I was wondering what's up with the CSRF Cookie not set error that Django throws at me all the time. I created a view (see below) that is a callback for a payment. I have no influence of what is being sent to that view. I have checked other posts on StackOverflow, but I don't think any apply to me. Most of them can just implement a csrf protection into their forms, csrf_exempt their views, or they use rest_framework.
class PaymentWebhook(View):
def post(self, request, *args, **kwargs):
# ...
Now, I'm getting this error everytime when I do nothing about this function:
Forbidden (CSRF cookie not set.): /payment/webhook
Since this is about payments, can I just csrf_exempt this, or would that just open a security hole? By the way, I have even tried putting an exempt on this function, but it still throws that error.
Any suggestions?
I finally managed to get a POST through. I'm fairly sure I had already tested it, but it seemed to work now: I put an csrf_exempt in my urls.py.
from django.views.decorators.csrf import csrf_exempt
url(r'^payment/webhook$', csrf_exempt(paymentwebhook), name='payment-webhook')
Any other way it would not work for me for some reason. Thanks nik_m for the help, appreciate it!
You should decorate the dispatch method with the csrf_exempt, like this:
from django.views.decorators.csrf import csrf_exempt
from django.utils.decorators import method_decorator
class PaymentWebhook(View):
#method_decorator(csrf_exempt)
def dispatch(self, request, *args, **kwargs):
return super(PaymentWebhook, self).dispatch(request, *args, **kwargs) # for python 2
return super().dispatch(request, *args, **kwargs) # for python 3
def post(self, request, *args, **kwargs):
# ...
or, based on this, you can clean it to:
from django.views.decorators.csrf import csrf_exempt
from django.utils.decorators import method_decorator
#method_decorator(csrf_exempt, name='dispatch')
class PaymentWebhook(View):
def post(self, request, *args, **kwargs):
# ...
Here is what i did ( import csrf_exempt )
from django.views.decorators.csrf import csrf_exempt
#csrf_exempt
#api_view(['POST'])
def add(request):
Simple. Import csrf_exempt:
from django.views.decorators.csrf import csrf_exempt
and then add the decorator:
#csrf_exempt
def your_function(request):
...
I use this for my payment webhooks and it has not been an issue. If you are particularly worried about security you can get the IP address from the request and only process the webhook if it matches your payment providers IP. Usually obtained from their website/api docs.
Related
I'm trying to write a mixin that will protect views by first checking if someone is logged in and then if they have been onboarded. It seems to work, by blocking views it's attached to, but it the URLjust goes to a 403 forbidden. Any ideas on how to get it to go to the named url?
from django.contrib.auth.mixins import UserPassesTestMixin
from django.http import HttpResponseRedirect
from django.shortcuts import redirect
from django.contrib.auth.mixins import LoginRequiredMixin
class OnboardedMixin(LoginRequiredMixin, UserPassesTestMixin):
"""
a custom mixin that checks to see if the user has been onboarded yet
"""
def test_func(self):
if self.request.user.onboarded and self.request.user.is_active:
return True
def get_login_url(self):
return redirect('onboarding',)
Rather than taking this approach, maybe its best to use a decorator instead. For example:
from django.contrib.auth.decorators import login_required
def my_login_required(function):
def wrapper(obj, request, *args, **kw):
decorated_view_func = login_required(request)
if not decorated_view_func.user.is_authenticated:
return decorated_view_func(request) # restricts without login and sends to signin view
if request.user.onboarded and request.user.is_active:
return function(obj, request, *args, **kw)
return HttpResponseRedirect("/onboarding/")
return wrapper
And use this decorator in desired views:
class SomeView(DetailView):
...
