From a1ba77d6b33ea09e7f5c1dd2f69250ac1efb926c Mon Sep 17 00:00:00 2001
From: Clinton Blackburn
Date: Sat, 29 Aug 2015 03:02:05 -0400
Subject: [PATCH] Diabled CSRF protection for Credit Course API endpoints

CSRF protection needs to be disabled so that requests made using OAuth and other non-session-based authentication mechanisms can be properly processed. If session authentication is used, DRF will enforce CSRF protection.

XCOM-524
---
 openedx/core/djangoapps/credit/views.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/openedx/core/djangoapps/credit/views.py b/openedx/core/djangoapps/credit/views.py
index 22a05b6e12..9ebf90b361 100644
--- a/openedx/core/djangoapps/credit/views.py
+++ b/openedx/core/djangoapps/credit/views.py
@@ -12,6 +12,7 @@ from django.http import (
     HttpResponseForbidden,
     Http404
 )
+from django.utils.decorators import method_decorator
 from django.views.decorators.csrf import csrf_exempt
 from django.views.decorators.http import require_POST, require_GET
 from opaque_keys import InvalidKeyError
@@ -379,6 +380,9 @@ class CreditCourseViewSet(mixins.CreateModelMixin, mixins.UpdateModelMixin, view
     authentication_classes = (authentication.OAuth2Authentication, authentication.SessionAuthentication,)
     permission_classes = (permissions.IsAuthenticated, permissions.IsAdminUser)
 
+    # This CSRF exemption only applies when authenticating without SessionAuthentication.
+    # SessionAuthentication will enforce CSRF protection.
+    @method_decorator(csrf_exempt)
     def dispatch(self, request, *args, **kwargs):
         # Convert the course ID/key from a string to an actual CourseKey object.
         course_id = kwargs.get(self.lookup_field, None)
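Review bot: The `@method_decorator(csrf_exempt)` on `dispatch` in the second hunk disables Django's middleware-level CSRF check for every request to this ViewSet, so CSRF protection for browser sessions now rests entirely on `authentication.SessionAuthentication` staying in `authentication_classes` and on DRF's `enforce_csrf()` running for those requests. If this class ultimately inherits DRF's `ViewSetMixin` (the base list is cut off in the hunk header), `as_view()` already returns the view wrapped in `csrf_exempt`, which would make this decorator redundant; that is worth confirming against the URL configuration before keeping it. Either way the new comment should name the dependency it creates, e.g. `# CSRF is still enforced for session-authenticated requests only because SessionAuthentication calls enforce_csrf();` / `# dropping SessionAuthentication or swapping in a class that skips it would leave these state-changing endpoints unprotected.` A test asserting that a session-authenticated POST/PUT without a CSRF token is rejected with 403 would pin that guarantee so it cannot be lost silently. The body of `dispatch` continues past the end of the hunk.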