Request, username: str = None) -> Response:
         user = get_object_or_404(BlossomUser, username=username, is_volunteer=True)
         return Response(self.serializer_class(user).data)
 
+    @csrf_exempt
     @swagger_auto_schema(
         request_body=no_body, responses={404: "No volunteer with the specified ID."}
     )
@@ -79,6 +82,7 @@ def gamma_plusone(self, request: Request, pk: int) -> Response:
         )
         return Response(self.serializer_class(user).data)
 
+    @csrf_exempt
     @swagger_auto_schema(
         request_body=Schema(
             type="object", properties={"username": Schema(type="string")}
@@ -104,6 +108,7 @@ def create(
             self.serializer_class(user).data, status=status.HTTP_201_CREATED
         )
 
+    @csrf_exempt
     @swagger_auto_schema(
         request_body=no_body,
         responses={