Currently I have my production environment set up so that MANAGERS are emailed any time there's a 500 error. I would also like to be emailed anytime someone tries to access something they don't have permission to (i.e., they produce a 403 error).
As far as I can see, you can easily get Django to email you when someone produces a 404 (https://docs.djangoproject.com/en/dev/howto/error-reporting/#errors), but there's nothing like this for a 403.
What's the best way to get Django to send emails when someone produces a 403?
Related
I am using Django REST framework to make user submit their works. I am restricting the user submissions according to their subscribed plan. I am doing that by raising 403 forbidden with a message whenever user tries to add more than his quota.
This is what I wanted and it works perfectly in my local machine, but it shows a weird "OOPs something went wrong" message on my staging. In preview it shows "Failed to load response Data". I don't know why. I used the same staging database on local machine. Even then, it worked.
The code I used for the both places are same.
I have setup a website in django and added csrf middleware. I could see CSRF failures frequently from the website. Currently I display a 500 error page when CSRF failure occurs.
However, I am thinking of loading the same URL as a GET request whenever a CSRF failure occurs, and ask the user to resubmit the form again. Is this method advisable? What will be the security issues that will arise due to this? Any thoughts on this will be helpful.
As any attacker will not have access to the response due to the Same Origin Policy, you may return whatever you like including a 200 OK with a description to help the user.
If you wanted you could include a 500 INTERNAL SERVER ERROR response, but you could also include some HTML content to advise the user that they should resubmit the form.
I am getting the following error ("Error: HTTP status code: 400") now that I have updated to facebook SDK 3.1 as of yesterday, 10/9. But everything is completely functional as far as connecting with facebook, I just see this error message every time I start a facebook session on my app. I have seen a few people commenting on this, but I can't determine from them if this is going to be a real problem or not. Does anyone know definitively if this is going to cause a problem? And if so, how to fix it? Thanks!
The original issue was resolved by Facebook just after the 3.1 SDK was released.
But some are still having issues, if you have this issue you should check the login flow, and look at facebooks examples, after that if you are still having issues this could be a hint to a solution.
I got the 400 error when I do not have authorization to get to my information. The strange thing is that I get an accessToken and even a valid login (this is because I structured my code, with the help according to Scrumptious example and did a valid login when the Session state is open).
The FBSessionState is only opened for like a second and then it changes to closed with an 400 Error.
With iOS6 native login you get the permission alert when you ask for it, and then the phone remember that choice for 24 hours. But if the user logs in to the facebook home-page and then deletes permission for the application the phone will not recognize that the user has deleted the permissions for 24 hours, since it remembers the that the phone has already asked it and approved it (in the 24-hour window), regardless if you re-install the app or not.
I found this out after some hours of debugging, since I allowed the application from the Settings in iOS, but I could not post, and since I deleted the permission from the facebook privacy, and the alert would not show again there was nothing I could do but to manually give me permissions via a debug tool or wait 24 hours so I could accept the facebook-permission alert again.
I'm getting complaints from a user who is constantly getting a CSRF 403 error when he tries to login to my site (using django.contrib.auth.views.login).
I don't get this error myself, and have no other users complaining of the issue. Any idea what it could be? How should I go about debugging this?
Is there a way to log detailed information about CSRF failures so I can try to inspect the user's state when they login. I don't want to turn DEBUG=True for an external user...
Based on your reply to my comment, I am not sure what is causing this issue. I would use CSRF_FAILURE_VIEW to implement a custom view that would give you more information about what is happening.
I recently ran into that and it turned out to be a cookie problem, as in the end user had them disabled.
I am trying to test IPN. Working with django-paypal. What could be wrong.
The URL is working. No errors otherwise...
But when I test this, it says IPN delivery failed and error code is 403,
Same problem on my site. Turns out that when telneting the server, I get the following details concerning the 403:
Forbidden (403)
CSRF verification failed. Request aborted.
Hooray, the csrf validation works ;D Now i gotta figure out how to turn it off for this particular form. Hope this hint helps anyone encountering the 403 when using django-paypal.
Do you have your website password protected? It sounds like paypal is getting a 403 response from your webserver. Make sure paypal can get to your website without requiring basic auth or something like that.