I'm using django-allauth and custom login and signup forms in my application. Everything works well until a user submits an error with the login or signup form.
The error shows up but on a different page.
e.g intended login form is at the URI: /payment/e886371a-fa52-4718-b8bc-e53fe8ac2bea/
However, when there is a form error in the above page, it redirects to the default login URI: /accounts/login/ and displays the error there.
Is there a way to make sure the user is returned to the original page incase of a form error and have the error(s) displayed there?
Thanks in advance.
If you have login form on URI /payment/e886371a-fa52-4718-b8bc-e53fe8ac2bea/ and you do not want to redirect to /account/login, do not write as action of form. And create payment view which can handle authorization directly on payment URI.
<form class="login" method="POST" action="/payment/e886371a-fa52-4718-b8bc-e53fe8ac2bea/">
...
</form>
In your payment view you can extends class allautho/accounts/views/LoginView, which handles normal email/password auth.
Related
I am sending a POST request to my server from an android application, but I am getting this error:
The POST looks like:
http://example/my_page_url/1000
Where the 1000 is an ID.
This is my views method:
def inventory(request, cross_id):
text_file = open("test.txt", "w")
text_file.write('POST Received')
text_file.write(cross_id.__str__())
text_file.close()
return render(request, 'Inventory.html', {})
my template code:
<form action='' method="POST">
<button type="submit" id="btn_save" name="btn_save">Save</button>
{% csrf_token %}
</form>
Actually, I don't really need to call a template, because I want to perform something on the server only. But I am calling the template just to prevent any errors for now.
I have read the other answers for the same problem but all of them have missed the CSRF token in the template or something else in the views method, but I believe the case is different here.
You need to add the X-CSRFToken header to all your POST requests.
You can get the appropriate value for this header from the cookie named csrftoken.
To test this in Postman, you need to enable the Interceptor plugin (top right corner).
Once you have it installed, make a GET request to /admin/login/ (make sure you are logged out from the site in the browser). In the cookies section you should see a cookie named csrftoken, copy its value.
Now, set the request type to POST for the same URL (/admin/login), add a header named X-CSRFToken with the value you copied earlier. Set the username and password fields in the Body section and hit send.
If your POST do not require authentication, you can use the csrftoken from an earlier GET request.
I am using Django 1.5 and I want to check if the user has been redirected to my login page because he tried to access another page which required a login without being logged in. Suppose there is this view called 'securityPage' and suppose that view is called when I visit the
/securityInfo/
URL. Assuming this is the securityPage view:
#login_required
def securityPage(request):
#some code
Now when I visit that URL, it redirects me to the login.html page, which is correct (since the user - me - is not logged into any account). This is my login.html:
{% if 'next' in request.GET %}
<p>You must first login into your account before having access to the page you were trying to view.</p>
{% endif %}
for some reason, even though I am being redirected and the URL of the login page I am redirected to is
http://127.0.0.1:8000/login/?next=/securityInfo/
, the line
{% if 'next' in request.GET %}
evaluates to false even when 'next' is in the URL. Any idea why?
i don't think request object is part of the default context values.
check your template_context_processors in your settings and if you add django.core.context_processors.request in that list then the current request will be added to every requestcontext. or just pass the request manually for that view.
https://docs.djangoproject.com/en/1.5/ref/templates/api/#django-core-context-processors-request
I have a login form on every page that's a popup, and it requires the csrf token.
I also have some form views that have a form that doesn't require the csrf token.
What I've found is that even if I have the {% csrf_token %} on the login form, if the view isn't wrapped with csrf_protect() it doesn't generate the token, so when the login form is submitted, it gets a csrf missing error. OTOH, if I do wrap it, then the other form on the page that doesn't need it complains about it missing though the login form works. One form submits to the current page form view, while the form submits to a separate form view.
Is it possible to get the csrf_token to generate even without the csrf_protect being used?
I saw the csrf_exempt function but it doesn't help when wrapping the view either. Is it possible to render two view functions or wrap it within the template? I'm just using a {% include login.html %}
Thanks
All pages are extended from a base template.
There is a form in the base template and the form has the CSRF tag. When submitting the form while on home page, all works fine. However for all other pages (also extended from same base template) the submit fails with the following error:
Forbidden (403)
CSRF verification failed. Request aborted.
Inspecting the page with Firebug, the hidden input field that holds the CSRF token is missing.
You need to do this -
In settings modify - MIDDLEWARE_CLASSES = ('django.middleware.csrf.CsrfViewMiddleware')
Next to any form in your templates, put this - <form method="post" class="login_form" name="frmlogin">{% csrf_token %}
This would solve your problem...
I have a GWT web app working with Django server-side. I recently upgraded Django to 1.2, and am not able to get HTTP posts to work from my GWT app. I am getting this error:
CSRF verification failed. Request
aborted.
Reason given for failure:
CSRF token missing or incorrect.
I have enabled the csrf middlewares ('django.middleware.csrf.CsrfViewMiddleware', 'django.middleware.csrf.CsrfResponseMiddleware') which is working for contrib apps like login, but it seems as though the token is not getting added to posts made through GWT. Any ideas? Thanks in advance.
If you have checked the templates for auth.login you'll notice that a CSRF token is explicitly included inside the <form> tag.
<form method="post" action=".">
{% csrf_token %}
This is expanded into a hidden field when the page is rendered on a GET request. Something like:
<form method="post" action=".">
<div style='display:none'>
<input type='hidden' name='csrfmiddlewaretoken'
value='90064bf0e86edacfdb60595e3e2b8f23' />
</div>
This token is then passed back to the view on POST and validated.
Consequently before you can POST to a CSRF protected view you will have to first get the token from the said view.
Can you verify/ensure that you have the CSRF token handy before making a POST request to the view? Alternately you can disable CSRF protection for the view using the csrf_exempt decorator. This may not be a good idea though.
Update
This is the point of my question: I am not using django templates for my front-end and thus I cannot tag forms with the token. I am using GWT for my front-end, which is rendering the form for the post.
Are you already making a GET request to the Django view before rendering the page? In that case you can get the CSRF token by parsing the contents of the response.
If not you will have to explicitly make a GET request to the view (assuming it supports GET) and parse the response for a CSRF token. For an example see this question.