Forbidden (CSRF token missing or incorrect): /tz_detect/set
c4n1 opened this issue · 6 comments
When running this on a pretty clean Django install I cannot get the POST to work.
I have it set up as below:
djsite/djsite/Settings.py
INSTALLED_APPS = [
    'cals.apps.CalsConfig',
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'tz_detect',
]

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'tz_detect.middleware.TimezoneMiddleware',
]

TEMPLATES = [
    {
        'BACKEND': 'django.template.backends.django.DjangoTemplates',
        'DIRS': [],
        'APP_DIRS': True,
        'OPTIONS': {
            'context_processors': [
                'django.template.context_processors.debug',
                'django.template.context_processors.request',
                'django.contrib.auth.context_processors.auth',
                'django.contrib.messages.context_processors.messages',
            ],
        },
    },
]
djsite/djsite/urls.py
from django.conf.urls import url, include
from django.contrib import admin

urlpatterns = [
    url(r'^cals/', include('cals.urls')),
    url(r'^admin/', admin.site.urls),
    url(r'^tz_detect/', include('tz_detect.urls')),
]
djsite/cals/views.py
import datetime

from django.http import HttpResponse
from django.template import RequestContext, loader


def index(request):
    now = datetime.datetime.now()
    # Template is rendered by hand with a RequestContext rather than via
    # render(request, ...); this is the code that produces the 403 below.
    context = RequestContext(request, {})
    context["now"] = now
    template = loader.get_template('cals/cals_small.html')
    return HttpResponse(template.render(context))
djsite/cals/templates/cals/cals_small.html
<html>
<head></head>
{% load tz_detect %}
<body>
It is {% now "jS F Y H:i" %}
{% tz_detect %}
</body>
</html>
I get the below output from runserver
"GET /cals/ HTTP/1.1" 200 510
"GET /static/tz_detect/js/tzdetect.js HTTP/1.1" 200 2643
Forbidden (CSRF token missing or incorrect.): /tz_detect/set/
"POST /tz_detect/set/ HTTP/1.1" 403 2502
It's been a long day so I am likely doing something wrong but would appreciate it if you could take a look.
Python 3.6.0
Django version 1.10.5
Hi @c4n1,
Thank you for reporting this. I'm not sure I'm going to be able to look at this just yet (perhaps @bashu knows more?). I suspect this is because things need updating for newer Django versions. However, you should be able to get around this by updating your urls.py as follows:
from django.conf.urls import url, include
from django.contrib import admin
from django.views.decorators.csrf import csrf_exempt

from tz_detect.views import SetOffsetView

urlpatterns = [
    url(r'^cals/', include('cals.urls')),
    url(r'^admin/', admin.site.urls),
    url(r'^set/$', csrf_exempt(SetOffsetView.as_view()), name="tz_detect__set"),
]
@c4n1 fix djsite/cals/views.py to include csrf_token:
import datetime

from django.shortcuts import render


def index(request):
    return render(request, 'index.html', {"now": datetime.datetime.now()})
https://docs.djangoproject.com/en/dev/topics/http/shortcuts/#render
In tz_detect/templates/tz_detect/detector.html:
<script type="text/javascript">
var csrf_token = "{{ csrf_token }}";
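The snippet above only works if `{{ csrf_token }}` actually rendered to a value, which is exactly what fails when the view renders the template without the request (the token variable comes from Django's CSRF context processor). The following is an added example, not code from django-tz-detect or from anyone in this thread, showing the client side of that POST done defensively: it takes the template-injected value, falls back to Django's documented `csrftoken` cookie, and refuses to send the request when no token is available, so the misconfiguration is reported on the client instead of appearing only as a 403 in the server log. The `offset` form field and the `X-CSRFToken` header follow Django's documented AJAX convention; that the view reads `offset` from `request.POST` is an assumption here.

```javascript
// Added example (not from the django-tz-detect project): client-side handling
// of the CSRF token for the POST to /tz_detect/set/, with an explicit check
// that a token is actually available before the request is built.

// Django's documented cookie lookup, written to take the cookie string as an
// argument so it can be exercised outside a browser.
function getCookie(name, cookieString) {
  if (!cookieString) return null;
  for (const part of cookieString.split(';')) {
    const cookie = part.trim();
    if (cookie.startsWith(name + '=')) {
      return decodeURIComponent(cookie.slice(name.length + 1));
    }
  }
  return null;
}

// Prefer the value the template injected (the page's
// `var csrf_token = "{{ csrf_token }}"`), which is empty when the template was
// rendered without a request. Fall back to the "csrftoken" cookie, which
// CsrfViewMiddleware sets once get_token() has run for the client.
function resolveCsrfToken(templateToken, cookieString) {
  if (templateToken && templateToken.trim() !== '') return templateToken;
  return getCookie('csrftoken', cookieString);
}

// Describe the offset POST. Field name "offset" is an assumption about what
// SetOffsetView reads from request.POST; the header name is Django's
// documented X-CSRFToken.
function buildOffsetRequest(offsetMinutes, templateToken, cookieString) {
  const token = resolveCsrfToken(templateToken, cookieString);
  if (token === null) {
    // Surface the misconfiguration instead of letting the server answer 403.
    return {
      ok: false,
      reason: 'no CSRF token: template rendered without request context and no csrftoken cookie',
    };
  }
  return {
    ok: true,
    request: {
      method: 'POST',
      url: '/tz_detect/set/',
      headers: {
        'X-CSRFToken': token,
        'Content-Type': 'application/x-www-form-urlencoded',
      },
      body: 'offset=' + encodeURIComponent(String(offsetMinutes)),
    },
  };
}

// Constructed sample inputs (not captured from a real browser): an empty
// template value, as produced by the broken view in this issue, plus a cookie
// header with and without the csrftoken cookie.
const sampleCookieWithToken = 'sessionid=abc123; csrftoken=ConstructedTokenValue';
const sampleCookieWithoutToken = 'sessionid=abc123';

console.log(buildOffsetRequest(new Date().getTimezoneOffset(), '', sampleCookieWithToken));
console.log(buildOffsetRequest(new Date().getTimezoneOffset(), '', sampleCookieWithoutToken));
```

Note that the cookie fallback only helps when the cookie already exists; Django sets it on a response only after `get_token()` ran for that request (rendering `{{ csrf_token }}` with a request context does that, as does `ensure_csrf_cookie`), so the real fix remains rendering the template with the request, as suggested in the thread. Wrapping the view in `csrf_exempt`, the other workaround mentioned above, removes the check on that endpoint entirely rather than supplying the token.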
Wouldn't it make more sense to use the {% csrf_token %} template tag instead of requiring users to put the {{ csrf_token }} variable into every context with this?
@blag, nope! {% csrf_token %} is for forms, and by the way it requires csrf_token to be available in the context as well, see: https://github.com/django/django/blob/dbfcedb499944f31444d347aa6c389303c6cf22e/django/template/defaulttags.py#L52
In my case the issue was caused by using render_to_response without passing a RequestContext. Since render_to_response is pretty much deprecated I switched to using render (properly) and it works just fine now.
Thanks!