Why am I getting a 403 Forbidden error when using @csrf_exempt in an AJAX request?

Problem description

I am trying to write a very basic AJAX request in Django, and I keep getting the 403 Forbidden error in both the Chrome Dev and Django consoles. I posted a similar question the other day and have tried all of the proposed solutions, including @csrf_exempt (to rule out whether this is even a CSRF issue). I have also tried including csrfmiddlewaretoken: '{{ csrf_token }}' in the AJAX POST request (underneath data); this did not resolve the issue either. Here is my code.

def profile_listview(request, username,
    template_name=userena_settings.USERENA_PROFILE_DETAIL_TEMPLATE,
    extra_context=None, **kwargs):
    user = get_object_or_404(get_user_model(),
                             username__iexact=username)
    fullsalelist = Entry.objects.filter(author__username__iexact=username)

    @csrf_exempt
    def delete_object(request):
        if request.is_ajax():
            print "request is ajax"
            object_name = request.POST.get('entryname')
            targetobject = Entry.objects.get(headline=object_name)
            if request.user.username == targetobject.author:
                targetobject.delete()
                print "hello" 
            return HttpResponseRedirect('/storefront/')

And AJAX code in the template:

<script type="text/javascript">
    var my_app = {
      username: "{{ request.user.username }}"  
    };
</script>

<script>
 $(document).ready(function() {
    $(".delete_button").click(function() {
        var id = $(this).attr('id');
        $.ajax({
            type: "POST",
            url: "/accounts/" + my_app.username + "/listview/",
            data: { entryname:id },
        });
        return false;
    });
});
</script>

URLs

(r'^accounts/(?P<username>[\@\.\w-]+)/listview/$', profile_listview),

Things worth noting:

  1. I have CSRF middleware turned on in my settings.

  2. Inside the jQuery AJAX code, url and data are both sending the correct information.

  3. When I click the delete button, I get the 403 Forbidden error.

  4. The print "request is ajax" does not print in the console (or anywhere).

I am also confused because I am getting conflicting information. I was told I should add the csrf value via javascript (https://docs.djangoproject.com/en/1.7/ref/contrib/csrf/). This leaves me with 2 questions. 1. How is this any different than adding csrfmiddlewaretoken: '{{ csrf_token }}' in my POST request? and 2. More importantly, doesn't the fact that I still get a 403 error when using @csrf_exempt kind of make this a moot point?

Recommended answer

To my understanding, delete_object is a function inside profile_listview, but profile_listview didn't call it. Therefore, profile_listview has no HTTP response. Post the error message.
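The answer's point, as an added example that is not part of the original post or of Django's source: a simplified Python model of the CSRF check, assuming (as in Django) that `csrf_exempt` only sets a flag on the function it decorates and that the middleware inspects only the view the URL pattern resolves to. The names `csrf_gate`, `dispatch`, `delete_entry` and the token value are hypothetical, made up for this illustration.

```python
# Simplified model of Django's CSRF gate (not Django source). Assumption: the
# middleware inspects only the callable that the URLconf resolved to.
import hmac

def csrf_exempt(view):
    """Mimics django.views.decorators.csrf.csrf_exempt: flag the callable."""
    view.csrf_exempt = True
    return view

def csrf_gate(callback, method, cookie_token, sent_token):
    """Return 403 to reject the request, or None to let the view run."""
    if getattr(callback, "csrf_exempt", False):
        return None                      # exempt views skip the token check
    if method in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return None                      # safe methods are not checked
    if cookie_token and sent_token and hmac.compare_digest(cookie_token, sent_token):
        return None                      # token sent with the request matches
    return 403

def dispatch(callback, method, cookie_token=None, sent_token=None):
    """Run the gate, then the view; returns an HTTP status code."""
    blocked = csrf_gate(callback, method, cookie_token, sent_token)
    if blocked:
        return blocked
    return callback(method)

# The question's layout: the decorator lands on an inner function that the
# URLconf never sees, so the routed view carries no exemption flag.
def profile_listview(method):
    @csrf_exempt
    def delete_object(method):           # re-created per call, never invoked
        return 302
    return 200

# Restructured layout: a module-level view the URLconf can route to directly.
# It is left non-exempt so the token check still guards the delete action.
def delete_entry(method):
    return 302

TOKEN = "constructed-sample-token"       # constructed value for this example

if __name__ == "__main__":
    print(dispatch(profile_listview, "POST"))            # nested exemption ignored
    print(dispatch(delete_entry, "POST", TOKEN, TOKEN))  # token supplied
    print(dispatch(delete_entry, "POST", TOKEN, None))   # token missing
```
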
