Django admin raises CSRF verification failed

I've started a new Django project and enabled the admin app.
I can log in to the admin site, but when I try to add/change a site or user I get:
CSRF verification failed. Request aborted.
Reason given for failure:
CSRF token missing or incorrect.
This is what I have in settings.py:
TEMPLATE_LOADERS = (
    'django.template.loaders.filesystem.Loader',
    'django.template.loaders.app_directories.Loader',
)
MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    # Uncomment the next line for simple clickjacking protection:
    # 'django.middleware.clickjacking.XFrameOptionsMiddleware',
)
INSTALLED_APPS = (
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.sites',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'django.contrib.admin',
    # Uncomment the next line to enable admin documentation:
    # 'django.contrib.admindocs',
)
When I look at the admin page source I see
<input type='hidden' name='csrfmiddlewaretoken' value='T9Mfk1LRXi5jPE2dh5jcvdKwzYM6Iy5I' />
there.
I have Django version 1.4.1.

Have you overridden the CSRF_COOKIE_DOMAIN setting? If the CSRF token is present in the form, and you haven't modified the source of the admin app, then the most likely scenario is that the cookie is not being set correctly.
Check the response headers of the login page to make sure that the cookie is being set correctly, and check the request headers of your login attempt to ensure that it is also being sent (and matches the value in the form).

Locally, I have one project where the CSRF works fine when browsing http://localhost:8040/my-admin/ but fails at http://127.0.0.1:8040/my-admin/.
I'm not sure why but that might help save someone some time.
Note: I haven't set the CSRF_COOKIE_DOMAIN.
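The two answers above describe a manual check: look at the login response for the csrftoken cookie, then look at the failing POST for the same cookie and a matching csrfmiddlewaretoken field, and remember that a cookie set while browsing localhost is never sent to 127.0.0.1. The script below performs that check offline on captured headers. It is an added example, not code from the question or from Django; the header values, hostnames and tokens in it are constructed, and the direct string comparison of cookie and form token is how Django 1.4 validated them (newer Django masks the form token, so there only the presence of both values can be checked this way).

```python
"""Check the two things the answers point at: did the login response set a
csrftoken cookie the browser will send back, and does the token sent with
the POST match the csrfmiddlewaretoken field. Added example, not code from
the question or from Django; all headers and values below are constructed."""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs


def header(headers, name):
    """First value of a header from a list of (name, value) pairs, or ""."""
    for k, v in headers:
        if k.lower() == name.lower():
            return v
    return ""


def csrf_cookie_from_response(headers):
    """Return the csrftoken Morsel (value plus Domain/Path attributes) from
    the Set-Cookie headers of a response, or None if none was set."""
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(v)
        if "csrftoken" in jar:
            return jar["csrftoken"]
    return None


def cookies_from_request(headers):
    """Parse the Cookie request header into {name: value}."""
    jar = SimpleCookie()
    cookie_header = header(headers, "Cookie")
    if cookie_header:
        jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}


def cookie_would_be_sent(set_by_host, cookie_domain, request_host):
    """Simplified RFC 6265 domain matching. Without a Domain attribute the
    cookie is host-only, so one set while browsing localhost is never sent
    to 127.0.0.1 even though both reach the same runserver (the symptom in
    the second answer). Ports are ignored, as browsers do for cookies."""
    req = request_host.split(":")[0].lower()
    if not cookie_domain:
        return req == set_by_host.split(":")[0].lower()
    dom = cookie_domain.lstrip(".").lower()
    return req == dom or req.endswith("." + dom)


def diagnose(login_host, login_response_headers, post_headers, post_body):
    """Return a list of findings; an empty list means the cookie and form
    token line up the way CsrfViewMiddleware expects."""
    findings = []
    morsel = csrf_cookie_from_response(login_response_headers)
    if morsel is None:
        return ["login response set no csrftoken cookie"]
    post_host = header(post_headers, "Host")
    if not cookie_would_be_sent(login_host, morsel["domain"], post_host):
        scope = morsel["domain"] or login_host
        findings.append(f"csrftoken cookie scoped to {scope!r} is not sent to {post_host!r}")
    sent = cookies_from_request(post_headers)
    if "csrftoken" not in sent:
        findings.append("POST request carried no csrftoken cookie")
        return findings
    form_token = parse_qs(post_body).get("csrfmiddlewaretoken", [""])[0]
    if not form_token:
        findings.append("POST body has no csrfmiddlewaretoken field")
    elif form_token != sent["csrftoken"]:
        # Django 1.4 compares the two strings directly; newer Django masks the
        # form token, so there only the presence of both values is checkable here.
        findings.append("csrfmiddlewaretoken does not match the csrftoken cookie")
    return findings


# Constructed capture of a working login followed by a working POST.
GOOD_LOGIN_HEADERS = [
    ("Set-Cookie", "csrftoken=abc123def456; Path=/"),
    ("Set-Cookie", "sessionid=s1; Path=/; HttpOnly"),
]
GOOD_POST_HEADERS = [
    ("Host", "localhost:8040"),
    ("Cookie", "sessionid=s1; csrftoken=abc123def456"),
]
GOOD_POST_BODY = "csrfmiddlewaretoken=abc123def456&username=admin&password=x"

if __name__ == "__main__":
    print(diagnose("localhost:8040", GOOD_LOGIN_HEADERS, GOOD_POST_HEADERS, GOOD_POST_BODY))
    # Same cookie, but the browser was then pointed at 127.0.0.1 instead.
    print(diagnose("localhost:8040", GOOD_LOGIN_HEADERS,
                   [("Host", "127.0.0.1:8040")], GOOD_POST_BODY))
```

Paste the real Set-Cookie, Host and Cookie headers from the browser's network panel into the two lists and the findings tell you which half of the exchange is broken: cookie never set (look at CSRF_COOKIE_DOMAIN and middleware order), cookie scoped to a different host, or a stale form token.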

Related

Django CORS allowing requests from non-allowed origin

I have Django CORS running with an allowed origin list that looks like this:
CORS_ORIGIN_ALLOW_ALL = False
CORS_ALLOWED_ORIGINS = [
    'http://127.0.0.1:8000',
    'http://127.0.0.1:3000',
]
Yet if I request this using Python's requests library in my terminal it still allows the request. I've even tried only allowing requests from https://google.com, but it still allows me to use my API.
Why is this? (I'm still new to Django, so sorry if this is a bad question)
Here are some other settings.
Installed apps:
INSTALLED_APPS = [
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    # internal
    'my_app1',
    'my_app2',
    'my_app3',
    # third party
    'rest_framework',
    'corsheaders',
    'debug_toolbar',
]
Middleware:
MIDDLEWARE = [
    'corsheaders.middleware.CorsMiddleware',
    'debug_toolbar.middleware.DebugToolbarMiddleware',
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'django_user_agents.middleware.UserAgentMiddleware',
]
From the Mozilla CORS docs:
Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell browsers to give a web application running at one origin access to selected resources from a different origin.
It is a browser mechanism and has nothing to do with API protection in the sense in which you are misinterpreting it.
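The point of the answer, that the server only emits a header and the browser is the party that enforces it, is easiest to see with both halves modelled side by side. The script below is an added example, not code from the question or from django-cors-headers: it reduces the middleware's decision to one function, then shows a browser page being blocked by a missing Access-Control-Allow-Origin while a terminal client reads the same body untouched, and finally shows that an authentication check is what actually withholds the body. The origins, token and payload are constructed.

```python
"""CORS is enforced by the browser, not the server: a model of both halves.

Added example, not code from the question or from django-cors-headers. The
server adds or withholds Access-Control-Allow-Origin; a browser refuses to
expose the response to a page when the header does not match; a terminal
client such as python-requests or curl never sends Origin and never reads the
header, so the allow-list cannot keep it out. The origins, token and payload
are constructed for the demonstration.
"""

ALLOWED_ORIGINS = ["http://127.0.0.1:8000", "http://127.0.0.1:3000"]
VALID_TOKENS = {"constructed-token"}        # stands in for whatever DRF auth you use
PAYLOAD = '{"users": ["alice", "bob"]}'     # constructed API response body


def cors_headers(origin, allowed, allow_all=False):
    """Simplified version of the per-request decision django-cors-headers
    makes: echo an allowed Origin back, '*' when everything is allowed,
    otherwise add nothing."""
    if allow_all:
        return {"Access-Control-Allow-Origin": "*"}
    if origin in allowed:
        return {"Access-Control-Allow-Origin": origin}
    return {}


def api_view(request_headers, allowed=ALLOWED_ORIGINS, allow_all=False, require_auth=False):
    """Server side. Returns (status, headers, body). CORS headers only
    decorate the response; the one thing that can withhold the body is an
    authentication/permission check."""
    if require_auth:
        auth = request_headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if token not in VALID_TOKENS:
            return 401, {"Content-Type": "application/json"}, '{"detail": "not authenticated"}'
    headers = {"Content-Type": "application/json"}
    headers.update(cors_headers(request_headers.get("Origin"), allowed, allow_all))
    return 200, headers, PAYLOAD


def browser_fetch(page_origin, **view_kwargs):
    """A page served from page_origin calls the API. The browser adds Origin
    and only lets the page read the body if the server allowed that origin.
    Returns the body, or None when CORS blocks it."""
    status, headers, body = api_view({"Origin": page_origin}, **view_kwargs)
    acao = headers.get("Access-Control-Allow-Origin")
    if acao == "*" or acao == page_origin:
        return body
    return None   # console: No 'Access-Control-Allow-Origin' header is present


def script_fetch(token=None, **view_kwargs):
    """python-requests / curl: no Origin header and no code path that looks
    at Access-Control-Allow-Origin. Returns (status, body) exactly as served."""
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    status, _, body = api_view(headers, **view_kwargs)
    return status, body


if __name__ == "__main__":
    print(browser_fetch("http://127.0.0.1:3000"))     # body: allowed origin
    print(browser_fetch("https://attacker.example"))  # None: the browser blocks it
    print(script_fetch())                             # (200, body): CORS is irrelevant
    print(script_fetch(require_auth=True))            # (401, ...): auth is what stops it
```

Read the last two lines of the main block together: shrinking CORS_ALLOWED_ORIGINS to a single origin changes nothing for the script, while a permission class on the view (or DRF's DEFAULT_PERMISSION_CLASSES) is what turns the 200 into a 401.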

django-tenant-schema enable Admin module for all tenants

I am setting up Django with a multitenant architecture. I went through the https://django-tenant-schemas.readthedocs.io/en/latest/install.html
instructions and got to the point where I have the initial startup screen.
What I want to achieve is to enable the admin module for each tenant.
In my settings.py I have the following:
# Application definition
SHARED_APPS = (
    'tenant_schemas',  # mandatory, should always be before any django app
    'customers',  # you must list the app where your tenant model resides in
    'django.contrib.contenttypes',
    # everything below here is optional
)
TENANT_APPS = (
    'django.contrib.contenttypes',
    # your tenant-specific apps
    # 'myapp.hotels',
    # 'myapp.houses',
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.sessions',
    'django.contrib.sites',
    'django.contrib.messages',
    'django.contrib.staticfiles',
)
INSTALLED_APPS = [
    'tenant_schemas',
    'customers',
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.sites',
    'django.contrib.messages',
    'django.contrib.staticfiles',
]
TENANT_MODEL = "customers.Client"
MIDDLEWARE = [
    'tenant_schemas.middleware.TenantMiddleware',
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
ROOT_URLCONF = 'sitemanager.urls'
PUBLIC_SCHEMA_URLCONF = 'sitemanager.urls_public'
When trying to open http://localhost:8000/admin I get this error:
DoesNotExist at /admin/login/
Site matching query does not exist.
Request Method: GET
Request URL: http://localhost:8000/admin/login/?next=/admin/
Django Version: 2.1.2
Exception Type: DoesNotExist
Exception Value:
Site matching query does not exist.
My urls.py:
from django.contrib import admin
from django.urls import path

urlpatterns = [
    path('admin/', admin.site.urls),
]
What am I missing in configuration?
Adding PUBLIC_SCHEMA_NAME = 'public' sorted the problem.
I think django.contrib.sites should be in SHARED_APPS.
Kudos for using django-tenant-schemas, +1.
Then, to create a superuser: ./manage.py tenant_command createsuperuser
Might be handy.
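Putting the two suggestions from the answers together gives the settings layout below. It is an added example that follows the SHARED_APPS / TENANT_APPS recipe from the django-tenant-schemas docs, not code from the question: django.contrib.sites moves to SHARED_APPS so a single Site row in the public schema is visible from every tenant schema (tenant search paths fall back to public), while admin, auth and sessions stay per tenant as the question wanted. 'customers' and "customers.Client" are the question's own names.

```python
# settings.py excerpt. Added example following the django-tenant-schemas
# docs' layout, not the question's code; only django.contrib.sites changes
# side compared with the question, plus PUBLIC_SCHEMA_NAME and SITE_ID.
SHARED_APPS = (
    'tenant_schemas',               # mandatory, must come before any Django app
    'customers',                    # the app holding the tenant model
    'django.contrib.contenttypes',
    'django.contrib.sites',         # shared: one django_site row, reachable from every tenant schema
)

TENANT_APPS = (
    'django.contrib.contenttypes',  # required in both lists
    'django.contrib.admin',         # per-tenant admin, users and sessions
    'django.contrib.auth',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    # your tenant-specific apps, e.g. 'myapp.hotels'
)

# The docs' recipe: shared apps first, then any tenant app not already listed.
INSTALLED_APPS = list(SHARED_APPS) + [app for app in TENANT_APPS if app not in SHARED_APPS]

TENANT_MODEL = "customers.Client"
PUBLIC_SCHEMA_NAME = 'public'
SITE_ID = 1   # the Site row the auth login view looks up while django.contrib.sites is installed
```

After `./manage.py migrate_schemas`, each tenant's admin needs its own superuser, which is what the answer's `./manage.py tenant_command createsuperuser` does; the command accepts `--schema=<schema_name>` to pick the tenant.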

Retrieve data from API REST Django and Angular

I'm trying to retrieve the json from the rest api set up using Django.
This data is currently only hosted on: http://127.0.0.1:8000/xyz
When I try to retrieve it using
$http({
    method: 'GET',
    url: 'http://127.0.0.1:8000/xyz',
})
I get an error that is:
XMLHttpRequest cannot load http://127.0.0.1:8000/xyz. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:8080' is therefore not allowed access.
Can someone tell me a way of dealing with this, please?
Thanks!
Here's my Django settings folder:
INSTALLED_APPS = (
    'student',
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'rest_framework',
    'corsheaders',
)
MIDDLEWARE_CLASSES = (
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    # django-cors-headers asks for CorsMiddleware as high as possible,
    # before CommonMiddleware; here it sits last.
    'corsheaders.middleware.CorsMiddleware',
)
CORS_ALLOW_CREDENTIALS = True
CORS_ORIGIN_ALLOW_ALL = True      # True makes CORS_ORIGIN_WHITELIST below irrelevant
CORS_URLS_REGEX = r'^/api.*$'     # /xyz does not match this, so it gets no CORS headers at all
CORS_ORIGIN_WHITELIST = (
    'mydomain',
    'localhost:3000',
    'http://127.0.0.1:8000/',     # the API's own origin, not the Angular page's (127.0.0.1:8080)
)
Look into using django-cors-headers to have Django return the proper headers. You can then create a whitelist for your site (http://127.0.0.1:8080 for development and whatever your final domain for production)
I use the following in my settings for a similar setup:
INSTALLED_APPS += ('corsheaders',)
CORS_ALLOW_CREDENTIALS = True
CORS_ORIGIN_ALLOW_ALL = True      # while this is True the whitelist below is not consulted
CORS_URLS_REGEX = r'^/api.*$'
CORS_ORIGIN_WHITELIST = (
    'mydomain',
    'localhost:3000',
)
You may also need to add the following to your Angular project:
$http.defaults.useXDomain = true;
[UPDATE]
See this blog for more details
Apart from the changes in settings.py, please try adding a slash at the end of the URL you are calling:
$http({
method: 'GET',
- url: 'http://127.0.0.1:8000/xyz',
+ url: 'http://127.0.0.1:8000/xyz/',
})
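The answer's advice is to use django-cors-headers with a whitelist for the front end's origin. Below is the settings fragment a reviewer would actually want for the setup in the question (API on http://127.0.0.1:8000, Angular dev server on http://127.0.0.1:8080), shown as the permissive form first and the tightened form second. It is an added example, not the answer's or the question's code; the production origin is a placeholder, and the middleware list is the question's own with CorsMiddleware moved to where django-cors-headers' installation notes put it.

```python
# settings.py for an API on 127.0.0.1:8000 called from a page on
# 127.0.0.1:8080. Added example, not the answer's code; 'https://app.example.com'
# is a placeholder for the real front-end origin.

# Weak: with CORS_ORIGIN_ALLOW_ALL the whitelist is never consulted, and
# combined with CORS_ALLOW_CREDENTIALS django-cors-headers echoes whatever
# Origin asks (browsers reject '*' when credentials are included), so any
# site a logged-in user visits may call a cookie-authenticated API from
# that user's browser.
#
#   CORS_ORIGIN_ALLOW_ALL = True
#   CORS_ALLOW_CREDENTIALS = True
#   CORS_URLS_REGEX = r'^/api.*$'     # /xyz/ does not match, so it never gets the headers

# Corrected: name the origins that may call the API and cover the URLs that
# are actually called. Entries carry the scheme (django-cors-headers 3.x
# format; the MIDDLEWARE_CLASSES-era releases took bare host[:port]).
CORS_ORIGIN_ALLOW_ALL = False
CORS_ORIGIN_WHITELIST = (
    'http://127.0.0.1:8080',       # the Angular dev server from the error message
    'https://app.example.com',     # placeholder for the production front end
)
CORS_ALLOW_CREDENTIALS = True      # drop this unless the front end really sends cookies
CORS_URLS_REGEX = r'^/.*$'         # or r'^/api/.*$' once every endpoint lives under /api/

MIDDLEWARE_CLASSES = (
    # As high as possible, before any middleware that can itself produce a
    # response (CommonMiddleware's APPEND_SLASH redirect, for one), per the
    # django-cors-headers installation notes.
    'corsheaders.middleware.CorsMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
)
```

The regex is the detail most often missed when the error persists after installing the package: the question's r'^/api.*$' excludes /xyz entirely, so no amount of whitelisting helps until the pattern matches the path being fetched.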

Django Flatpages DB Tables Not Created

Ubuntu 14.04
Python 3.4.0
Django 1.7
I just followed the 4 step directions to set up flatpages, but when I ran python3 manage.py migrate, none of the DB tables for the flatpages were created. All the other tables were created, just not the ones needed to flatpages. I'm pretty puzzled by this, 'cause this isn't complicated. I added the right stuff into my settings.py --
SITE_ID = 1 # added for flatpages

# Application definition
INSTALLED_APPS = (
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'django.contrib.sites', # added
    'django.contrib.flatpages.urls', # added for flatpages
)
MIDDLEWARE_CLASSES = (
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'django.contrib.flatpages.middleware.FlatpageFallbackMiddleware', # added
)
...and into my urls.py (though I don't think this could affect DB table creation) --
from django.conf.urls import patterns, include, url
from django.views.generic import TemplateView
from django.contrib import admin

urlpatterns = patterns('',
    # Examples:
    url(r'^$', 'pets.views.home', name='home'),
    url(r'^pages/', include('django.contrib.flatpages.urls')),
    url(r'^robots\.txt$', TemplateView.as_view(template_name='robots.txt',
                                               content_type='text/plain')),
    url(r'^admin/', include(admin.site.urls)),
)
...am I having a brain fart or something? I don't see why this won't work, but it's just not creating the DB tables needed for flatpages. This isn't my 1st time creating something with Django, but it is my 1st time trying out flatpages.
Yes, probably a brain fart: you've added the urls module to INSTALLED_APPS, rather than the app itself.
'django.contrib.flatpages', # added for flatpages

Django 1.4.1 not loading admin site (Django Book tutorial)

I can't figure out why Django is not loading the admin page. It seems like it isn't even reading the urls.py file that I am editing - because even if I comment out the 'urlpatterns' statement, it still loads the local hello page fine once I run the server.
This is the error message:
Page not found (404)
Request Method: GET
Request URL: http://127.0.0.1:8000/admin
Using the URLconf defined in mysite.urls, Django tried these URL patterns, in this order:
^hello/$
^time/$
^time/plus/(\d{1,2})/$
The current URL, admin, didn't match any of these.
This is my urlpatterns code:
from django.conf.urls import patterns, include, url
from mysite.views import *

# Uncomment the next two lines to enable the admin:
from django.contrib import admin
admin.autodiscover()

urlpatterns = patterns('',
    ('^hello/$', hello, ),
    ('^time/$', current_datetime, ),
    (r'^time/plus/(\d{1,2})/$', hours_ahead, ),
    # Examples:
    # url(r'^$', 'mysite.views.home', name='home'),
    # url(r'^mysite/', include('mysite.foo.urls')),
    # Uncomment the admin/doc line below to enable admin documentation:
    # url(r'^admin/doc/', include('django.contrib.admindocs.urls')),
    # Uncomment the next line to enable the admin:
    url(r'^admin/', include(admin.site.urls))
)
And this is a snippet of my settings.py file:
MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    # 'django.middleware.csrf.CsrfViewMiddleware',  # CSRF protection is off while this stays commented out
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    # 'django.contrib.messages.middleware.MessageMiddleware'
    # Uncomment the next line for simple clickjacking protection:
    # 'django.middleware.clickjacking.XFrameOptionsMiddleware',
)
ROOT_URLCONF = 'mysite.urls'

# Python dotted path to the WSGI application used by Django's runserver.
WSGI_APPLICATION = 'mysite.wsgi.application'

TEMPLATE_DIRS = (
    '/Users/pavelfage/Desktop/Coding/mysite/Templates',
    # Put strings here, like "/home/html/django_templates" or "C:/www/django/templates".
    # Always use forward slashes, even on Windows.
    # Don't forget to use absolute paths, not relative paths.
)
INSTALLED_APPS = (
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.sites',
    # 'django.contrib.messages',
    # 'django.contrib.staticfiles',
    # Uncomment the next line to enable the admin:
    'django.contrib.admin',
    # Uncomment the next line to enable admin documentation:
    # 'django.contrib.admindocs',
    'mysite.books',
)
Any help much appreciated!
I faced same problem. Uncommenting from django.contrib import admin in urls.py solved the problem.
I had the same problem. You may try this:
In your urls.py replace the call include(admin.site.urls) with this: admin.site.urls
In your settings.py, if you don't have any TEMPLATE_CONTEXT_PROCESSORS property (that was my situation), add this:
TEMPLATE_CONTEXT_PROCESSORS = (
    "django.contrib.auth.context_processors.auth",
    "django.core.context_processors.debug",
    "django.core.context_processors.i18n",
    "django.core.context_processors.media",
    "django.core.context_processors.static",
    "django.core.context_processors.tz",
    "django.contrib.messages.context_processors.messages",
)
It seems to be roughly the default property in a normal Django 1.4 configuration. Here are the docs talking about it: djangoproject-doc1 djangoproject-doc2
You may also have to uncomment the strings:
    # 'django.contrib.messages',
    # 'django.contrib.staticfiles',
in your INSTALLED_APPS property of the settings.py, but I'm not sure about it.
Sorry for not explaining the reasons for those changes better, but I'm a Django beginner too. I just found your question corresponding to my problem and then a possible answer.
I hope it may help you.
EDIT: as seen in a comment, you may try to remove the url(...) instruction on the line concerning the URL of the admin site.
ben
