Django API Post method returns 403 error

I am trying to set up a Django API (a POST API endpoint). I want the same URL path to point to the same function, which then handles the request differently depending on whether it is a POST or a GET. Thus, I used a method like this:

import json

from django.http import HttpResponse, HttpResponseNotAllowed


def handle_post(request):
    # Sample payload; avoid naming the variable `dict`, which shadows the built-in
    payload = {"email": "test"}

    if request.method == "POST":
        return HttpResponse(json.dumps(payload), content_type="application/json")

    # A Django view must always return a response; returning None raises an error
    return HttpResponseNotAllowed(["POST"])

In urls.py, I have the following code:

from django.conf.urls import include, patterns, url
from rest_framework import routers

# Assumed module path for the view and viewset named below; admin_site is assumed
# to be the project's AdminSite instance, defined elsewhere
from .views import UsernotesViewSet, handle_post

router = routers.DefaultRouter()
router.register(r'notes', UsernotesViewSet)

urlpatterns = patterns('',
    url(r'^', include(router.urls)),
    url(r'^admin/', include(admin_site.urls)),
    url(r'^api-auth/', include('rest_framework.urls', namespace='rest_framework')),
    url(r'^docs/', include('rest_framework_swagger.urls')),
    # Plain function view: CsrfViewMiddleware checks every unsafe request to it
    url(r'^example/postrequest', handle_post),
)

But I cannot get this to work when I perform a POST to the URL http://127.0.0.1:8000/example/postrequest?requestid=abc&starthour=10. I did not post anything, but just changed the method from GET to POST in my HTTP client to try this API. Is it OK if I did not post any content to the URL?

I am getting the 403 error, as below:

Forbidden (403)
CSRF verification failed. Request aborted.
You are seeing this message because this site requires a CSRF cookie when submitting forms. This cookie is required for security reasons, to ensure that your browser is not being hijacked by third parties. If you have configured your browser to disable cookies, please re-enable them, at least for this site, or for 'same-origin' requests.

Any help is appreciated.

Terry asked Oct 06 '15 17:10



2 Answers

I could not understand your question correctly, but a CSRF verification failure occurs when "requests via 'unsafe' methods, such as POST, PUT and DELETE" are performed without using the recommended defense settings against CSRF (Cross-Site Request Forgery).

You can read more at this link.

There is a quick work-around to this problem. You can use the csrf_exempt decorator to mark a view as being exempt from the protection ensured by the CSRF view middleware (django.middleware.csrf.CsrfViewMiddleware). Example:

from django.views.decorators.csrf import csrf_exempt
from django.http import HttpResponse

@csrf_exempt
def my_view(request):
    return HttpResponse('Hello world')

You can read more about it here.

Sushant Kafle answered Sep 27 '22 23:09


Have a read of the Django docs on CSRF protection. If your API is going to be accessed by JavaScript in the browser, then there are instructions for how to include the token in an AJAX request.

If the API is accessed in a different way, e.g. from a mobile client that doesn't use cookies, then it might be appropriate to turn off the CSRF protection for that view, using the csrf_exempt decorator.

Alasdair answered Sep 27 '22 23:09
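As an added illustration, not code from either answer or from Django itself, the following Python model reproduces the decision Django's CsrfViewMiddleware makes and runs it over constructed requests: the question's bare POST, the same URL via GET, a browser POST that echoes the cookie in the X-CSRFToken header, a POST whose submitted token does not match the cookie, and a csrf_exempt view. The Request class, issue_csrf_token and walkthrough are constructed stand-ins; the real middleware additionally masks the token and checks Origin/Referer on HTTPS.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Names Django's CsrfViewMiddleware uses: the cookie, the POST form field and the request header.
CSRF_COOKIE = "csrftoken"
CSRF_FIELD = "csrfmiddlewaretoken"
CSRF_HEADER = "X-CSRFToken"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Request:
    """Constructed stand-in for the parts of a Django request the check reads."""
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    POST: dict = field(default_factory=dict)


def issue_csrf_token() -> str:
    """The value the server sets as the csrftoken cookie on an earlier GET."""
    return secrets.token_hex(32)


def csrf_check(request: Request, exempt: bool = False) -> int:
    """Return the status the middleware would produce: 200 (pass) or 403 (rejected)."""
    if exempt or request.method in SAFE_METHODS:
        return 200  # csrf_exempt views and safe methods skip the check entirely
    cookie = request.cookies.get(CSRF_COOKIE)
    if cookie is None:
        return 403  # "this site requires a CSRF cookie": the error in the question
    supplied = request.POST.get(CSRF_FIELD) or request.headers.get(CSRF_HEADER, "")
    if not hmac.compare_digest(cookie, supplied):
        return 403  # cookie present, but the submitted token is missing or does not match
    return 200


def walkthrough() -> dict:
    token = issue_csrf_token()
    return {
        "bare_post": csrf_check(Request("POST")),  # the question's request: no cookie, no token
        "get": csrf_check(Request("GET")),  # same URL via GET: safe method, never checked
        "ajax_post": csrf_check(Request("POST", {CSRF_COOKIE: token}, {CSRF_HEADER: token})),
        "mismatched_post": csrf_check(Request("POST", {CSRF_COOKIE: token}, {}, {CSRF_FIELD: "0" * 64})),
        "exempt_post": csrf_check(Request("POST"), exempt=True),  # passes: view must authenticate otherwise
    }


if __name__ == "__main__":
    print(walkthrough())
```

Exempting the view removes the check rather than satisfying it, so an exempt endpoint must rely on a credential that is not a cookie, which is the mobile-client case the second answer describes.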