Question
I'm using uploadify in my django admin but I'm getting a 403 error. When I use @csrf_exempt the error is gone but this is very risky.
Is there a better way to fix this problem without compromising the admin page by using @csrf_exempt decorator?
Thanks in advance
Answer 1:
It sounds like either you or the original author of that package need to update it to work with the changes that have come through in the CSRF framework. Sorry that's not the easy answer... :/
You'll need to make sure the ajax requests are sending cookies properly, and more importantly, that you're sending the CSRF token as part of the posted data. Prior to the CSRF security patch, ajax requests weren't required to be CSRF protected because we believed they couldn't be forged cross domain. Unfortunately, this isn't true, and so we had to require the CSRF tokens for those as well.
In particular, see this relevant portion of the docs:
http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax
Edit:
It looks like the flash portion of uploadify doesn't send the cookies for whatever reason. It probably worked before because it was sending an AJAX header. Now it needs to send that cookie regardless, so the correct solution here is to modify the flash to send the cookie.
Answer 2:
@Paul McMillan I faced the same problem with CSRF protection of a view and made a small & ugly workaround to provide basic CSRF validation; here is the code:
    from django.http import HttpResponseForbidden
    from django.middleware.csrf import CsrfViewMiddleware
    from django.views.decorators.csrf import csrf_exempt


    def check_uploadify_csrf(request):
        # Run the stock CSRF middleware's check by hand. process_view() returns
        # None when the request is accepted and a 403 response when it is
        # rejected. (Django 4.0 and later require a get_response argument to
        # the middleware constructor, e.g. CsrfViewMiddleware(lambda req: None).)
        return CsrfViewMiddleware().process_view(request, check_uploadify_csrf, None, None) is None


    @csrf_exempt
    def some_view(request):
        if not check_uploadify_csrf(request):
            return HttpResponseForbidden()
        # do some actions
        ...
@ginad I used the uploadify option formData to send the CSRF token to the backend:
    formData: {csrfmiddlewaretoken: '{{ csrf_token }}'},
Thanks,
Sultan
Answer 3:
Thanks to http://blog.fogtunes.com/2009/11/howto-integrate-swfupload-with-django/ I was able to solve my problem.
Javascript:
    // Return the value of the cookie named cname, or false if it is not set.
    function getCookie(cname) {
        var i, x, y, ARRcookies = document.cookie.split(";");
        for (i = 0; i < ARRcookies.length; i++) {
            // split each "name=value" pair on its first "=" only
            x = ARRcookies[i].substr(0, ARRcookies[i].indexOf("="));
            y = ARRcookies[i].substr(ARRcookies[i].indexOf("=") + 1);
            x = x.replace(/^\s+|\s+$/g, "");   // trim whitespace around the name
            if (x == cname) {
                return decodeURIComponent(y);   // cookie values are percent-encoded
            }
        }
        return false;
    }

    // csrf_token is assumed to have been rendered into the page by the
    // template, e.g. var csrf_token = '{{ csrf_token }}';
    var data = { sessionid: getCookie('sessionid'), csrfmiddlewaretoken: csrf_token };
    $('#file_upload').uploadify({
        // pass the cookie and the csrftoken
        scriptData : data,
        ....   // other codes
    });
Middleware:
    # insert after: 'django.middleware.common.CommonMiddleware'
    # (the class name is illustrative; on Django 1.10+ subclass
    # django.utils.deprecation.MiddlewareMixin instead of object)
    class UploadifyCookieMiddleware(object):
        def process_request(self, request):
            if request.method == 'POST':
                # Copy the values uploadify posted into the cookie jar, so the
                # session and CSRF middleware further down the stack find them.
                # Note that this makes CsrfViewMiddleware compare the posted
                # token against a copy of that same posted token.
                if 'csrfmiddlewaretoken' in request.POST:
                    request.COOKIES['csrftoken'] = request.POST['csrfmiddlewaretoken']
                if 'sessionid' in request.POST:
                    request.COOKIES['sessionid'] = request.POST['sessionid']
Because uploadify is not passing the cookie, I need to pass it using POST; then, before processing the view, the middleware will set the cookie.
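All three answers turn on the same check: Django's CsrfViewMiddleware compares the csrfmiddlewaretoken field in the POST body against the csrftoken cookie, and the Flash uploader's problem is that the cookie never arrives. As an added example (my own code, not Django's and not from any of the answers), the pure-Python model below reproduces that double-submit check, including the token masking current Django uses, and runs the four requests that matter here: a normal browser form post, the uploader's post with a correct token but no cookie (the 403 the question describes), a cross-site forgery with no cookie, and that same forgery after a middleware like the one in answer 3 has copied the posted token into request.COOKIES. The names csrf_check, normalize, copy_post_into_cookies and demo are mine; the cookie and field names are Django's defaults.

```python
"""Model of Django's double-submit CSRF check (csrftoken cookie vs. posted token)."""
import hmac
import secrets
import string

CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits  # 62 symbols, as in Django
CSRF_SECRET_LENGTH = 32                                    # length of the cookie secret
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH                 # mask + masked secret


def _random_chars(n):
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(n))


def new_secret():
    """The per-client secret Django stores in the csrftoken cookie."""
    return _random_chars(CSRF_SECRET_LENGTH)


def mask_secret(secret, mask=None):
    """Render a form token: mask || (secret + mask) mod 62, character by character.
    Each render gets a fresh mask, so the form value changes while still
    verifying against the one cookie secret."""
    mask = mask or _random_chars(CSRF_SECRET_LENGTH)
    cipher = "".join(
        CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(s) + CSRF_ALLOWED_CHARS.index(m)) % 62]
        for s, m in zip(secret, mask)
    )
    return mask + cipher


def unmask_token(token):
    """Inverse of mask_secret: recover the 32-char secret from a 64-char token."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    return "".join(
        CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(c) - CSRF_ALLOWED_CHARS.index(m)) % 62]
        for c, m in zip(cipher, mask)
    )


def normalize(value):
    """Accept either a 32-char secret or a 64-char masked token and reduce it
    to the secret; return None for anything malformed (Django does the same
    for both the cookie and the posted field)."""
    if value is None or any(c not in CSRF_ALLOWED_CHARS for c in value):
        return None
    if len(value) == CSRF_TOKEN_LENGTH:
        return unmask_token(value)
    if len(value) == CSRF_SECRET_LENGTH:
        return value
    return None


def csrf_check(cookies, post):
    """The middleware decision for one POST. Returns (accepted, reason)."""
    secret = normalize(cookies.get("csrftoken"))
    if secret is None:
        return False, "CSRF cookie not set"
    token = normalize(post.get("csrfmiddlewaretoken"))
    if token is None:
        return False, "CSRF token missing or incorrect"
    if not hmac.compare_digest(token, secret):   # constant-time compare
        return False, "CSRF token incorrect"
    return True, "ok"


def copy_post_into_cookies(cookies, post):
    """What answer 3's middleware does before the CSRF check runs."""
    cookies = dict(cookies)
    if "csrfmiddlewaretoken" in post:
        cookies["csrftoken"] = post["csrfmiddlewaretoken"]
    return cookies


def demo():
    """Constructed requests covering the cases discussed in the answers."""
    secret = new_secret()                       # the victim's csrftoken cookie
    browser_cookies = {"csrftoken": secret}
    form_token = mask_secret(secret)            # what {{ csrf_token }} renders
    forged_token = mask_secret(new_secret())    # attacker never saw the real secret
    results = {}
    # 1. normal browser form post: cookie present, matching token
    results["browser_form"] = csrf_check(browser_cookies, {"csrfmiddlewaretoken": form_token})[0]
    # 2. the Flash uploader: correct token in the body but no cookie sent -> 403
    results["flash_no_cookie"] = csrf_check({}, {"csrfmiddlewaretoken": form_token})[0]
    # 3. cross-site forgery: no cookie, well-formed token for the wrong secret
    results["forged_plain"] = csrf_check({}, {"csrfmiddlewaretoken": forged_token})[0]
    # 4. the same forgery after the posted token has been copied into the cookie jar
    forged_post = {"csrfmiddlewaretoken": forged_token}
    results["forged_after_copy"] = csrf_check(copy_post_into_cookies({}, forged_post), forged_post)[0]
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:18s} -> {'accepted' if accepted else 'rejected'}")
```

The fourth case is the one to run before adopting the middleware in answer 3: because the posted token is copied into request.COOKIES before CsrfViewMiddleware reads the cookie, the comparison is between the posted value and a copy of itself, so any POST that carries a well-formed csrfmiddlewaretoken passes, on every view the middleware sees, not only the upload view. That is a wider exemption than the @csrf_exempt the question wanted to avoid. Answer 1's fix (make the Flash client send the cookie) and answer 2's formData approach keep the check meaningful because the cookie still has to come from the browser.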
Source: https://stackoverflow.com/questions/5658120/fixing-django-csrf-error-when-using-uploadify