
Django comments security_hash


Getting an error with a HiddenInput field called "security_hash"

It says in the documentation that, had I used {{ form }} in my template, these values would have been created automatically.

But I am not using a template, rather just the comments/post/ endpoint with POST data as follows:

[screenshot of the POST data; image not reproduced]

How can I get the security_hash value without this extra view to pass in as POST value?

Edit: I am thinking: would it be possible and advisable to pass the {{ form.security_hash }} value from the template/view to the form behind the scenes so this error can be averted?

Edit2: For clarification, the security_hash field in question is shown here in code. The security_hash value looks like it is being generated from the 'initial_security_hash' function, which uses the content_type, object_pk, and timestamp fields to generate a hash on line 73; this function is called on line 69.

Due to this I am also further confused as to why my input is not being accepted, as I pass in the content_type, object_pk, and timestamp fields.


Solution

  • This is happening because the security hash is generated from an instantiated CommentSecurityForm. Then the security hash value is included as a hidden field and passed back through the POST request, at which time it is validated.

    Even though you are passing the content_type, object_pk, and timestamp fields to the request, it doesn’t matter because you need to have the security_hash value before the POST request is submitted.

    Look at the doc here - https://github.com/django/django-contrib-comments/blob/master/django_comments/forms.py#L62

    I’m guessing you are not using the provided CommentSecurityForm, which would include the security validation fields automatically.

    If that assumption is correct, you should instantiate the form, something like

    from django_comments.forms import CommentSecurityForm

    my_form = CommentSecurityForm(target_object)  # the users.MyUser instance being commented on, not the model class
    security_dict = my_form.generate_security_data()

    Then, this security_dict contains the following keys - content_type, object_pk, timestamp, security_hash. You’ll then need to pass these values to whatever context your POST request initiates from and include them in the request for the security validation to pass.
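Added example, not part of the original question or answer and not django_comments' own code: a stand-alone re-implementation of the scheme the answer describes, runnable without Django. It shows why the POST in the question fails (content_type, object_pk and timestamp are present but the keyed security_hash is not, and it cannot be computed client-side without the server's SECRET_KEY), and the server-side checks a practitioner should expect: a constant-time compare of the HMAC and rejection of timestamps older than two hours. The salt string, the SHA-1 salted-HMAC construction and the two-hour window are taken from the linked forms.py and django.utils.crypto.salted_hmac as I read them; the SECRET_KEY, content_type and object_pk values are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed values for the example; in Django the key comes from settings.SECRET_KEY.
SECRET_KEY = "not-a-real-secret-key"
# Salt string used by CommentSecurityForm.generate_security_hash (assumption from forms.py).
KEY_SALT = "django.contrib.forms.CommentSecurityForm"
# django_comments rejects timestamps older than this (assumption from clean_timestamp).
TIMESTAMP_MAX_AGE = 2 * 60 * 60


def salted_hmac(key_salt, value, secret):
    """Mirror of django.utils.crypto.salted_hmac: key = sha1(salt + secret), HMAC-SHA1 over value."""
    key = hashlib.sha1((key_salt + secret).encode()).digest()
    return hmac.new(key, value.encode(), hashlib.sha1)


def generate_security_hash(content_type, object_pk, timestamp, secret=SECRET_KEY):
    """HMAC over 'content_type-object_pk-timestamp', as the hidden security_hash field carries it."""
    value = "-".join((content_type, object_pk, timestamp))
    return salted_hmac(KEY_SALT, value, secret).hexdigest()


def generate_security_data(content_type, object_pk, now=None, secret=SECRET_KEY):
    """What generate_security_data() hands to the template: the four hidden fields."""
    timestamp = str(int(time.time() if now is None else now))
    return {
        "content_type": content_type,
        "object_pk": object_pk,
        "timestamp": timestamp,
        "security_hash": generate_security_hash(content_type, object_pk, timestamp, secret),
    }


def validate_security_data(data, now=None, secret=SECRET_KEY):
    """Server-side validation of the POSTed fields. Returns (ok, reason)."""
    for field in ("content_type", "object_pk", "timestamp", "security_hash"):
        if field not in data:
            return False, "missing field: %s" % field
    try:
        ts = int(data["timestamp"])
    except ValueError:
        return False, "Timestamp check failed"
    current = int(time.time() if now is None else now)
    if current - ts > TIMESTAMP_MAX_AGE:
        return False, "Timestamp check failed"
    expected = generate_security_hash(
        data["content_type"], data["object_pk"], data["timestamp"], secret
    )
    # Constant-time compare so the hash cannot be recovered byte by byte via timing.
    if not hmac.compare_digest(expected, data["security_hash"]):
        return False, "Security hash check failed."
    return True, "ok"


def demo(now=1_700_000_000):
    """Walk through the cases from the question; returns the validation results by name."""
    good = generate_security_data("myapp.article", "7", now=now)
    # The POST from the question: the three plain fields, no security_hash.
    without_hash = {k: v for k, v in good.items() if k != "security_hash"}
    # An attacker (or a buggy client) changes the target object but keeps the old hash.
    tampered = dict(good, object_pk="8")
    return {
        "fresh": validate_security_data(good, now=now),
        "missing_hash": validate_security_data(without_hash, now=now),
        "tampered_pk": validate_security_data(tampered, now=now),
        "stale": validate_security_data(good, now=now + 3 * 60 * 60),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point for the question: there is no way to supply a valid security_hash from the client alone, so the values must come from a server-side `generate_security_data()` call (or from rendering the form) and be round-tripped within the two-hour window.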