Can django-comments handle multiple comment forms on the page? - django

I have multiple models on a Django-powered webpage that have a django.contrib.comments form rendered for each. On this page, a post from one of these forms to /comments/post/ always results in:
Forbidden (403)
CSRF verification failed. Request aborted.
If I include the same comment form code on another page where there is just one such form, it posts just fine.
Also, FYI, I have included 'django.middleware.csrf.CsrfViewMiddleware' in the MIDDLEWARE_CLASSES and the {% csrf_token %} inside the comment form.
Any thoughts on this error or getting multiple django-comments forms on a page submitting correctly?

Related

Forms with and without csrf tokens on single page

I have a login form on every page that's a popup, and it requires the csrf token.
I also have some form views that have a form that doesn't require the csrf token.
What I've found is that even if I have the {% csrf_token %} on the login form, if the view isn't wrapped with csrf_protect() it doesn't generate the token, so when the login form is submitted, it gets a CSRF missing error. OTOH, if I do wrap it, then the other form on the page that doesn't need it complains about it missing, though the login form works. One form submits to the current page's form view, while the other form submits to a separate form view.
Is it possible to get the csrf_token to generate even without the csrf_protect being used?
I saw the csrf_exempt function but it doesn't help when wrapping the view either. Is it possible to render two view functions or wrap it within the template? I'm just using a {% include login.html %}
Thanks

Mako csrf_token like in Django templates

In my recent Django project I use Mako templates.
About Cross Site Request Forgery (CSRF):
In Django templates there is the tag {% csrf_token %} to protect from hackers.
What about Mako templates? Is there an analog of csrf_token, or is there another protection mechanism?
Thanks!
I ran into the same problem just today (that's why I ended up here). I found a solution, at least, for what I wanted to do, which is pass some POST data to another view through an HTML form. Here it is:
From your first view, get a CSRF Token and add it to your (Mako) context:
from djangomako.shortcuts import render_to_response as render
from django.core.context_processors import csrf

def first_view(request):
    """This view generates a form whose action is 'second_view'."""
    # csrf(request) returns {'csrf_token': '<value>'}; expose it under a
    # plain name so the Mako template can write it into a hidden field.
    context = {"csrftoken": csrf(request)["csrf_token"]}
    return render("path/to/yourtemplate.html", context)
yourtemplate.html's form must have a field named “csrfmiddlewaretoken” whose value is the CSRF Token, which we placed in the context as “csrftoken”. As in:
<input type="hidden" name="csrfmiddlewaretoken" value="${ csrftoken }" />
Source: Cross Site Request Forgery protection (Django 1.5 Docs)
There's some sample code at Django Snippets that looks to do this, although judging by the comments, you may need to fiddle a bit. If you have trouble, you basically want to make sure that you're duplicating the Django stock CSRF tag (click the link, start on line 87).

Django CSRF fails when used in an extended page

All pages are extended from a base template.
There is a form in the base template and the form has the CSRF tag. When submitting the form while on home page, all works fine. However for all other pages (also extended from same base template) the submit fails with the following error:
Forbidden (403)
CSRF verification failed. Request aborted.
Inspecting the page with Firebug, the hidden input field that holds the CSRF token is missing.
You need to do this -
In settings modify - MIDDLEWARE_CLASSES = ('django.middleware.csrf.CsrfViewMiddleware',)
Next to any form in your templates, put this - <form method="post" class="login_form" name="frmlogin">{% csrf_token %}
This would solve your problem...

CSRF problem: Django-registration app with my custom login-form in my base.html

I'm using https://bitbucket.org/ubernostrum/django-registration/ for login and registration in Django.
But now I'm trying to add a login form in my base.html, with a simple form
{% csrf_token %}... etc
The thing is, when I log in it says CSRF verification fails. I guess this is because the data isn't sent from templates/registration/login.html?
Any idea how I should solve this in an easy way, will I have to write my own login-view?
Refresh the page of "http://*/accounts/register/" that contains your form not Forbidden after you add {% csrf_token %}.

Django 1.2 CSRF and HTTP posts from Google Web Toolkit

I have a GWT web app working with Django server-side. I recently upgraded Django to 1.2, and am not able to get HTTP posts to work from my GWT app. I am getting this error:
CSRF verification failed. Request aborted.
Reason given for failure:
CSRF token missing or incorrect.
I have enabled the csrf middlewares ('django.middleware.csrf.CsrfViewMiddleware', 'django.middleware.csrf.CsrfResponseMiddleware') which is working for contrib apps like login, but it seems as though the token is not getting added to posts made through GWT. Any ideas? Thanks in advance.
If you have checked the templates for auth.login you'll notice that a CSRF token is explicitly included inside the <form> tag.
<form method="post" action=".">
{% csrf_token %}
This is expanded into a hidden field when the page is rendered on a GET request. Something like:
<form method="post" action=".">
<div style='display:none'>
<input type='hidden' name='csrfmiddlewaretoken'
value='90064bf0e86edacfdb60595e3e2b8f23' />
</div>
This token is then passed back to the view on POST and validated.
Consequently before you can POST to a CSRF protected view you will have to first get the token from the said view.
Can you verify/ensure that you have the CSRF token handy before making a POST request to the view? Alternatively you can disable CSRF protection for the view using the csrf_exempt decorator. This may not be a good idea though.
Update
This is the point of my question: I am not using django templates for my front-end and thus I cannot tag forms with the token. I am using GWT for my front-end, which is rendering the form for the post.
Are you already making a GET request to the Django view before rendering the page? In that case you can get the CSRF token by parsing the contents of the response.
If not you will have to explicitly make a GET request to the view (assuming it supports GET) and parse the response for a CSRF token. For an example see this question.
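The flow the answer describes (GET the protected view, pull the csrfmiddlewaretoken hidden field out of the HTML, send it back in the POST body), worked through as an added example. This is not code from the question, the answers or Django itself; it uses only the Python standard library, and the HTML below is a constructed stand-in for what Django renders once {% csrf_token %} has been expanded (the token value is made up).

```python
"""Client-side CSRF token round trip for a front-end that does not use
Django templates (the GWT case above). Added example, standard library only."""

from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample of a Django GET response; the token value is invented.
SAMPLE_GET_RESPONSE = """
<html><body>
<form method="post" action=".">
<div style='display:none'>
<input type='hidden' name='csrfmiddlewaretoken'
       value='90064bf0e86edacfdb60595e3e2b8f23' />
</div>
<input type="text" name="username" />
<input type="submit" value="Log in" />
</form>
</body></html>
"""


class CsrfTokenParser(HTMLParser):
    """Collects the value of the first csrfmiddlewaretoken hidden input."""

    def __init__(self):
        super().__init__()
        self.token = None

    def handle_starttag(self, tag, attrs):
        if tag != "input" or self.token is not None:
            return
        attr = dict(attrs)
        if attr.get("name") == "csrfmiddlewaretoken":
            self.token = attr.get("value")


def extract_csrf_token(html):
    """Return the csrfmiddlewaretoken value embedded in a rendered page.

    Raises ValueError when the page carries no token: the view was then
    rendered without the CSRF context (no csrf_protect / context processor),
    and any POST built from it would get the 403 shown in the question.
    """
    parser = CsrfTokenParser()
    parser.feed(html)
    parser.close()
    if not parser.token:
        raise ValueError("no csrfmiddlewaretoken field in response")
    return parser.token


def build_post_body(html, fields):
    """Build the application/x-www-form-urlencoded POST body for the same
    view, carrying the token that the view handed out on the GET."""
    body = dict(fields)
    body["csrfmiddlewaretoken"] = extract_csrf_token(html)
    return urlencode(body)


if __name__ == "__main__":
    print(extract_csrf_token(SAMPLE_GET_RESPONSE))
    print(build_post_body(SAMPLE_GET_RESPONSE, {"username": "alice"}))
```

One caveat a real client must respect: the middleware compares the posted field against the csrftoken cookie set on the GET response, so the client has to send that cookie back on the POST as well (a cookie jar on the HTTP client takes care of it); the hidden field alone is not enough.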