11👍
You probably need to send along the CSRF token with your request. Check out https://docs.djangoproject.com/en/1.7/ref/contrib/csrf/#csrf-ajax
Update: Because you’ve already tried exempting CSRF, maybe this could help (depending on which version of Django you’re using): https://stackoverflow.com/a/14379073/977931
40👍
CSRF is exempted by default in Django REST Framework. Therefore, the curl POST request works fine. The POSTMAN request returned "CSRF incorrect" because POSTMAN includes the CSRF token if it is found in Cookies. You can solve this by clearing the Cookies.
25👍
It’s from your REST Framework settings. In your settings.py file, your REST_FRAMEWORK should have the following.
    REST_FRAMEWORK = {
        'DEFAULT_AUTHENTICATION_CLASSES': (
            'rest_framework.authentication.TokenAuthentication',
        ),
        'DEFAULT_PERMISSION_CLASSES': (
            'rest_framework.permissions.AllowAny',
        ),
    }
This will set your REST Framework to use token authentication instead of csrf authentication. And by setting the permission to AllowAny, you can authenticate only where you want to.
11👍
OK, well now of course I take back what I said. CSRF does work as intended.
I was making a POST request using a chrome plugin called POSTMAN.
My POST request fails with CSRF enabled.
But a curl POST request using
curl -X POST -H "Content-Type: application/json" -d '
{
"name": "Manager",
"description": "someone who manages"
}' http://127.0.0.1:8000/lakeshoreProperties/roles/
works fine…
I had to take off the braces, i.e., [], and make sure there is a slash after the ‘s’ in roles, i.e., roles/, and csrf enabled did not throw any errors.
I’m not sure what the difference is between calling with POSTMAN vs. using curl, but POSTMAN is run in the web browser, which is the biggest difference. That said, I disabled csrf for the entire class RoleList, but one identical request works with curl and fails with POSTMAN.
4👍
To give an update on current status, and sum up a few answers:
AJAX requests that are made within the same context as the API they are interacting with will typically use SessionAuthentication. This ensures that once a user has logged in, any AJAX requests made can be authenticated using the same session-based authentication that is used for the rest of the website.
AJAX requests that are made on a different site from the API they are communicating with will typically need to use a non-session-based authentication scheme, such as TokenAuthentication.
Therefore, answers recommending replacing SessionAuthentication with TokenAuthentication may solve the issue, but are not necessarily totally correct.
To guard against these types of attacks, you need to do two things:
- Ensure that the ‘safe’ HTTP operations, such as GET, HEAD and OPTIONS, cannot be used to alter any server-side state.
- Ensure that any ‘unsafe’ HTTP operations, such as POST, PUT, PATCH and DELETE, always require a valid CSRF token.
If you’re using SessionAuthentication you’ll need to include valid CSRF tokens for any POST, PUT, PATCH or DELETE operations. In order to make AJAX requests, you need to include the CSRF token in the HTTP header, as described in the Django documentation.
Therefore, it is important that the CSRF token is included in the header, as for instance this answer suggests.
Reference: Working with AJAX, CSRF & CORS, Django REST framework documentation.
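The curl-versus-POSTMAN difference in the update above, the settings answer that swaps in TokenAuthentication, and the last answer's point about sending the token in the X-CSRFToken header all come down to one decision inside Django REST Framework: the CSRF check runs only after SessionAuthentication has authenticated the request from a session cookie. A request with no cookies (curl without a cookie jar) is anonymous, is never CSRF-checked, and is admitted or refused by the permission class alone; a request that arrives with the browser's cookies is authenticated by the session and must then prove its origin with a token; a request authenticated by an Authorization: Token header is not CSRF-checked, because a browser never attaches that header on its own. The Python below is an added, simplified model of that decision written for this page. It is not Django's or DRF's source code; the session id, token key, cookie values and request bodies are constructed sample data, and csrf_headers, dispatch and scenarios are helpers invented here.

```python
"""Added, simplified model of DRF's CSRF decision (not Django/DRF source code).

SessionAuthentication authenticates from the session cookie and then runs
Django's CSRF check; TokenAuthentication authenticates from an
"Authorization: Token <key>" header and never runs it; a request neither
scheme authenticates is anonymous, is not CSRF-checked, and is allowed or
refused by the permission class alone. All values are constructed samples.
"""
import hmac
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

# Constructed server-side state: one logged-in browser session, one API token.
SESSIONS = {"sess-9f3a": "alice"}
TOKENS = {"tok-71c2": "ci-bot"}


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)  # attached automatically by the client
    headers: dict = field(default_factory=dict)  # set explicitly by the client
    form: dict = field(default_factory=dict)     # form-encoded body only; a JSON body
                                                 # never populates this (request.POST is empty)


class CsrfFailed(Exception):
    pass


class InvalidToken(Exception):
    pass


def csrf_headers(cookies):
    """Client side (constructed helper): the documented AJAX approach is to read
    the csrftoken cookie and echo it back in the X-CSRFToken header."""
    return {"X-CSRFToken": cookies["csrftoken"]}


def csrf_check(req):
    """Django's rule in its unmasked-token form: the csrftoken cookie must equal
    the token the client sent, via the csrfmiddlewaretoken form field or the
    X-CSRFToken header. Safe methods are exempt, so a GET never fails here."""
    if req.method in SAFE_METHODS:
        return
    cookie = req.cookies.get("csrftoken", "")
    sent = req.form.get("csrfmiddlewaretoken") or req.headers.get("X-CSRFToken", "")
    if not (cookie and sent and hmac.compare_digest(cookie, sent)):
        raise CsrfFailed("CSRF Failed: CSRF token missing or incorrect.")


def authenticate(req):
    """Return the user or None, trying TokenAuthentication then SessionAuthentication."""
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Token "):
        user = TOKENS.get(auth[len("Token "):])
        if user is None:
            raise InvalidToken("Invalid token.")
        return user            # no CSRF check: browsers never attach this header by themselves
    user = SESSIONS.get(req.cookies.get("sessionid", ""))
    if user is not None:
        csrf_check(req)        # the cookie was attached automatically, so prove the origin
        return user
    return None


def dispatch(req, allow_anonymous):
    """Outcome for one request under AllowAny (True) or IsAuthenticated (False)."""
    try:
        user = authenticate(req)
    except CsrfFailed:
        return "csrf_failed"
    except InvalidToken:
        return "invalid_token"
    if user is None and not allow_anonymous:
        return "not_authenticated"
    return "ok"


def scenarios():
    """The situations discussed in the thread, replayed against the model."""
    browser_cookies = {"sessionid": "sess-9f3a", "csrftoken": "c5f1e0"}
    return {
        # curl with no cookie jar: anonymous, never CSRF-checked; AllowAny admits it
        "curl, no cookies, AllowAny": dispatch(Request("POST"), True),
        "curl, no cookies, IsAuthenticated": dispatch(Request("POST"), False),
        # a client sending the browser's cookies: the session authenticates, the CSRF
        # check runs, and a JSON body cannot carry csrfmiddlewaretoken, so the header is required
        "browser session, no X-CSRFToken": dispatch(Request("POST", cookies=browser_cookies), True),
        "browser session, X-CSRFToken set": dispatch(
            Request("POST", cookies=browser_cookies, headers=csrf_headers(browser_cookies)), True),
        "browser session, GET": dispatch(Request("GET", cookies=browser_cookies), True),
        # TokenAuthentication: authenticated with no CSRF check at all
        "Authorization: Token, valid": dispatch(
            Request("POST", headers={"Authorization": "Token tok-71c2"}), False),
        "Authorization: Token, unknown key": dispatch(
            Request("POST", headers={"Authorization": "Token nope"}), True),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:40s} -> {outcome}")
```

Run it and the "curl, no cookies" rows come out as "ok" under AllowAny, which is exactly why the thread's curl call never tripped CSRF: it was never authenticated, not exempt. The "browser session, no X-CSRFToken" row fails and the same request with csrf_headers applied passes, which is the fix the Django and DRF docs describe for AJAX. Swapping SessionAuthentication for TokenAuthentication makes the error disappear because the check is simply not reached, so a browser-session API that does that has removed its CSRF protection rather than satisfied it.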
3👍
As you said, your URL was http://localhost:8000/lakesShoreProperties/roles. Postman has some issues with localhost. Sending the POST to 127.0.0.1:8000/your-api/endpoint instead did the trick for me.
0👍
If you have set the AllowAny permission and you are facing a CSRF issue:
    REST_FRAMEWORK = {
        'DEFAULT_PERMISSION_CLASSES': [
            'rest_framework.permissions.AllowAny'
        ]
    }
then placing the following in settings.py will resolve the issue:
    REST_SESSION_LOGIN = False