encode · tomchristie · Mar 16, 2021 · Feb 16, 2021
diff --git a/rest_framework/templates/rest_framework/base.html b/rest_framework/templates/rest_framework/base.html
@@ -290,7 +290,7 @@ <h1>{{ name }}</h1>
       <script>
         window.drf = {
           csrfHeaderName: "{{ csrf_header_name|default:'X-CSRFToken' }}",
-          csrfToken: "{% if request %}{{ csrf_token }}{% endif %}"
+          csrfToken: "{% if request %}{% if post_form or put_form %}{{ csrf_token }}{% endif %}{% endif %}"
         };
       </script>
       <script src="{% static "rest_framework/js/jquery-3.5.1.min.js" %}"></script>

diff --git a/tests/test_templates.py b/tests/test_templates.py
@@ -3,15 +3,23 @@
 from django.shortcuts import render
 
 
-def test_base_template_with_context():
-    context = {'request': True, 'csrf_token': 'TOKEN'}
-    result = render({}, 'rest_framework/base.html', context=context)
-    assert re.search(r'\bcsrfToken: "TOKEN"', result.content.decode())
-
-
 def test_base_template_with_no_context():
     # base.html should be renderable with no context,
     # so it can be easily extended.
     result = render({}, 'rest_framework/base.html')
     # note that this response will not include a valid CSRF token
     assert re.search(r'\bcsrfToken: ""', result.content.decode())
+
+
+def test_base_template_with_simple_context():
+    context = {'request': True, 'csrf_token': 'TOKEN'}
+    result = render({}, 'rest_framework/base.html', context=context)
+    # note that response will STILL not include a CSRF token
+    assert re.search(r'\bcsrfToken: ""', result.content.decode())
+
+
+def test_base_template_with_editing_context():
+    context = {'request': True, 'post_form': object(), 'csrf_token': 'TOKEN'}
+    result = render({}, 'rest_framework/base.html', context=context)
+    # response includes a CSRF token in support of the POST form
+    assert re.search(r'\bcsrfToken: "TOKEN"', result.content.decode())