Django @csrf_exempt不能在类视图中工作 [英] Django @csrf_exempt not working in class View
问题描述
我在做这些请求抛出邮递员,这是我到目前为止:
settings.py
MIDDLEWARE_CLASSES = [
'corsheaders.middleware.CorsMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.cache。 UpdateCacheMiddleware',
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'a9.utils.middleware.LocaleMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'a9.core。 access.middleware.AccessMiddleware',
'django.contrib.auth.middleware.SessionAuthenti阳光中间件',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'django.middleware.cache.FetchFromCacheMiddleware',
]
OAUTH2_PROVIDER = {
#这是可用范围的列表
'SCOPES':{'read':'读取范围','写入':'写入范围','groups':'访问你的组'}
}
CORS_ORIGIN_ALLOW_ALL = True
CORS_ALLOW_METHODS =(
'DELETE',
'GET ',
'OPTIONS',
'PATCH',
'POST',
'PUT',
)
CORS_ALLOW_HEADERS =(
'accept',
'accept-encoding',
'authorization',
'content-type',
'dnt',
'origin',
'user-agent',
'x-csrftoken',
'x-requested-with',
)
REST_FRAMEWORK = {
#使用Django的标准d`django.contrib.auth`权限,
#或允许未经身份验证的用户的只读访问。
'DEFAULT_PERMISSION_CLASSES':[
'rest_framework.permissions.DjangoModelPermissionsOrAnonReadOnly',
#'rest_framework.permissions.IsAuthenticated',
],
'DEFAULT_AUTHENTICATION_CLASSES':(
'oauth2_provider.ext.rest_framework.OAuth2Authentication',
#'rest_framework.authentication.TokenAuthentication',
)
}
urls.py
urlpatterns = [
url(r'^ v1 /',include([
url(r'^',include(router.urls)),
url(r'^ auth /', MyAuthentication.as_view()),
url(r'^ o /',include('oauth2_provider.urls',namespace ='oauth2_provider')),
url(r'^ admin /',include (admin.site.urls)),
]))
]
views.py
@method_decorator(csrf_exempt,name ='dispatch')
M级yAuthentication(TemplateView):
def post(self,request,* args,** kwargs):
return HttpResponse('Hello,World!')
此后,我总是遇到一个CSRF验证失败的错误。
我在django-rest-framework的IRC频道中问了这个问题,但我还没有回答。请,任何建议将非常感谢。
我找到了解决方法。您需要创建一个在任何Session Middlewares之前调用的中间件,然后检查您所需的URL或应用程序以免除CSRF令牌验证。所以代码将如下所示:
settings.py
MIDDLEWARE_CLASSES = [
'api.middleware.DisableCSRF',#自定义中间件API
'corsheaders.middleware.CorsMiddleware',
'django.middleware.common .CommonMiddleware',
'django.middleware.cache.UpdateCacheMiddleware',
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'a9.utils.middleware.LocaleMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth .middleware.AuthenticationMiddleware',
'a9.core.access.middleware.AccessMiddleware',
'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
'django.contrib.messages.middleware .MessageMiddleware',
'django.middleware.clickjacking.XF rameOptionsMiddleware',
'django.middleware.cache.FetchFromCacheMiddleware',
]
urls.py
app_name =api
urlpatterns = [
url(r'^ v1 /',include([
url(r'^',include(router.urls)),
url(r'^ auth /',MyAuthentication .as_view()),
url(r'^ o /',include('oauth2_provider.urls',namespace ='oauth2_provider')),
url(r'^ admin /',include admin.site.urls)),
]))
]
csrf_disable.py
from django.core.urlresolvers import resolve
class DisableCSRF(object):
在指定的应用程序名称中禁用CSRF的中间件。
def process_request(self,request):
预处理请求。
app_name =api
如果resolve(request.path_info).app_name == app_name:
setattr(request,'_dont_enforce_csrf_checks',True)
else:
pass#检查CSRF令牌验证
这将只检查CSRF令牌具体的应用程序或URL,而不需要删除所有的CSRF。另外,这是django-rest-framework independent:)
I have an application in Django 1.9 that uses SessionMiddleware. I would like to create an API for this application inside the same project, but when doing a POST request it does not work the @csrf_exempt annotation.
