Pyjamas + Django => CSRF confusion, 403 errors - python

I've got Pyjamas and Django running via Apache2 with mod_wsgi on Windows 7. I do not believe I'm getting issues from the setups of these things, though: the only thing that is not working is trying to POST information from Pyjamas-generated forms. Trying to use Pyjamas-generated forms in my application produces 403s (the "CSRF verification failed" error page).
I have spent hours on this and read all of the answers I could find on here related to CSRF and Pyjamas, and done a lot of external research just on CSRF and Django, Django and Ajax, etc. If this question isn't reaching anyone who knows just what to do in this situation, I think I've whittled down the essence of the question.
How would one get the {% csrf_token %} into the Pyjamas-generated form? It seems like it might be impossible, because from what I understand CSRF tokens are not persistent, which a Pyjamas-generated page is ... My Pyjamas page is generated from a Pyjamas .py file, resulting in a folder full of hard-coded stuff. How is it that I would integrate the current CSRF token into that already-coded form?
Please don't hesitate to ask for more details, this issue has been incredibly hard to navigate. None of the published information on integrating Pyjamas & Django regards this; and the only solutions I've found that seem aware of CSRF in Django say you should probably just disable CSRF protection (which I could do, but what protection could I put in place of it? My own cookie system? Is it a terrible idea to disable CSRF protection in any case?).
Thank you!

You'll need to write some JavaScript to get the CSRF token from the cookie (part of the HTTP request), then add it to the form on submit.
Look at this answer for a starting point: Django CSRF check failing with an Ajax POST request
The key here is that the JavaScript can be as persistent as your Pyjamas-generated files, because it defers handling the token until the form is submitted.
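The approach described in this answer, as an added example that is not part of the original post: a cookie parser plus a submit handler that copies Django's `csrftoken` cookie into the `csrfmiddlewaretoken` hidden field the middleware checks (both names are Django's defaults and are assumed here). The handler is generic enough to attach to every POST form in the Pyjamas-generated page, and it refuses to submit when the cookie is missing rather than sending a request that is certain to be rejected.

```javascript
// Added example (not from the original answer): read Django's "csrftoken"
// cookie and inject it into a Pyjamas-generated form at submit time.
// Assumes Django's default cookie name "csrftoken" and field name "csrfmiddlewaretoken".

// Parse one named cookie out of a Cookie string such as document.cookie.
// Returns null when the cookie is absent.
function getCookie(name, cookieString) {
  const prefix = name + '=';
  for (const part of cookieString.split(';')) {
    const trimmed = part.trim();
    if (trimmed.startsWith(prefix)) {
      return decodeURIComponent(trimmed.substring(prefix.length));
    }
  }
  return null;
}

// Build the hidden field Django's CsrfViewMiddleware looks for in the POST body.
// Returns null when no token is available so the caller can refuse to submit
// rather than send a request that is certain to get a 403.
function csrfFormField(cookieString) {
  const token = getCookie('csrftoken', cookieString);
  if (token === null) return null;
  return { name: 'csrfmiddlewaretoken', value: token };
}

// Attach a submit handler that adds (or refreshes) the hidden field right
// before the browser sends the POST. Browser-only; `doc` is the document.
function attachCsrfToForm(form, doc) {
  form.addEventListener('submit', function (event) {
    const field = csrfFormField(doc.cookie);
    if (field === null) {
      event.preventDefault(); // no token: do not submit a doomed request
      return;
    }
    let input = form.querySelector('input[name="' + field.name + '"]');
    if (input === null) {
      input = doc.createElement('input');
      input.type = 'hidden';
      input.name = field.name;
      form.appendChild(input);
    }
    input.value = field.value; // always send the current token, never a stale one
  });
}

if (typeof document !== 'undefined') {
  document.querySelectorAll('form[method="post"]').forEach(f => attachCsrfToForm(f, document));
}
```

Django only sets the `csrftoken` cookie for responses from views that use the token, so the page that serves the Pyjamas output must come from such a view (for instance one decorated with `django.views.decorators.csrf.ensure_csrf_cookie`), or `getCookie` will find nothing.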

Related

React JS Frontend with DRF backend authentication

Have developed a pretty decent API utilizing Django and Django Rest Framework to make my data available for consumption. Decided to build a React JS front end to be a little more dynamic than the standard Django templates. I have numerous views within DRF which work fine; I'm able to make calls against them and get or post to them no problem. Currently I'm working on implementing a login capability for the React frontend so that users will be given access to a couple of protected views and will be presented with information relevant to them.
Maybe I'm not understanding what is supposed to be happening, web development isn't exactly my area of expertise. Have referenced the Django documentation a bunch trying to understand sessions and session authentication. I have a 'login' view which is taking a username and password provided to it, searching for a related 'User' record based off of the username and attempting to leverage the django.contrib.auth login method; this all seems to be working, the user is getting authenticated. After this step, I'm pretty much completely lost as to what is supposed to happen.
In my React component, I've attempted sending the username as a 'session' attribute in the header, I've tried including the csrftoken in the headers, I've tried to just enable 'withCredentials' in the callout. Really not sure what I'm supposed to be doing here. Is my login view supposed to be returning some attribute that I would then store in the react components to include in calls to protected views?
Been stuck on this for a while and am getting lost in reading documentation.
Thanks

Django redirect to a view with GET arguments set

I'm having a hard time understanding the Django system of views and templates. All I want to do is inform the user of the status of his request: he pushes a button and gets an infobox with a message. The button in the Dashboard is at the root of the URL and sends a POST request to the Django Web App at book/.
In the view bound to this URL, I check if the booking is valid and want to inform the user (without the use of javascript) about the result. I wanted to send back a HTTP redirect to /?response=success or /?response=failed.
I've tried to give the view of the dashboard arguments and changed the URL regex but this did not lead where I want it to go. Currently, it's just
return redirect('dashboard')
and the URL conf is:
...
url(r'^$', app.views.dashboard, name='dashboard'),
url(r'^book/$', app.views.book, name='book'),
...
I really like Django - it's really easy to use. But in simple cases like this, it just drives me crazy. I would appreciate any kind of help.
Kind regards
Eric
You could just use the messages framework - that's what it's for.
Oh and yes: if that's just for displaying information (no side effect on the server), you should use a GET request - POST is for submitting data for processing by the server.

django csrf in mobile apps

I am developing an Android application, using django1.6 on the server side.
I want to POST some data to the server, but it shows error 403.
What do I have to do to overcome the error (CSRF token missing or incorrect)?
Is it a good idea to remove the csrf middleware
(removing django.middleware.csrf.CsrfViewMiddleware from the settings file)?
If not, what is an alternate solution?
This problem is not Django-specific. If you search "CSRF Restful" you will find many questions and answers about this, e.g. this one.
At the basic level, I would say that CSRF is a mechanism to plug security issues affecting people who use browsers. As such, people who use mobile applications are not likely to be affected by this.
You should keep the CSRF layer for people who access your application from web browsers and create a different scheme to access your api from other types of clients.
Yep, it's a good idea, 'cause you just don't need it for a mobile backend,
but just removing
'django.middleware.csrf.CsrfViewMiddleware'
won't be enough; you need to add your own middleware that will disable CSRF.
Here is the solution: http://www.soyoucode.com/2011/really-disable-csrf-django

Bypassing Django CSRF Protection using external POST Request

I have a Python program that needs to be able to send data to my website (built with Django). This data will then be taken and displayed on a certain part of the website. The problem I'm having is that the CSRF protection built into Django blocks my POST request. From what I understand, this is usually avoided by adding {% csrf_token %} to whatever form the POST request is being sent to. My problem is that I'm trying to send the POST request to a .cgi script rather than a form. Does anybody know how I could bypass the CSRF protection (preferably without removing it completely, although this is an option)?
You should use the csrf_exempt decorator to avoid csrf protection in certain views.
You can read the docs for more information
In case you are using class based views, I'd recommend django-braces which uses a mixin to achieve this, as well as providing other extremely useful mixins.

Auth_token error at Facebook

I have been on this for the last 2 days with no result.
I am running my Facebook app on my localhost with the port-forwarding method.
I know my server setup is working fine as I can see the logs on the Django runserver and the dyndns log as well.
Django is properly responding to calls as well.
The problem is, as soon as the app authorizes with my user account, it goes straight to the page that says this:
Errors while loading page from application
The URL http://amitverma.dyndns.org/facebook_sample/?auth_token=817f8fbe99eff10582b634589de17b84 is not valid.
Please try again later. We appreciate your patience as the developers of app_test and Facebook resolve this issue. Thanks!
I am making a test app, learning from the Facebook + Django tutorial from here and here.
I am still getting this error and I have no idea what I am doing wrong...
Please help me out.
This often happens with a failed authentication. I'm not sure what the Python client libraries might look like, but with the PHP ones you generally make an authorization call against the library, something like $facebook->require_login().
With the PHP library, if this call fails to verify the user's Facebook session, then it automatically outputs HTML that will redirect the browser and try to re-establish the session, hence the auth_token parameter.
I suspect you're running into something similar. Try to isolate any authentication calls you're making, and use a Firefox extension like LiveHTTPHeaders to see if you are undergoing any redirects during the requests.
When you get that error, presuming you have debug=True in the Django settings and that your application is in development mode in Facebook, you can do View Source and see the entire Django error page that would normally display, including the traceback. Facebook comments it out in the HTML so it doesn't show on the front end, but you can copy and paste it into a separate HTML file and view that in your browser to see the nice friendly Django error page, which will definitely give you a clue as to what's going wrong.
