CSRF validation will only be applied to POST requests, so let's only load .RAW_CONTENT in those cases

Author: tom christie [email protected]

djangorestframework/authenticators.py

@@ -80,14 +80,18 @@ def authenticate(self, request):
 
 
 class UserLoggedInAuthenticator(BaseAuthenticator):
-    """Use Djagno's built-in request session for authentication."""
+    """Use Django's built-in request session for authentication."""
     def authenticate(self, request):
         if getattr(request, 'user', None) and request.user.is_active:
-            # Temporarily request.POST with .RAW_CONTENT, so that we use our more generic request parsing
-            request._post = self.mixin.RAW_CONTENT
-            resp = CsrfViewMiddleware().process_view(request, None, (), {})
-            del(request._post)
-            if resp is None:  # csrf passed
-                return request.user
+            # If this is a POST request we enforce CSRF validation.
+            if request.method.upper() == 'POST':
+                # Temporarily replace request.POST with .RAW_CONTENT,
+                # so that we use our more generic request parsing
+                request._post = self.mixin.RAW_CONTENT
+                resp = CsrfViewMiddleware().process_view(request, None, (), {})
+                del(request._post)
+                if resp is not None:  # csrf failed
+                    return None
+            return request.user
         return None