
Django - AJAX-SELECT 403 Forbidden


I made a lookup channel, using django-ajax-select, for a field on Model Areas, to use on my ModelForm to select fields when I create or edit a UserProfile.

from django import forms
from ajax_select import make_ajax_field

from mycu.models import UserProfile  # adjust to wherever UserProfile is defined

class FormRegisterProfile(forms.ModelForm):

    class Meta:
        model = UserProfile
        exclude = ('user',)  # trailing comma needed: ('user') is just a string

    # both fields use the 'areas2' channel declared in AJAX_LOOKUP_CHANNELS
    interests = make_ajax_field(UserProfile, 'interests', 'areas2', help_text=True)
    expertise = make_ajax_field(UserProfile, 'expertise', 'areas2', help_text=True)

What happens is, when I'm logged in with a user that does not have admin permission, I get this line on the server:

[16/Aug/2012 14:56:12] "GET /profile/ajax_lookup/areas2?term=g HTTP/1.1" 403 22

my url.py

# both prefixes include the same ajax_select lookup views
(r'^admin/lookups/', include(ajax_select_urls)),
(r'^profile/', include(ajax_select_urls)),
url(r'^profile/edit/$', 'mycu.views.EditUserProfile', {}, 'register.html'),
url(r'^admin/', include(admin.site.urls)),

my lookup channel:

AJAX_LOOKUP_CHANNELS = {
    # simple channel: model path plus the field to search
    'areas'  : {'model': 'mycu.areas', 'search_field': 'type'},
    # custom channel: module path plus the LookupChannel class name
    'areas2' : ('mycu.lookups', 'AreasLookup'),
}

my lookups.py

from django.db.models import Q
from django.utils.html import escape
from ajax_select import LookupChannel

from mycu.models import Areas  # adjust to wherever Areas is defined

class AreasLookup(LookupChannel):

    model = Areas

    def get_query(self, q, request):
        """ objects matching what the user typed, ordered for the dropdown """
        return Areas.objects.filter(Q(type__icontains=q)).order_by('type')

    def get_result(self, obj):
        u""" result is the simple text that is the completion of what the person typed """
        return obj.type

    def format_match(self, obj):
        """ (HTML) formatted item for display in the dropdown """
        return self.format_item_display(obj)

    def format_item_display(self, obj):
        """ (HTML) formatted item for displaying item in the selected deck area """
        return u"%s" % (escape(obj.type))

Without the 'make_ajax_field' lines on the ModelForm, I can easily access the model Areas.

What I haven't figured out is:

What's the relationship between admin/lookups?

thanks,


Solution

  • The default permissions for django-ajax-selects require the user to be staff (user.is_staff). See the README note on changing this default in your LookupChannel: https://github.com/crucialfelix/django-ajax-selects#check_authselfrequest

    check_auth(self,request):

    To ensure that nobody can get your data via json simply by knowing the URL. The default is to limit it to request.user.is_staff and raise a PermissionDenied exception. By default this is an error with a 401 response, but your middleware may intercept and choose to do other things.

    Public facing forms should write a custom LookupChannel to implement as needed. Also you could choose to return HttpResponseForbidden("who are you?") instead of raising PermissionDenied

    This incorrectly states that it will return a 401 status code when in fact Django will handle the PermissionDenied with a 403 response like you are seeing.
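As an added example (not code from the question, the answer, or the django-ajax-selects project itself), here is what overriding check_auth on the asker's AreasLookup looks like when the profile form is meant for ordinary logged-in users rather than staff. It still refuses anonymous and inactive users, so the JSON endpoint does not become public just because its URL is known. The try/except stand-ins for LookupChannel and PermissionDenied only exist so the file runs where Django and ajax_select are not installed; the user attributes (is_authenticated, is_active, is_staff) are the standard Django ones, and the fake request objects at the bottom are constructed test data.

```python
# Added example: relax django-ajax-selects' default "staff only" check_auth
# to "any active, authenticated user". Not the project's own code.
try:
    from django.core.exceptions import PermissionDenied
except ImportError:  # stand-in so this file imports without Django
    class PermissionDenied(Exception):
        pass

try:
    from ajax_select import LookupChannel
except Exception:  # stand-in mirroring the upstream default (staff only)
    class LookupChannel(object):
        model = None

        def check_auth(self, request):
            if not request.user.is_staff:
                raise PermissionDenied


class AreasLookup(LookupChannel):
    """Lookup channel for Areas, usable by any logged-in user (not just staff)."""

    def check_auth(self, request):
        # Upstream raises PermissionDenied unless request.user.is_staff, which
        # Django turns into the 403 seen in the question. Here we only require
        # an active, authenticated user; anonymous callers are still rejected.
        user = getattr(request, "user", None)
        if user is None:
            raise PermissionDenied("no user on request")
        authenticated = user.is_authenticated
        if callable(authenticated):  # method in Django < 1.10, property later
            authenticated = authenticated()
        if not authenticated or not getattr(user, "is_active", False):
            raise PermissionDenied("login required for lookups")


def lookup_allowed(channel, request):
    """True if channel.check_auth accepts the request, False if it raises
    PermissionDenied. Convenient for unit-testing a channel's policy."""
    try:
        channel.check_auth(request)
    except PermissionDenied:
        return False
    return True


if __name__ == "__main__":
    # Constructed fake user/request objects, not real Django instances.
    class FakeUser(object):
        def __init__(self, authenticated, active=True, staff=False):
            self.is_authenticated = authenticated
            self.is_active = active
            self.is_staff = staff

    class FakeRequest(object):
        def __init__(self, user):
            self.user = user

    channel = AreasLookup()
    print("logged-in non-staff:", lookup_allowed(channel, FakeRequest(FakeUser(True))))
    print("anonymous:", lookup_allowed(channel, FakeRequest(FakeUser(False))))
    print("default channel, non-staff:",
          lookup_allowed(LookupChannel(), FakeRequest(FakeUser(True))))
```

The override keeps the request/response contract the answer describes: it raises PermissionDenied rather than returning a response, so Django (or any middleware) still decides how the 403 is rendered. For a lookup that must stay admin-only, simply do not override check_auth.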