CSRF Failed: CSRF token missing or incorrect

I'm using Django 1.7 and django-rest-framework.

I made an API that returns me some JSON data putting this in my settings.py

    REST_FRAMEWORK = {
        'DEFAULT_PERMISSION_CLASSES': ('rest_framework.permissions.AllowAny',),
        'DEFAULT_RENDERER_CLASSES': (
        #   'rest_framework.renderers.XMLRenderer',
            'rest_framework.renderers.JSONRenderer',
        #   'rest_framework.renderers.BrowsableAPIRenderer',
        )
    }

When I make GET calls, it returns me all the data, but when I try with PUT/PATCH I get:

    --------Response Headers---------
    Status Code: 403
    Date: Wed, 29 Oct 2014 18:51:42 GMT
    Vary: Cookie
    Server: WSGIServer/0.1 Python/2.7.8
    Allow: GET, POST, PUT, PATCH, HEAD, OPTIONS
    X-Frame-Options: SAMEORIGIN
    Content-Type: application/json
    ---------------------------------

    --------Response Body-----------
    {"detail": "CSRF Failed: CSRF token missing or incorrect."}
    ---------------------------------

This only happens when I am logged in; if I am anonymous I can PUT/PATCH correctly.

I have tried @csrf_exempt and got errors, and I have included rest_framework.permissions.AllowAny in the settings...

I have no idea what's going on. Does anyone know what the issue is?

Alex Lord Mordor asked Oct 29 '14 19:10

1 Answer

When you are using SessionAuthentication, you are using Django's authentication which usually requires CSRF to be checked. Django REST Framework enforces this, only for SessionAuthentication, so you must pass the CSRF token in the X-CSRFToken header.

The Django documentation provides more information on retrieving the CSRF token using jQuery and sending it in requests. The CSRF token is saved as a cookie called csrftoken that you can retrieve from an HTTP response, which varies depending on the language that is being used.

If you cannot retrieve the CSRF cookie, this is usually a sign that you should not be using SessionAuthentication. I recommend looking into TokenAuthentication or OAuth 2.0 depending on your needs.

Kevin Brown-Silva answered Oct 27 '22 05:10
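The client-side half of the answer above, as an added example that is not part of the original post or of Django REST Framework itself: read Django's csrftoken cookie and attach it as the X-CSRFToken header on the unsafe methods (PUT/PATCH/POST/DELETE) that SessionAuthentication checks, while GET stays exempt. It assumes Django's default cookie name (csrftoken) and header name, and takes the cookie string as a parameter so it runs outside a browser too.

```javascript
// Added example (not DRF's or the answer's code). Assumes Django's default
// CSRF cookie name "csrftoken" and the X-CSRFToken request header.

// Parse one cookie out of a "document.cookie"-style string. The string is passed
// in explicitly so the helper works both in a browser and in a plain script.
function getCookie(name, cookieString) {
  for (const part of cookieString.split(';')) {
    const cookie = part.trim();
    if (cookie.startsWith(name + '=')) {
      return decodeURIComponent(cookie.substring(name.length + 1));
    }
  }
  return null;
}

// Django's CsrfViewMiddleware only validates the token on methods it treats as
// unsafe; GET, HEAD, OPTIONS and TRACE are exempt, which is why the asker's
// GET calls succeed while PUT/PATCH return 403.
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(method);
}

// Build fetch() options for a JSON request to a DRF endpoint. The session cookie
// must travel with the request ('same-origin'), and unsafe methods must carry
// the token. A missing cookie is reported up front instead of producing the
// "CSRF token missing or incorrect" 403 from the server.
function buildRequestInit(method, body, cookieString) {
  const headers = { 'Content-Type': 'application/json' };
  if (!csrfSafeMethod(method)) {
    const token = getCookie('csrftoken', cookieString);
    if (token === null) {
      throw new Error('csrftoken cookie not set: cannot send X-CSRFToken');
    }
    headers['X-CSRFToken'] = token;
  }
  return {
    method: method.toUpperCase(),
    credentials: 'same-origin',
    headers,
    body: body === undefined ? undefined : JSON.stringify(body),
  };
}

// In a browser (path is a placeholder):
//   fetch('/api/items/1/', buildRequestInit('PATCH', { name: 'x' }, document.cookie));
```

If getCookie returns null for a logged-in user, the CSRF cookie is not being issued or is not readable by the page, which is the case the answer says calls for TokenAuthentication or OAuth 2.0 instead.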