#my_login_requried
def dispatch(self, *args, **kwargs):
return super(SomeView, self).dispatch(*args, **kwargs)
I want to have a TemplateView Class that uses LoginRequiredMixin and UserPassesTestMixin at the same time. Something like this:
from django.views.generic import TemplateView
from django.contrib.auth.mixins import LoginRequiredMixin, UserPassesTestMixin
class FinanceOverview(LoginRequiredMixin, UserPassesTestMixin, TemplateMixin):
login_url = '/login'
redirect_field_name = 'next'
def test_func(self):
return self.request.user.groups.filter(name="FinanceGrp").exists()
def get(self, request, *args, **kwargs):
DO SOMETHING IF USER IS AUTHENTICATED AND ALSO MEMBER OF GROUP FinanceGrp
Basically as you can see above, what I want to achieve is the following:
If user is not authenticated, to redirect user to:
https://website/login?next=financeoverview
However what I can't figure out is how to redirect users who are authenticated but do not belong to group FinanceGrp to another page. For example:
https://website.com/access_denied?previous_page=financeoverview
In my case users are always redirected to /login page when they fail the group test. How can I achieve two mixins used at the same time but at the same time both of them are clashing around variable login_url. Unfortunately UserPassesTestMixin is using the same login_url so it makes this trouble for me.
Thanks in advance
Milos
I think you're better off subclassing AccessMixin and then performing these checks yourself. Something like this:
from django.contrib.auth.mixins import AccessMixin
from django.http import HttpResponseRedirect
class FinanceOverview(AccessMixin, TemplateMixin):
def dispatch(self, request, *args, **kwargs):
if not request.user.is_authenticated:
# This will redirect to the login view
return self.handle_no_permission()
if not self.request.user.groups.filter(name="FinanceGrp").exists():
# Redirect the user to somewhere else - add your URL here
return HttpResponseRedirect(...)
# Checks pass, let http method handlers process the request
return super().dispatch(request, *args, **kwargs)
You should override get_login_url:
class FinanceOverview(LoginRequiredMixin, UserPassesTestMixin, TemplateMixin):
login_url = '/login'
redirect_field_name = 'next'
def test_func(self):
return self.request.user.groups.filter(name="FinanceGrp").exists()
def get_login_url(self):
if self.request.user.is_authenticated:
return URL_FOR_AUTHENTICATED_USERS
return super().get_login_url()
def get(self, request, *args, **kwargs):
DO SOMETHING IF USER IS AUTHENTICATED AND ALSO MEMBER OF GROUP FinanceGrp
Django 1.9.6.
I want to absolutely disable the whole website from viewing by anonymous users. Anonymous users will always be redirected to login page.
I have created a general view. The problem is that subclasses of GeneralView may not just render a template but perform some calculations or just be of different kinds: DetailView, ListView etc.
class GeneralView(View):
def get(self, request, template):
if not request.user.is_authenticated() and request.user.is_active:
return redirect("auth_login")
else:
return render(request, template)
If I try to inherit, the code gets clumsy:
class HomePageView(GeneralView):
def get(self, request, template):
super().get(self, request)
Well, what can I do here? I get error message that my get method doesn't return HttpResponse.
I can rewrite get method of the superclass to return status code. Then check it in the subclass. But this seems to be garbage.
In other words I'm lost in clouds of inheritance. Could you give me a kick here how always to redirect anonymous users to login page, whereas let logged in users see everything.
Thank you in advance.
You could use the UserPassesTestMixin for this.
from django.core.urlresolvers import reverse_lazy
class GeneralView(UserPassesTestMixin, View):
def test_func(self):
# I assume you missed out the brackets in your question and actually wanted 'if not (request.user.is_authenticated() and request.user.is_active)'
return request.user.is_authenticated() and request.user.is_active
login_url = reverse_lazy('auth_login')
The mixin overrides dispatch, so you won't have to call super() when you override get() in your view.
class HomePageView(GeneralView):
def get(self, request):
...
I think your error for get method not returning belongs to not putting a return statement. in fact, in get method of the child class you should do:
class HomePageView(GeneralView):
def get(self, request, template):
return super().get(self, request)
That should solve the error
If you have lots of views and you do not want to touch any one you can just use Middleware for this issue. Try code below:
import traceback
from django.contrib.auth.decorators import login_required
class RejectAnonymousUsersMiddleware(object):
def process_view(self, request, view_func, view_args, view_kwargs):
current_route_name = resolve(request.path_info).url_name
if current_route_name in settings.AUTH_EXEMPT_ROUTES:
return
if request.user.is_authenticated:
return
return login_required(view_func)(request, *view_args, **view_kwargs)
Cautions:
You must add this middleware to the bottommost of middleware section
of settings.py
You should put this variable in settings.py
AUTH_EXEMPT_ROUTES = ('register', 'login', 'forgot-password')
New versions of Django provides the #login_required decorator. If an anonymous user tries to access the view, the system redirects to the login page.
from django.contrib.auth.decorators import login_required
#login_required
def my_view(request):
...
