Hi,
I’ve been working on an old django site and trying to add an extra view method that I access from a 3rd party application that I’m updating. I’ve tried Postman and this doesn’t work either. I don’t know how I can get my remote application to get a csrf token when I don’t log in to the website. I’m using chilkat activex to build up the http request and I can get the GET to work and the post is now working but I’ve run into the CSRF problem. It’s been 2 weeks for me to get here so I’m feeling a bit deflated.
I guess I’m trying to add a little api to an existing project (django app).
I have an existing view and I’ve added a new method so I can get my remote software to try and POST a request but it keeps failing and I’m afraid I don’t understand the responses given to the same problem that others are having.
I’ve added a decorator in the line before the method and imported csrf_exempt into staff.py, which is really long, so I’m just putting the essential code here.
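```python
from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt


@csrf_exempt  # marks this view so CsrfViewMiddleware skips its check
def supptool(request):
    print("request.method= ", request.method)
    request_str = "Method: {0}, Path: {1}, GET Params: {2}, POST Params: {3} ".format(
        request.method, request.path, request.GET, request.POST)
    print("request=", request_str)
    # The excerpt did not show where `response` is created; an empty
    # HttpResponse is assumed here so the snippet runs.
    response = HttpResponse()
    response['SupportStatus'] = "TEST"  # sets a response header
    return response
```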
At the top of the py file I have added `from django.views.decorators.csrf import csrf_exempt`.
I have updated the urls.py with the new url and it correctly calls the method in the view as the get works perfectly.
The urls.py has the following in and is working (as the get works):-
```python
urlpatterns += [
    url(r'^default/$',  # this works
        staff.supptool,
        name='supptool'),
]
```
Is there anyone who can help and explain it in simple terms? Many of the answers I have seen assume you’re a seasoned django developer and I’m afraid I’m not.
I’d really appreciate a guiding hand.
Oh, it’s an old django app 1.8 (I know it should be upgraded but that’s another job for the future along with the whole server). I’m extending django.helpdesk which has been working for years and I’m not wanting to kill the website as that’s working.
I’m getting a 403 error
# Forbidden (403)
CSRF verification failed. Request aborted.
Note when I tested this on a copy of the code locally with `python manage.py runserver 8000` it works, but I think the settings.py hasn’t got csrf turned on for the testing runserver but the live website must have it turned on for the existing application.
It’s django working on an apache server that is not.
I’m not using a django template view as the client; I’m using a 3rd party app that I’m programming to send get and post requests.
My client code goes like this:-
```foxpro
LOCAL loReq as chilkat_9_5_0.HttpRequest
LOCAL loHttp as CHILKAT_9_5_0.Http
LOCAL lcJsonText
LOCAL loResp
SET SAFETY OFF
_screen.Cls()
loGlob = CreateObject('Chilkat_9_5_0.Global')
lnSuccess = loGlob.UnlockBundle("KEY")
loHttp = CreateObject('Chilkat_9_5_0.Http')
loReq = CreateObject('Chilkat_9_5_0.HttpRequest')
lohttp.VerboseLogging=1
loreq.VerboseLogging=1
loReq.HttpVerb = "POST"
*loreq.path="/support/default/"
loreq.SendCharset=1
loreq.charset="windows-1250"
loreq.AddHeader("HTTP_USER_AGENT","Support")
loreq.AddHeader("HTTP_REFERER","https://hostname/en/support/")
loreq.contentType = "application/x-www-form-urlencoded"
loreq.AddParam("action", "checksupported")
loreq.AddParam("user", "Fred")
loreq.AddParam("password", "nopw")
loreq.AddParam("system", "zzz")
loreq.AddParam("shipno", "zzz")
loreq.AddHeader("xSupportTool","xSupportTool")
?"header", loreq.EntireHeader
?"params=",loreq.NumParams
loresp = lohttp.PostUrlEncoded("https://hostname/en/support/default/", loreq)
?"header", loreq.EntireHeader
IF (loHttp.LastMethodSuccess <> 1) THEN
    ? loHttp.LastErrorText
ELSE
    * Display the JSON response.
    ? loResp.BodyStr
    ?loresp.ContentLength
    ?loresp.Header
    RELEASE loResp
ENDIF
RELEASE loReq
RELEASE loHttp
SET SAFETY ON
```
I’ve also tried it on POSTMAN and I get the same csrf error 403, so at least I have my client code working properly. I was using gets originally but I don’t want to expose the details of the calls in the url. I can also send username/password in the http request.
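An added example, not part of the original post: Django's CsrfViewMiddleware skips its check only when the callable the URLconf resolved to carries the attribute `csrf_exempt = True`, which is what the `@csrf_exempt` decorator sets. The standalone model below uses no Django import; `csrf_gate`, `plain_wrapper` and `preserving_wrapper` are hypothetical names. It shows how a GET can succeed while a POST returns 403 when that marker is hidden by an outer wrapper.

```python
import functools

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")

def csrf_exempt(view):
    """Stand-in for Django's csrf_exempt: wraps the view and marks the wrapper."""
    @functools.wraps(view)
    def wrapped(*args, **kwargs):
        return view(*args, **kwargs)
    wrapped.csrf_exempt = True
    return wrapped

def plain_wrapper(view):
    """Hypothetical outer decorator that does NOT copy the view's attributes."""
    def inner(request, *args, **kwargs):
        return view(request, *args, **kwargs)
    return inner

def preserving_wrapper(view):
    """Same wrapper, but functools.wraps copies __dict__, marker included."""
    @functools.wraps(view)
    def inner(request, *args, **kwargs):
        return view(request, *args, **kwargs)
    return inner

def csrf_gate(callback, method, token_ok=False):
    """Simplified model of the middleware's decision; returns an HTTP status."""
    if getattr(callback, "csrf_exempt", False):
        return 200  # exempt: no CSRF check is made at all
    if method in SAFE_METHODS:
        return 200  # safe methods are never checked
    return 200 if token_ok else 403

def supptool(request):  # constructed stand-in for the view in the post
    return "TEST"

exempt = csrf_exempt(supptool)
lost = plain_wrapper(csrf_exempt(supptool))       # marker hidden by outer wrapper
kept = preserving_wrapper(csrf_exempt(supptool))  # marker survives

def report():
    """Status for each (callable, method) pair, as the gate would decide."""
    views = {"undecorated": supptool, "exempt": exempt, "lost": lost, "kept": kept}
    return {(n, m): csrf_gate(v, m) for n, v in views.items() for m in ("GET", "POST")}

if __name__ == "__main__":
    for key, status in sorted(report().items()):
        print(key, status)
```

On a real Django 1.8 project the same check can be made in `manage.py shell`: `django.core.urlresolvers.resolve('/en/support/default/').func` returns the callable that is actually dispatched, and `getattr(func, 'csrf_exempt', False)` shows whether the marker is present. An exempted view gets no CSRF protection from the middleware, so any check on who may call it has to be made in the view itself.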