Conversation

selectnull
For any custom endpoints that are not HTTP GET, csrf exemption
is needed or the call will fail with HTTP 403.

One might argue that this fix smells like someone wanting to implement rpc-like endpoints and one would not be necessarily wrong :) Nevertheless, API endpoints should not be protected with CSRF and this fix is consistent with as_list and as_detail methods.

I haven't written a test because FakeHTTPRequest does not trigger CSRF so it wasn't just a case of writing another test; if you find this pull request valid I would like to implement proper tests.

@schmitch
Contributor

wouldn't this be better if it's configurable?

@selectnull
Author

@c-schmitt I don't think so for the following reasons:

  • CSRF protection is not needed for RESTful APIs
  • as_list and as_detail methods are not CSRF protected; this change is similar to those methods
  • restless has no special configurable settings. Why introduce this one?

@toastdriven
Owner

I'm fine with this change. It'd be nice to have a test added that demonstrates the issue (fails without the patch, works post-patch) to ensure that Restless doesn't regress in the future. Once we've got that, I'd be happy to merge this.
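An added example, not code from Restless or Django: a small offline model of the CSRF decision the thread describes, showing why an un-exempted non-GET custom endpoint gets a 403 while an exempted view (as as_list and as_detail are) and a plain GET pass through. The names (Resource, as_view, ping, csrf_middleware) are stand-ins; a real regression test would drive the endpoint through Django's test Client(enforce_csrf_checks=True) rather than FakeHTTPRequest, which never triggers the check.

```python
"""Simplified model of Django's CSRF decision for a Restless-style endpoint.

Stand-in for django.middleware.csrf.CsrfViewMiddleware and
django.views.decorators.csrf.csrf_exempt, constructed so the 403 behaviour
described in the pull request can be exercised offline. Names are assumptions.
"""
import functools

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")  # never CSRF-checked, as in Django


def csrf_exempt(view):
    """Mark a view so the middleware skips the check (mirrors Django's decorator)."""
    @functools.wraps(view)
    def wrapped(request, *args, **kwargs):
        return view(request, *args, **kwargs)
    wrapped.csrf_exempt = True
    return wrapped


def csrf_middleware(view, request):
    """Return 403 for unsafe requests whose token does not match, else call the view."""
    if getattr(view, "csrf_exempt", False) or request["method"] in SAFE_METHODS:
        return view(request)
    token = request.get("csrf_token")
    if token is None or token != request.get("csrf_cookie"):
        return 403  # HTTP 403 Forbidden, the failure the pull request describes
    return view(request)


class Resource:
    """Minimal stand-in for a restless Resource with a custom, non-GET endpoint."""
    def ping(self, request):
        return 200

    @classmethod
    def as_view(cls, method_name, exempt):
        """Build a dispatcher; `exempt` models whether csrf_exempt was applied."""
        def view(request):
            return getattr(cls(), method_name)(request)
        return csrf_exempt(view) if exempt else view


def call(method, exempt, token=None, cookie=None):
    """Send one constructed request through the middleware to the endpoint."""
    view = Resource.as_view("ping", exempt)
    request = {"method": method, "csrf_token": token, "csrf_cookie": cookie}
    return csrf_middleware(view, request)
```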
