mozilla
diff --git a/‎README.rst‎
Lines changed: 13 additions & 0 deletions b/‎README.rst‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎session_csrf/__init__.py‎
Lines changed: 10 additions & 0 deletions b/‎session_csrf/__init__.py‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎session_csrf/tests.py‎
Lines changed: 10 additions & 1 deletion b/‎session_csrf/tests.py‎
Lines changed: 10 additions & 1 deletion
@@ -77,6 +77,19 @@ token in the cache. It can be controlled through these settings:
  Default: ``60 * 60 * 2 # 2 hours``
 
 
+If you only want a view to have CSRF protection for logged-in users, you can
+use the ``anonymous_csrf_exempt`` decorator. This could be useful if the
+anonymous view is protected through a CAPTCHA, for example.
+
+::
+
+ from session_csrf import anonymous_csrf_exempt
+
+ @anonymous_csrf_exempt
+ def protected_in_another_way(request):
+ ...
+
+
 Why do I want this?
 -------------------
 
 
@@ -58,6 +58,10 @@ def process_view(self, request, view_func, args, kwargs):
  if getattr(view_func, 'csrf_exempt', False):
  return
 
+ if (getattr(view_func, 'anonymous_csrf_exempt', False)
+ and not request.user.is_authenticated()):
+ return
+
  # Bail if this isn't a POST.
  if request.method != 'POST':
  return self._accept(request)
@@ -110,6 +114,12 @@ def wrapper(request, *args, **kw):
  return wrapper
 
 
+def anonymous_csrf_exempt(f):
+ """Like @csrf_exempt but only for anonymous requests."""
+ f.anonymous_csrf_exempt = True
+ return f
+
+
 # Replace Django's middleware with our own.
 def monkeypatch():
  from django.views.decorators import csrf as csrf_dec
 
@@ -14,12 +14,13 @@
 
 import mock
 
-from session_csrf import CsrfMiddleware, anonymous_csrf
+from session_csrf import CsrfMiddleware, anonymous_csrf, anonymous_csrf_exempt
 
 
 urlpatterns = patterns('',
  ('^$', lambda r: http.HttpResponse()),
  ('^anon$', anonymous_csrf(lambda r: http.HttpResponse())),
+ ('^no-anon-csrf$', anonymous_csrf_exempt(lambda r: http.HttpResponse())),
  ('^logout$', anonymous_csrf(lambda r: logout(r) or http.HttpResponse())),
 )
 
@@ -226,6 +227,14 @@ def test_existing_anon_cookie_not_in_cache(self):
  response = self.client.get('/anon')
  self.assertEqual(len(response._request.csrf_token), 32)
 
+ def test_anonymous_csrf_exempt(self):
+ response = self.client.post('/no-anon-csrf')
+ self.assertEqual(response.status_code, 200)
+
+ self.login()
+ response = self.client.post('/no-anon-csrf')
+ self.assertEqual(response.status_code, 403)
+
 
 class ClientHandler(django.test.client.ClientHandler):
  """