On Monday, June 25, 2012 3:06:28 PM UTC+2, Melvyn Sopacua wrote:
>
> On 25-6-2012 13:11, Mike wrote: 
>
> > POST:<QueryDict: {u'{"user":"test_user","password":"test_password"}': 
> > [u'']}>, 
>
> Wait a second... 
> Where's your csrfmiddlewaretoken from the {% csrf_token %} field that 
> you put in your form? 
>
> This is the process: 
> - the cookie token is basically a lock 
> - the POST request resembles trying to open the door with that lock 
> - the formfield token is a key 
>
> No key, no open door. 
> Wrong key, no open door. 
> -- 
> Melvyn Sopacua 
>
Well, that's the thing, there *is* no {% csrf_token %} field in my form 
because I have no form.  The initial GET request is processed with this 
block of code:
    else:
        c = {}
        c.update(csrf(request))
        return render_to_response('empty.html', c)

empty.html is an empty text file. Also, the view function is decorated 
with @ensure_csrf_cookie to make sure that the response contains the csrf 
cookie even though I'm not using {% csrf_token %}.

In writing all this I just noticed that I have two lines of code aimed at 
making sure the response contains the csrf token:
    @ensure_csrf_cookie
and 
    c.update(csrf(request))

It seems like I shouldn't need both, so maybe having both is breaking 
something.  I'll check on that.
Mike
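
As an added illustration (not part of the original message, and not Django's own code): a simplified model of the cookie-versus-submitted-token comparison described in the quoted reply, run against the JSON body from the QueryDict above. The function names, sample token and error strings are assumptions; `csrftoken` and `X-CSRFToken` are Django's default cookie and AJAX header names.

```python
import hmac
from urllib.parse import parse_qs


def parse_form_body(body):
    """Parse a body as form-encoded data, keeping the first value per key."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def csrf_check(cookies, headers, body):
    """Simplified double-submit check: the submitted token must equal the cookie."""
    cookie_token = cookies.get("csrftoken")  # the "lock"
    if not cookie_token:
        return (False, "CSRF cookie not set")
    post = parse_form_body(body)
    # The "key": form field first, then the AJAX header as a fallback.
    submitted = post.get("csrfmiddlewaretoken") or headers.get("X-CSRFToken", "")
    if not submitted:
        return (False, "CSRF token missing")
    # Constant-time comparison so the check does not leak matching prefixes.
    if not hmac.compare_digest(cookie_token.encode(), submitted.encode()):
        return (False, "CSRF token incorrect")
    return (True, "ok")


# Constructed sample values (the JSON body is the one shown in the QueryDict).
TOKEN = "constructed-sample-token-0123456789abcdef"
JSON_BODY = '{"user":"test_user","password":"test_password"}'
COOKIES = {"csrftoken": TOKEN}


def demo():
    return {
        # JSON parsed as a form becomes one key with an empty value: no token field.
        "parsed_json_as_form": parse_form_body(JSON_BODY),
        "no_key": csrf_check(COOKIES, {}, JSON_BODY),
        "wrong_key": csrf_check(COOKIES, {"X-CSRFToken": "not-the-token"}, JSON_BODY),
        "header_key": csrf_check(COOKIES, {"X-CSRFToken": TOKEN}, JSON_BODY),
        "form_key": csrf_check(COOKIES, {}, "user=test_user&csrfmiddlewaretoken=" + TOKEN),
        "no_cookie": csrf_check({}, {"X-CSRFToken": TOKEN}, JSON_BODY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```
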



-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/django-users/-/P77ojG6cfnIJ.