Monday, June 25, 2012

Re: 403 error when POSTing to a view with csrf protection



On Monday, June 25, 2012 3:06:28 PM UTC+2, Melvyn Sopacua wrote:
On 25-6-2012 13:11, Mike wrote:

> POST:<QueryDict: {u'{"user":"test_user","password":"test_password"}':
> [u'']}>,

Wait a second...
Where's your csrfmiddlewaretoken from the {% csrf_token %} field that
you put in your form?

This is the process:
- the cookie token is basically a lock
- the POST request resembles trying to open the door with that lock
- the formfield token is a key

No key, no open door.
Wrong key, no open door.
--
Melvyn Sopacua

Well, that's the thing, there is no {% csrf_token %} field in my form because I have no form. The initial GET request is processed with this block of code:
    else:
        c = {}
        c.update(csrf(request))
        return render_to_response('empty.html', c)

empty.html is an empty text file. Also, the view function is decorated with @ensure_csrf_cookie to make sure that the response contains the csrf cookie even though I'm not using {% csrf_token %}.

In writing all this I just noticed that I have two lines of code aimed at making sure the response contains the csrf token:
@ensure_csrf_cookie
and 
c.update(csrf(request))

It seems like I shouldn't need both, so maybe having both is breaking something.  I'll check on that.
Mike
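Editor's note: the block below is an added, stand-alone model of the lock-and-key check Melvyn describes; it is not code from this thread and not Django's own middleware. The cookie name (csrftoken), form field (csrfmiddlewaretoken) and AJAX header (X-CSRFToken) are Django's real names; the token value, the request bodies and the trimmed-down rule set (no Referer check, no csrf_exempt handling) are assumptions made for illustration. The first function also reproduces the QueryDict Mike pasted: a JSON body parsed as a form-encoded POST becomes a single key with an empty value, so there is no csrfmiddlewaretoken in it at all.

```python
"""Model of Django's CSRF double-submit check (illustrative, not Django's code).

Rule from the thread: the csrftoken cookie is the lock, the
csrfmiddlewaretoken form field (or the X-CSRFToken header for AJAX) is the
key, and a POST whose key is missing or wrong is answered with 403.
"""
import hmac
import secrets
from urllib.parse import parse_qs

COOKIE_NAME = "csrftoken"           # Django's CSRF cookie
FORM_FIELD = "csrfmiddlewaretoken"  # what {% csrf_token %} renders
HEADER_NAME = "X-CSRFToken"         # header Django accepts for AJAX POSTs


def parse_form_body(body):
    """Parse a body the way an application/x-www-form-urlencoded POST is parsed.

    keep_blank_values=True reproduces the QueryDict in the thread: a JSON body
    with no '=' becomes one key (the whole JSON string) with value ''.
    """
    return parse_qs(body, keep_blank_values=True)


def _header(headers, name):
    """Case-insensitive header lookup; '' when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def csrf_check(cookies, headers, body):
    """Return (status, reason) for a POST under the simplified rule set."""
    cookie_token = cookies.get(COOKIE_NAME, "")
    if not cookie_token:
        return 403, "CSRF cookie not set."
    form = parse_form_body(body)
    request_token = form.get(FORM_FIELD, [""])[0] or _header(headers, HEADER_NAME)
    if not request_token:
        return 403, "CSRF token missing."
    # Constant-time comparison: do not leak how many leading bytes matched.
    if not hmac.compare_digest(cookie_token.encode(), request_token.encode()):
        return 403, "CSRF token incorrect."
    return 200, "OK"


def demo():
    """Run the thread's cases against one freshly issued cookie token.

    Token and bodies are constructed here for the example, not captured
    from Mike's client.
    """
    token = secrets.token_hex(16)          # the lock @ensure_csrf_cookie sets
    cookies = {COOKIE_NAME: token}
    json_body = '{"user":"test_user","password":"test_password"}'
    cases = {
        # Mike's request: cookie present, JSON body, no key anywhere -> 403
        "json body, no key": csrf_check(cookies, {}, json_body),
        # A key that does not match the lock -> 403
        "form field, wrong key": csrf_check(
            cookies, {}, FORM_FIELD + "=" + secrets.token_hex(16)),
        # Classic form: {% csrf_token %} put the key in the body -> 200
        "form field, right key": csrf_check(
            cookies, {}, FORM_FIELD + "=" + token + "&user=test_user"),
        # AJAX: client reads the cookie and sends it back as a header -> 200
        "json body, X-CSRFToken header": csrf_check(
            cookies, {HEADER_NAME: token}, json_body),
    }
    return {name: status for name, (status, _reason) in cases.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status}  {name}")
```

Neither @ensure_csrf_cookie nor c.update(csrf(request)) puts a key into the request; both only make sure the lock (the cookie) is issued. The key has to travel back in the POST, either as the csrfmiddlewaretoken field or, for a JSON body like the one above, as the X-CSRFToken header copied from the cookie.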


--
You received this message because you are subscribed to the Google Groups "Django users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/django-users/-/P77ojG6cfnIJ.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