I am doing the requests throw Postman and this is what I have so far:
settings.py
MIDDLEWARE_CLASSES = [
'corsheaders.middleware.CorsMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.cache.UpdateCacheMiddleware',
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'a9.utils.middleware.LocaleMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'a9.core.access.middleware.AccessMiddleware',
'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'django.middleware.cache.FetchFromCacheMiddleware',
]
OAUTH2_PROVIDER = {
# this is the list of available scopes
'SCOPES': {'read': 'Read scope', 'write': 'Write scope', 'groups': 'Access to your groups'}
}
CORS_ORIGIN_ALLOW_ALL = True
CORS_ALLOW_METHODS = (
'DELETE',
'GET',
'OPTIONS',
'PATCH',
'POST',
'PUT',
)
CORS_ALLOW_HEADERS = (
'accept',
'accept-encoding',
'authorization',
'content-type',
'dnt',
'origin',
'user-agent',
'x-csrftoken',
'x-requested-with',
)
REST_FRAMEWORK = {
# Use Django's standard `django.contrib.auth` permissions,
# or allow read-only access for unauthenticated users.
'DEFAULT_PERMISSION_CLASSES': [
'rest_framework.permissions.DjangoModelPermissionsOrAnonReadOnly',
#'rest_framework.permissions.IsAuthenticated',
],
'DEFAULT_AUTHENTICATION_CLASSES': (
'oauth2_provider.ext.rest_framework.OAuth2Authentication',
#'rest_framework.authentication.TokenAuthentication',
)
}
urls.py
urlpatterns = [
url(r'^v1/', include([
url(r'^', include(router.urls)),
url(r'^auth/', MyAuthentication.as_view()),
url(r'^o/', include('oauth2_provider.urls', namespace='oauth2_provider')),
url(r'^admin/', include(admin.site.urls)),
])),
]
views.py
@method_decorator(csrf_exempt, name='dispatch')
class MyAuthentication(TemplateView):
def post(self, request, *args, **kwargs):
return HttpResponse('Hello, World!')
After this I get always a CSRF verification failed error.
I asked this question in the IRC channel of django-rest-framework but I still have no answer. Please, any advice will be very appreciated.
I found out the way to solve this. You need to create a middleware that calls before any Session Middlewares and then check against your desired urls or app to exempt the CSRF token validation. So, the code would be like this:
settings.py
MIDDLEWARE_CLASSES = [
'api.middleware.DisableCSRF', # custom middleware for API
'corsheaders.middleware.CorsMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.cache.UpdateCacheMiddleware',
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'a9.utils.middleware.LocaleMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'a9.core.access.middleware.AccessMiddleware',
'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'django.middleware.cache.FetchFromCacheMiddleware',
]
urls.py
app_name = "api"
urlpatterns = [
url(r'^v1/', include([
url(r'^', include(router.urls)),
url(r'^auth/', MyAuthentication.as_view()),
url(r'^o/', include('oauth2_provider.urls', namespace='oauth2_provider')),
url(r'^admin/', include(admin.site.urls)),
])),
]
csrf_disable.py
from django.core.urlresolvers import resolve
class DisableCSRF(object):
"""Middleware for disabling CSRF in an specified app name.
"""
def process_request(self, request):
"""Preprocess the request.
"""
app_name = "api"
if resolve(request.path_info).app_name == app_name:
setattr(request, '_dont_enforce_csrf_checks', True)
else:
pass # check CSRF token validation
This will only check CSRF token against a specific app or url without removing all the CSRF. Also, this is django-rest-framework independent :)
这篇关于Django @csrf_exempt不能在类视图中工作的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!