Make Webhook views CSRF exempt

This way, these webhook can be called from a command line and
authenticate them via session (user/password)

Author: humitos

readthedocs/restapi/authentication.py

@@ -0,0 +1,15 @@
+# -*- coding: utf-8 -*-
+from rest_framework.authentication import SessionAuthentication
+
+
+class CsrfExemptSessionAuthentication(SessionAuthentication):
+    """
+    Session authentication class exempt of CSRF.
+
+    DRF by default when using a ``SessionAuthentication`` it enforces CSRF.
+
+    See: https://github.com/encode/django-rest-framework/blob/3.9.0/rest_framework/authentication.py#L134-L144
+    """
+
+    def enforce_csrf(self, request):
+        return

readthedocs/restapi/views/integrations.py

@@ -1,5 +1,3 @@
-# -*- coding: utf-8 -*-
-
 """Endpoints integrating with Github, Bitbucket, and other webhooks."""
 
 import json
@@ -23,6 +21,8 @@
 from readthedocs.integrations.utils import normalize_request_payload
 from readthedocs.projects.models import Project
 
+from ..authentication import CsrfExemptSessionAuthentication
+
 
 log = logging.getLogger(__name__)
 
@@ -349,7 +349,7 @@ class IsAuthenticatedOrHasToken(permissions.IsAuthenticated):
     """
 
     def has_permission(self, request, view):
-        has_perm = (super().has_permission(request, view))
+        has_perm = super().has_permission(request, view)
         return has_perm or 'token' in request.data
 
 
@@ -422,6 +422,11 @@ class WebhookView(APIView):
     be.
     """
 
+    # We want to avoid CSRF checking when authenticating by user/password on
+    # this API endpoint so we can make a request like:
+    # curl -X POST -d "branches=branch" -u user:pass -e URL /api/v2/webhook/test-builds/{pk}/
+    authentication_classes = [CsrfExemptSessionAuthentication]
+
     VIEW_MAP = {
         Integration.GITHUB_WEBHOOK: GitHubWebhookView,
         Integration.GITLAB_WEBHOOK: GitLabWebhookView,