Comments (3)
Seriously thanks so much for this one. The API stuff I have at the moment is un-authenticated so I would never have had the same hiccup with that. Yup totally right about referencing the AJAX CSRF docs. The error message stuff is a little more involved than it might seem at first sight seeing as there might be 0, 1 or many authenticators, and an authentication failure on one, many or all of the authenticators may not mean that the user doesn't have permission, plus the failed authentication responses might be either 401s or 403s, including the WWW-Authenticate header in the case of the 401s. Anyhoo, some of this has been in the (far) back of my head for a while, so I might try to pick up a bit of it this weekend.
from django-rest-framework.
Question is: what behavior do we expect here? Other authentication classes may also be present on the resource, and just because a request isn't CSRF validated it doesn't mean one of those other classes might authenticate the request.
I guess the right thing to do is probably to check if request.user is authenticated, and throw a "CSRF failed!" response if it is.
I'm not sure about the inner workings of the CSRF validation and your code, but as long as a CSRF validation error (and only such an error) results in the correct error message, that would be OK for me :)
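A framework-free sketch of the behaviour these comments converge on, added here as an example and not code from the thread or from django-rest-framework itself: the session authenticator enforces CSRF only once its session actually yields an authenticated user, and otherwise returns None so a later authenticator (a hypothetical token class) can still claim the request, while a genuine CSRF mismatch produces a distinct "CSRF Failed" error. The Request class, the token table and all token values are constructed for the example.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional

class AuthenticationFailed(Exception): pass  # credentials supplied but wrong (401)
class PermissionDenied(Exception): pass      # authenticated, but refused (403)

@dataclass
class Request:
    # Constructed stand-in for an HTTP request; these fields are hypothetical.
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    session_user: Optional[str] = None  # user the session cookie maps to, if any

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

class SessionAuthentication:
    def authenticate(self, request):
        if request.session_user is None:
            return None  # no session user: not ours, let the next class try
        self.enforce_csrf(request)  # only a session-authenticated user needs CSRF
        return request.session_user

    def enforce_csrf(self, request):
        if request.method in SAFE_METHODS:
            return
        cookie = request.cookies.get("csrftoken", "")
        header = request.headers.get("X-CSRFToken", "")
        if not cookie or not hmac.compare_digest(cookie, header):
            raise PermissionDenied("CSRF Failed: token missing or incorrect.")

class TokenAuthentication:
    VALID_TOKENS = {"tok-abc": "alice"}  # constructed token table
    def authenticate(self, request):
        auth = request.headers.get("Authorization", "")
        if not auth.startswith("Token "):
            return None
        user = self.VALID_TOKENS.get(auth[len("Token "):])
        if user is None:
            raise AuthenticationFailed("Invalid token.")
        return user

def authenticate(request, authenticators=(SessionAuthentication(), TokenAuthentication())):
    """Run the authenticators in order; the first one that returns a user wins."""
    for auth in authenticators:
        user = auth.authenticate(request)
        if user is not None:
            return user
    return None  # anonymous; the permission classes decide what happens next
```

A token-authenticated POST with no session never touches the CSRF check, whereas a session-backed POST with a mismatched token is rejected with the CSRF message rather than a generic authentication failure.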