It can be used in function views, as shown above, or generic views (using #method_decorator, usually in dispatch method)
from django.contrib.auth.decorators import login_required
from django.utils.decorators import method_decorator
from django.views.generic import TemplateView
#method_decorator(login_required, name='dispatch')
class ProtectedView(TemplateView):
template_name = 'secret.html'
I am using class based views in Django. #login_required decorator is not redirecting to login page. It still shows the profile page.
class ProfileView(TemplateView):
template_name='profile.html'
#login_required(login_url='/accounts/login/')
def dispatch(self, *args, **kwargs):
return super(ProfileView, self).dispatch(*args, **kwargs)
Can anyone help me. I m new to Django and any help would be appreciated.
Thanks in advance
You need to apply a method_decorator first and then pass it the login_required function decorator.
A method on a class isn’t quite the same as a standalone function, so you can’t just apply a function decorator to the method. You need to transform it into a method decorator first.
To make it more clear, Django's view decorators return a function with a signature (request, *args, **kwargs) but for class based-views, the signature should be of the form (self, request, *args, **kwargs). Now, what the method_decorator does is that it transforms the first signature to the second.
From docs on decorating Class-based Views:
The method_decorator decorator transforms a function decorator into
a method decorator so that it can be used on an instance method.
from django.contrib.auth.decorators import login_required
from django.utils.decorators import method_decorator
class ProfileView(TemplateView):
template_name='profile.html'
#method_decorator(login_required(login_url='/accounts/login/'))
def dispatch(self, *args, **kwargs):
return super(ProfileView, self).dispatch(*args, **kwargs)
When using class-based views, it's preferred to use the LoginRequiredMixin rather than the #login_required decorator. It performs essentially the same function.
class ProfileView(LoginRequiredMixin, TemplateView):
template_name='profile.html'
I'm converting some FBVs with signals to CBVs, so I have this decorator:
def ensure_https(view_func):
def _checkssl(request, *args, **kwargs):
print request.is_secure()
if not settings.DEBUG and not request.is_secure():
url_str = request.build_absolute_uri()
url_str = url_str.replace('http://', 'https://')
return HttpResponseRedirect(url_str)
return view_func(request, *args, **kwargs)
return _checkssl
and added it to a function in a class based view, as so:
class ExampleTemplateView(TemplateView):
template_name = 'example.html'
#ensure_https
def dispatch(self, request, *args, **kwargs):
...
return HttpResponseRedirect(/hello/')
But I get the following error:
'ExampleTemplateView' object has no attribute 'is_secure'
However, when I use this decorator on a function-based view, it works just fine. Should I be using a particular CBV?
If you need anymore code or info, please let me know. Thanks for your help!
I think you have signal and decorator confused as the pattern in your code is a decorator. Depending on what you're doing there might be better alternatives to where you put the URL redirection logic. I'm thinking webserver(nginx), HTTP Strict Transport Security HTTP header or middleware. Having said that, from the django docs:
To decorate every instance of a class-based view, you need to decorate
the class definition itself. To do this you apply the decorator to the
dispatch() method of the class.
A method on a class isn’t quite the same as a standalone function, so
you can’t just apply a function decorator to the method – you need to
transform it into a method decorator first. The method_decorator
decorator transforms a function decorator into a method decorator so
that it can be used on an instance method. For example:
from django.contrib.auth.decorators import login_required
from django.utils.decorators import method_decorator
from django.views.generic import TemplateView
class ProtectedView(TemplateView):
template_name = 'secret.html'
#method_decorator(login_required)
def dispatch(self, *args, **kwargs):
return super(ProtectedView, self).dispatch(*args, **kwargs)