From bdf5017081b6f2017bed812c8276a9b693d8c564 Mon Sep 17 00:00:00 2001
From: Radek Czajka <radoslaw.czajka@nowoczesnapolska.org.pl>
Date: Thu, 26 Apr 2012 16:10:46 +0200
Subject: [PATCH] exempt publishing api from csrf

---
 apps/api/helpers.py |  6 ++++++
 apps/api/urls.py    | 11 ++++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/apps/api/helpers.py b/apps/api/helpers.py
index aa22465fc..acb491afc 100644
--- a/apps/api/helpers.py
+++ b/apps/api/helpers.py
@@ -1,8 +1,14 @@
 # -*- coding: utf-8 -*-
 
 from time import mktime
+from piston.resource import Resource
 
 def timestamp(dtime):
     "converts a datetime.datetime object to a timestamp int"
     return int(mktime(dtime.timetuple()))
 
+class CsrfExemptResource(Resource):
+    """A Custom Resource that is csrf exempt"""
+    def __init__(self, handler, authentication=None):
+        super(CsrfExemptResource, self).__init__(handler, authentication)
+        self.csrf_exempt = getattr(self.handler, 'csrf_exempt', True)
diff --git a/apps/api/urls.py b/apps/api/urls.py
index a22f3b772..f9f9c2279 100644
--- a/apps/api/urls.py
+++ b/apps/api/urls.py
@@ -1,10 +1,11 @@
 # -*- coding: utf-8 -*-
 from django.conf.urls.defaults import *
-from piston.authentication import OAuthAuthentication
+from django.views.decorators.csrf import csrf_exempt
+from piston.authentication import OAuthAuthentication, oauth_access_token 
 from piston.resource import Resource
 
 from api import handlers
-from catalogue.models import Book
+from api.helpers import CsrfExemptResource
 
 auth = OAuthAuthentication(realm="Wolne Lektury")
 
@@ -12,7 +13,7 @@ book_changes_resource = Resource(handler=handlers.BookChangesHandler)
 tag_changes_resource = Resource(handler=handlers.TagChangesHandler)
 changes_resource = Resource(handler=handlers.ChangesHandler)
 
-book_list_resource = Resource(handler=handlers.BooksHandler, authentication=auth)
+book_list_resource = CsrfExemptResource(handler=handlers.BooksHandler, authentication=auth)
 #book_list_resource = Resource(handler=handlers.BooksHandler)
 book_resource = Resource(handler=handlers.BookDetailHandler)
 
@@ -22,13 +23,13 @@ tag_resource = Resource(handler=handlers.TagDetailHandler)
 fragment_resource = Resource(handler=handlers.FragmentDetailHandler)
 fragment_list_resource = Resource(handler=handlers.FragmentsHandler)
 
-picture_resource = Resource(handler=handlers.PictureHandler, authentication=auth)
+picture_resource = CsrfExemptResource(handler=handlers.PictureHandler, authentication=auth)
 
 urlpatterns = patterns(
     'piston.authentication',
     url(r'^oauth/request_token/$', 'oauth_request_token'),
     url(r'^oauth/authorize/$', 'oauth_user_auth'),
-    url(r'^oauth/access_token/$', 'oauth_access_token'),
+    url(r'^oauth/access_token/$', csrf_exempt(oauth_access_token)),
 
 ) + patterns('',
     url(r'^$', 'django.views.generic.simple.direct_to_template',
-- 
2.20.1