
Call csrf_exempt on DjangoResource.as_view.

Open selectnull opened this issue 11 years ago • 3 comments

For any custom endpoints that are not HTTP GET, CSRF exemption is needed or the call will fail with HTTP 403.

One might argue that this fix smells like someone wanting to implement RPC-like endpoints, and one would not necessarily be wrong :) Nevertheless, API endpoints should not be protected with CSRF, and this fix is consistent with the as_list and as_detail methods.

I haven't written a test because FakeHTTPRequest does not trigger CSRF, so it wasn't just a case of writing another test; if you find this pull request valid I would like to implement proper tests.

selectnull avatar Jul 06 '14 17:07 selectnull

Wouldn't this be better if it's configurable?

schmitch avatar Jul 21 '14 20:07 schmitch

@c-schmitt I don't think so, for the following reasons:

  • CSRF protection is not needed for RESTful APIs
  • as_list and as_detail methods are not CSRF protected; this change is similar to those methods
  • Restless has no special configurable settings. Why introduce this one?

selectnull avatar Jul 21 '14 22:07 selectnull

I'm fine with this change. It'd be nice to have a test added that demonstrates the issue (fails without the patch, works post-patch) to ensure that Restless doesn't regress in the future. Once we've got that, I'd be happy to merge this.

toastdriven avatar Aug 20 '14 23:08 toastdriven
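The 403 described in the opening post and the fails-before/works-after test requested above, as an added example that is not part of this thread or of Restless. It is a pure-Python model (no Django import) that mirrors how Django's `csrf_exempt` sets a `csrf_exempt` attribute on the view and how `CsrfViewMiddleware.process_view` skips views carrying it; `FakeResource`, `PatchedResource` and `dispatch` are hypothetical names standing in for `DjangoResource` before and after the patch.

```python
from functools import wraps

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def csrf_exempt(view_func):
    """Model of Django's decorator: flag the callable so the middleware skips it."""
    @wraps(view_func)
    def wrapped_view(request, *args, **kwargs):
        return view_func(request, *args, **kwargs)
    wrapped_view.csrf_exempt = True
    return wrapped_view


def csrf_process_view(request, callback):
    """Simplified stand-in for CsrfViewMiddleware.process_view.

    Returns 403 for an unsafe method on a non-exempt view without a matching
    token, None when the request may proceed.
    """
    if getattr(callback, "csrf_exempt", False):
        return None
    if request["method"] in SAFE_METHODS:
        return None
    if request.get("csrf_token") and request["csrf_token"] == request.get("csrf_cookie"):
        return None
    return 403


class FakeResource:
    """Hypothetical model of the resource class before the patch."""
    @classmethod
    def as_view(cls, view_type):
        def view(request, *args, **kwargs):
            return 200  # the endpoint body does not matter for this demo
        return view

    @classmethod
    def as_list(cls):  # already exempt, as described in the thread
        return csrf_exempt(cls.as_view("list"))

    @classmethod
    def as_detail(cls):  # already exempt, as described in the thread
        return csrf_exempt(cls.as_view("detail"))


class PatchedResource(FakeResource):
    """The PR's fix: as_view itself is exempt, so any custom endpoint is too."""
    @classmethod
    def as_view(cls, view_type):
        return csrf_exempt(super().as_view(view_type))


def dispatch(resource_cls, view_type, method):
    """Run the CSRF check then the view; return the resulting HTTP status."""
    callback = resource_cls.as_view(view_type)
    request = {"method": method}  # constructed request: no token, no cookie
    denied = csrf_process_view(request, callback)
    return denied if denied is not None else callback(request)
```

A real regression test would do the same with `django.test.Client(enforce_csrf_checks=True)`, since the default test client (like FakeHTTPRequest) does not enforce CSRF.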