
Fixed ``SessionAuthentication`` to only check CSRF on data-changing methods.

Thanks to natmaster for the report!
1 parent 9479190 commit b22ae8336bb0efa5ccf4e1cecc4c16200d738075 @toastdriven toastdriven committed Aug 13, 2012
Showing with 17 additions and 0 deletions.
  1. +6 −0 tastypie/authentication.py
  2. +11 −0 tests/core/tests/authentication.py
@@ -242,6 +242,12 @@ def is_authenticated(self, request, **kwargs):
# wrong.
# We also can't risk accessing ``request.POST``, which will break with
# the serialized bodies.
+ if request.method in ('GET', 'HEAD', 'OPTIONS', 'TRACE'):
+ return request.user.is_authenticated()
+
+ if getattr(request, '_dont_enforce_csrf_checks', False):
+ return request.user.is_authenticated()
+
csrf_token = _sanitize_token(request.COOKIES.get(settings.CSRF_COOKIE_NAME, ''))
if request.is_secure():
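Review bot: The two early returns carry no comment explaining why they are safe to take, and the `_dont_enforce_csrf_checks` branch in particular reads as an undocumented bypass of the CSRF check; a reader has to know it is the hook Django's own CSRF middleware honours to understand it is not an unauthenticated hole. I would add above the method tuple `# Mirror Django's CsrfViewMiddleware: safe (read-only) methods carry no CSRF risk, so only authentication is checked.` and above the getattr `# Honour the per-request opt-out Django's middleware uses (set e.g. by the test client); any other request with an unsafe method still falls through to the token and referer checks below.` The method tuple is also a bare literal; naming it once (e.g. a module-level `SAFE_METHODS = ('GET', 'HEAD', 'OPTIONS', 'TRACE')`) would make the policy visible at a glance and keep it from drifting if it is repeated elsewhere. is_authenticated starts before this hunk and its body continues past it, so its docstring (outside the hunk) should presumably be updated to state that CSRF is enforced only for non-safe methods.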
@@ -228,6 +228,7 @@ class SessionAuthenticationTestCase(TestCase):
def test_is_authenticated(self):
auth = SessionAuthentication()
request = HttpRequest()
+ request.method = 'POST'
request.COOKIES = {
settings.CSRF_COOKIE_NAME: 'abcdef1234567890abcdef1234567890'
}
@@ -253,8 +254,18 @@ def test_is_authenticated(self):
request.user = User.objects.get(username='johndoe')
self.assertTrue(auth.is_authenticated(request))
+ # Logged in (with GET & no token).
+ request.method = 'GET'
+ request.META = {}
+ request.user = User.objects.get(username='johndoe')
+ self.assertTrue(auth.is_authenticated(request))
+
# Secure & wrong referrer.
os.environ["HTTPS"] = "on"
+ request.method = 'POST'
+ request.META = {
+ 'HTTP_X_CSRFTOKEN': 'abcdef1234567890abcdef1234567890'
+ }
request.META['HTTP_HOST'] = 'example.com'
request.META['HTTP_REFERER'] = ''
self.assertFalse(auth.is_authenticated(request))
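Review bot: The new test covers only the GET-skips-CSRF side of the change; nothing asserts that an unsafe method other than POST still has CSRF enforced, which is the property the method tuple is meant to guarantee and the one most likely to regress if the tuple is edited. Right after the GET case I would add `request.method = 'DELETE'`, `request.META = {}` and `self.assertFalse(auth.is_authenticated(request))`, and the same for 'PUT'. The comment `# Logged in (with GET & no token).` is slightly misleading, since only `request.META` is cleared while the cookie set at the top of the test presumably still holds a token; `# Logged in (GET, no token header).` would match what the lines do. A case exercising the `_dont_enforce_csrf_checks` path added in the same commit is also missing. test_is_authenticated starts before this hunk.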
