About Pyramid web framework error: CSRF token is missing or invalid


1. Jinja2 template file:

<!DOCTYPE html>
<html>
<head>
    <title>image upload demo</title>
</head>
<body>
<form action="{{ imgup_url }}" method="post" accept-charset="utf-8"
      enctype="multipart/form-data">
    {# no name attribute: a browser never submits this field, whatever its id #}
    <input type=hidden id="token" value="{{ token }}">
    <label for="filename">File:</label>
    <input id="pictitle" name="pictitle" type="text" value="okkk" />
    <input id="upfile" name="upfile" type="file" value="" />

    <input id="button" type="submit" value="upload" />
</form>
</body>
</html>

2. views.py file:

from pyramid.response import Response
from pyramid.view import view_config
from pyramid_simpleform import Form  # assumed origin of Form; the post does not show the import

# ImgUpSchema and __myuploadfile are defined elsewhere in the module (not shown in the post)


@view_config(permission='post', route_name='imgup',
             renderer='shootout:jinja2/imgup.jinja2',
             check_csrf=False)
def ueditor_ImgUp(request):
    """ upload image """
    form = Form(request, schema=ImgUpSchema)
    # new_csrf_token() replaces the session token on every request,
    # including the POST that carries the token rendered on the previous GET
    token1 = request.session.new_csrf_token()
    if 'form.submitted' in request.params:
        token2 = request.session.get_csrf_token()
        if token2 != request.POST['csrf_token']:
            raise ValueError('CSRF token did not match')
        print("imgup is login begin!!!")
        source_pictitle = request.POST.get('pictitle')
        upload = request.POST['upfile']        # cgi.FieldStorage for the file field
        source_filename = upload.filename
        fileObj = upload.file                  # file-like object; undefined in the original post

        response = Response()
        myresponse = __myuploadfile(fileObj, source_pictitle, source_filename, 'pic')
        response.write(myresponse)
        print("imgup is success!!!")
        return response
    else:
        return {'imgup_url': '/imgup', 'token': token1}

3. __init__.py file:

from pyramid.authentication import SessionAuthenticationPolicy
from pyramid.authorization import ACLAuthorizationPolicy
from pyramid.config import Configurator
from pyramid.session import UnencryptedCookieSessionFactoryConfig
from sqlalchemy import engine_from_config

# DBSession, RootFactory and addroutes are the project's own (not shown in the post);
# the main() wrapper, config.scan() and make_wsgi_app() are added so the fragment runs


def main(global_config, **settings):
    engine = engine_from_config(settings, 'sqlalchemy.')
    DBSession.configure(bind=engine)

    # Signed but not encrypted: the client can read the cookie contents, CSRF
    # token included. That is acceptable for a CSRF token, but nothing secret
    # belongs in this session.
    session_factory = UnencryptedCookieSessionFactoryConfig(
        settings['session.secret']
        )

    authn_policy = SessionAuthenticationPolicy()
    authz_policy = ACLAuthorizationPolicy()

    config = Configurator(
        settings=settings,
        root_factory=RootFactory,
        authentication_policy=authn_policy,
        authorization_policy=authz_policy,
        session_factory=session_factory
        )

    config.add_static_view('static', 'shootout:static')
    config.add_static_view('html', 'shootout:html')
    config.include(addroutes)
    config.add_route('imgup', '/imgup')
    config.scan()  # registers the @view_config views
    return config.make_wsgi_app()

When the upload button is submitted it shows: 403 Forbidden. Access was denied to this resource. CSRF token is missing or invalid

How do I solve this problem? Thanks.


Solution

  • A Pyramid HTML POST needs a csrf_token, so I did:

    view:

    csrf_token = request.session.get_csrf_token()  # reuses the session token; no rotation per request
    return {'csrf_token': csrf_token}
    

    template(Jinja2):

    {# the name attribute is what the browser submits and what check_csrf_token reads #}
    <input id="_csrf" type="hidden" name="csrf_token" value="{{ csrf_token }}"/>
    

    success~
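The token round trip behind the answer, as an added example that is not part of the original post and not Pyramid's own code. A plain dict stands in for request.session, the token is kept under the "_csrft_" key (the key Pyramid's cookie session uses, chosen here for familiarity), and the browser is simulated by extracting from the rendered form only the controls a real browser would submit, that is, the ones with a name attribute. The simulation reproduces both defects visible in the question: the hidden field that has an id but no name, and a view that calls new_csrf_token() on every request, so the token compared on the POST is never the one that was rendered. The check itself follows the lookup order of pyramid.session.check_csrf_token (form field, then X-CSRF-Token header) and compares in constant time.

```python
"""Synchronizer-token CSRF check modelled on the Pyramid flow in the answer.

Added example: not code from the post and not Pyramid's implementation.
A dict stands in for request.session, the token lives under "_csrft_"
(the key Pyramid's cookie session uses), and the browser is simulated by
collecting only the named controls from the rendered form.
"""
import hmac
import secrets
from html.parser import HTMLParser

SESSION_KEY = "_csrft_"


def get_csrf_token(session):
    """Return the session token, minting one on first use
    (the role of request.session.get_csrf_token())."""
    if SESSION_KEY not in session:
        session[SESSION_KEY] = secrets.token_hex(20)
    return session[SESSION_KEY]


def new_csrf_token(session):
    """Replace the session token (the role of request.session.new_csrf_token())."""
    session[SESSION_KEY] = secrets.token_hex(20)
    return session[SESSION_KEY]


def check_csrf_token(session, params, headers=None,
                     token="csrf_token", header="X-CSRF-Token"):
    """True only if the submitted token equals the session token.

    Same lookup order as pyramid.session.check_csrf_token: the form field
    first, then the header. A missing token on either side never matches,
    and the comparison is constant-time.
    """
    supplied = params.get(token)
    if supplied is None and headers is not None:
        supplied = headers.get(header)
    expected = session.get(SESSION_KEY)
    if not supplied or not expected:
        return False
    return hmac.compare_digest(str(supplied).encode("utf-8"),
                               str(expected).encode("utf-8"))


class _FormDataSet(HTMLParser):
    """Collect the name/value pairs a browser would send for the form.

    An <input> without a name is never part of the submitted data, whatever
    its id is, which is why the question's hidden field with id="token" but
    no name never reached request.POST.
    """

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = dict(attrs)
        name = attr.get("name")
        if name:
            self.fields[name] = attr.get("value") or ""


def submitted_fields(html):
    """Return the fields a browser would POST for the given form markup."""
    parser = _FormDataSet()
    parser.feed(html)
    return parser.fields


def render_form(csrf_token, field_has_name):
    """Render the upload form with either the broken or the working hidden field."""
    if field_has_name:
        hidden = '<input type="hidden" name="csrf_token" value="%s"/>' % csrf_token
    else:
        hidden = '<input type="hidden" id="token" value="%s"/>' % csrf_token
    return ('<form method="post">%s'
            '<input name="pictitle" type="text" value="okkk"/>'
            '<input id="button" type="submit" value="upload"/></form>' % hidden)


def simulate_round_trip(field_has_name, rotate_on_post):
    """GET renders the form, the browser submits it, the POST checks the token.

    rotate_on_post reproduces the question's view, which calls
    new_csrf_token() on every request, so the token compared on the POST is
    not the one that was rendered into the form.
    """
    session = {}
    token = get_csrf_token(session)              # GET: issue and render the token
    params = submitted_fields(render_form(token, field_has_name))
    if rotate_on_post:                           # POST: the question's view rotates first
        new_csrf_token(session)
    return check_csrf_token(session, params)


if __name__ == "__main__":
    print("named field, token kept:   ", simulate_round_trip(True, False))   # True
    print("id-only field, token kept: ", simulate_round_trip(False, False))  # False
    print("named field, token rotated:", simulate_round_trip(True, True))    # False
```

Only the combination the answer arrives at (a named hidden field plus get_csrf_token() on both the GET and the POST) passes; either defect on its own is enough to make every submission fail the check.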