Create new auth backend for rest_framework based on session, but without csrf.

greenmine/base/auth.py

@@ -0,0 +1,24 @@
+# -*- coding: utf-8 -*-
+
+from rest_framework.authentication import BaseAuthentication
+
+
+class SessionAuthentication(BaseAuthentication):
+    """
+    Use Django's session framework for authentication without csrf.
+    """
+
+    def authenticate(self, request):
+        """
+        Returns a `User` if the request session currently has a logged in user.
+        Otherwise returns `None`.
+        """
+
+        http_request = request._request
+        user = getattr(http_request, 'user', None)
+
+        if not user or not user.is_active:
+            return None
+
+        return (user, None)
+

greenmine/settings/common.py

@@ -163,13 +163,13 @@ TEMPLATE_LOADERS = [
 
 MIDDLEWARE_CLASSES = [
     'django.middleware.common.CommonMiddleware',
+    'django.middleware.locale.LocaleMiddleware',
     'greenmine.base.middleware.GreenmineSessionMiddleware',
     'greenmine.base.middleware.CoorsMiddleware',
-    'django.middleware.locale.LocaleMiddleware',
+    #'django.middleware.csrf.CsrfViewMiddleware',
-    'django.middleware.csrf.CsrfViewMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
-    'django.contrib.messages.middleware.MessageMiddleware',
+    #'django.contrib.messages.middleware.MessageMiddleware',
-    'django.middleware.clickjacking.XFrameOptionsMiddleware',
+    #'django.middleware.clickjacking.XFrameOptionsMiddleware',
     'django.middleware.transaction.TransactionMiddleware',
     'reversion.middleware.RevisionMiddleware',
 ]
@@ -320,7 +320,7 @@ HAYSTACK_DEFAULT_OPERATOR = 'AND'
 
 REST_FRAMEWORK = {
     'DEFAULT_AUTHENTICATION_CLASSES': (
-        'rest_framework.authentication.SessionAuthentication',
+        'greenmine.base.auth.SessionAuthentication',
     ),
     'FILTER_BACKEND': 'rest_framework.filters.DjangoFilterBackend',
 }