In my Django template I have a POST form. It includes the tag {% csrf_token %}. If I submit this form normally then everything works fine. However, I need to change a form input value via Javascript/Jquery:
$('input').val(id);
If I do this then I get the "CSRF verification failed" error message when I submit the form. I do submit the form via Javascript, but this has not been a problem so long as I don't dynamically change any values.
I have been "solving" this by writing #csrf_exempt above my Python functions. However, this skips the security. Is there another way?
Command $('input').val(id); overwrites all input entries, which can be found, so hidden csrf_token input loses its value. Try to make more specific selector. For example:
$('input[name=change-me]').val(id);
Related
I've seen this question a few times and can't find an option that works in my situation.
I have a webpage that you can get to via a POST. It requires an 'example_id' be sent to the server.
The webpage has a form for the user to fill out. When they submit the form, I need the user to return to same page.
I need to prevent user 'refresh' from resubmitting the form. Most common solution I have found is:
return HttpResponseRedirect('/<web_page/')
I have tried this and adding kargs to the function parameters, but it doesn't seem to work.
Update:
I got my scenario to work by using the csrf token ({% csrf_token %}) . If the user refreshes the page, then the csrf token will be the same. So I check for this in my view and handle this scenario differently.
The solution I found.
I got my scenario to work by using the csrf token: {% csrf_token %}
If the user refreshes the page, then the csrf token will be the same. So I check for this in my view and handle this scenario differently than I would normally.
I'm unable to save my form (a ModelForm) properly, since django displays checkboxes without a value (I would expect value="true" on every fields, both checked than unchecked... but that's not the case).
When I submit the form, no data is received in the POST!
The following is a piece o my template:
<div>
{{form.displayAge.label_tag}}
{{form.displayAge}}
{{form.displayAge.errors}}
</div>
{{form.displayAge}} is rendered in this way:
<input checked="checked" type="checkbox" name="displayAge" id="id_displayAge">
BUT... since it has no value, checking/unchecking the checkbox is helpless! What should I do?
I would like to avoid typing form fields by hand!
No, there is no need for a value field. If the checkbox is checked, the browser will submit "on" as the value by default if none is supplied.
If you're not getting this value in your view, something else is wrong. Note that since you're using Django forms, you shouldn't be checking request.POST manually anyway: use form.cleaned_data.
First Quesiton:
This form submits to demo_form?name=ABC
<form action="demo_form" method="get">
name: <input type="text" name="name"><br>
<input type="submit" value="Submit">
</form>
Is there a way to make it submit to demo_form/ABC/?
Second Question:
Even if users don't use my form, if they use a web crawler to simply visit demo_form?name=ABC or demo_form/ABC/, it would yield the same result. I want to prevent that. What's the best way of making those two URLs only valid if the user submit the name via my form? I am learning django so hopefully the solution would work with django framework.
Thanks in advance!
Is there a way to make it submit to demo_form/ABC/?
You could intercept the submission in JavaScript, construct the URL manually, then set location. That would break if JS wasn't available.
More sanely, you could send an HTTP 301 redirect response when you get the request for demo_form?name=ABC
What's the best way of making those two URLs only valid if the user submit the name via my form?
Generally speaking, visiting a form should not be a pre-requisite for anything involving a GET request. A large portion of the point of GET is that the results are bookmarkable, linkable, etc.
It would be more understandable if it was a POST request, as those are intended to change data on the server and you will want to protect against CSFR. The standard protection against CSRF is a token stored in the form and in a cookie
First time I render a form I don't want the required error message to show up. Although if the field is left empty, it should prompt when submitting.
I know I can set an specific message and set it empty. But this way it never shows up:
error_messages = {'required':''}
I'm using a decorator to change label_tag behavior in BoundField, that makes an "*" show up next to the field label. But I need the error message to show up, only if field is empty.
I know I can check if field is required using:
{% if field.field.required %}
But I would need a way to know if the site is being rendered for the first time. For this I would like not to use an extra variable passed from the view or javascript. I have noticed that formsets actually work this way, but I don't want to put the form in a formset of one form
Error messages don't show up the first time anyway, if you're following the correct pattern in your view.
I suspect the error is showing because you're instantiating the form with a data parameter. You shouldn't do this when you're displaying it on the first GET. The proper way to do it is shown in the documentation.
In a form submission scenario, form is post to "/submit". I want to redirect user to "/sucess" on success and pass render some message to a template at new url. How to do this in Django? render_to_response doesn't do redirect and HttpResponseRedirect doesn't do template rendering.
The response from Daniel Roseman is potentially dangerous, opening your site to XSS vulnerabilities.
Make sure you strip html tags from whatever message is passed if you must do it this way.
A better way would be to redirect to /success/?msg=ok, and have in your view a dictionary:
{ 'ok': 'Your success message' }
If your success page needs a dynamic message, you need to pass it there somehow. You can either do this via GET parameters in the URL you are redirecting to - eg return HttpResponseRedirect('/success/?msg=My+success+message+here') - or by setting some values in the session, which the success view can pick up.
The best way to do what you want is:
In your view set the success message (or error message) as a dict. And use the render_to_response to display any template.
In your template you can verify if there is a message and if the message is an error message or a success message.
Some like this:
In your view:
if anyError:
dict = {"message" : {"error" : "The error message"}}
else:
dict = {"message" : {"success" :"The success message"}}
in your template:
{% if message %}
{% if message.error %}
{{ message.error }}
{% else %}
{{ message.success }}
{% endif %}
{% endif %}
Hope i've helped
There is no good way to do what you want. The browser submits the form, which will take the user to /submit. Once you decide whether it's "successful", it's too late; the browser has already decided on it's destination. All you can do is redirect. But, as you're finding out, it's going to be hard to keep your POST state when you redirect.
I would give up on this. It's not how websites are supposed to work.
I think Django does this already if you extend the generic view. On create there's an optional argument "post_save_redirect". This functionality is used in the automatically generated Django admin system. For example if you want a new resource, say user, you go to the url "/user/add". After you submit it redirects you to "/user/1" with a success message "you just saved user #1". So this is possible, but I'm still researching how to do it without extending the generic view. I'm still very new to Django and python, so looking through Django core to find how they did it is not so easy for me.
I would recommend to use Django message framework which is used for one-time notification messages.
https://docs.djangoproject.com/en/1.8/ref/contrib/messages/