> Further research shows that CSRF is enabled regardless of my
> settings.py if we use Django's built-in auth.
>
> Obviously, we need to still use Django's auth, so we can't just
> disable CSRF site-wide like this hack:
> http://stackoverflow.com/questions/1650941/django-csrf-framework-cannot-be-disabled-and-is-breaking-my-site
> ...or this hack...
> http://djangosnippets.org/snippets/2069/
>
> Obviously also, we have no control over the third-party server sending
> the POST request, so we can't resort to this hack:
> http://stackoverflow.com/questions/2405353/having-a-postable-api-and-djangos-csrf-middleware
>
> The decorator @csrf_exempt does not work as described in the docs as
> our view always returns a 403 when any content is POSTed.
>
> Very confusing!
>
> Kieran
<snip>
I'm not entirely sure but i think i've hit the same problem.
I tried to access a view with urllib & urllib that requires a logged
in user with the appropriate rights.
First i need to login in and post the username and password in order to use
a second call to access the protected function.
This is the test code i used to automatically login:
import urllib2,urllib
o = urllib2.build_opener( urllib2.HTTPCookieProcessor() )
urllib2.install_opener(o)
id='Admin'
pw='xyz'
p=urllib.urlencode({"username" : id, "password" : pw})
f=o.open("http://calltracking:8000/accounts/login/", p)
data=f.read()
f.close()
The login view has the decorator @csrf_exempt and login works fine.
Next, i try the actual view that also has @csrf_exempt specified.
I get this back:
>>> f=o.open("http://calltracking:8000/management/statistics/top/user/yearly/", p)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "c:\python26\lib\urllib2.py", line 397, in open
response = meth(req, response)
File "c:\python26\lib\urllib2.py", line 510, in http_response
'http', request, response, code, msg, hdrs)
File "c:\python26\lib\urllib2.py", line 435, in error
return self._call_chain(*args)
File "c:\python26\lib\urllib2.py", line 369, in _call_chain
result = func(*args)
File "c:\python26\lib\urllib2.py", line 518, in http_error_default
raise HTTPError(req.get_full_url(), code, msg, hdrs, fp)
urllib2.HTTPError: HTTP Error 403: FORBIDDEN
I'm not sure how to proceed as it seems that csrf is getting in the way.
Regards,
Benedict
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
No comments:
Post a Comment