Search code examples
pythondjangodjango-csrf

How to handle with csrf-protecting in Django views?

Hello and thank your for your response.

1) I have a model with text and digit

class Mention(models.Model):
    mentionn = models.ForeignKey(Step, on_delete=models.CASCADE)
    mention_text = models.TextField()
    mention_digit = models.IntegerField()

2) A made custom from (not a django, so it is without any modelForm and so on), which request text and digit

<form action="/addcomment{{ stepid }}" method="post">
{% csrf_token %}
<label>
Your text
<textarea name = "mention_text" class="text-area-width" placeholder="You rваш отзыв"></textarea>
</label>
    <label>How much stars?
        <select name="mention_digit">
            <option value="5">5 star</option>
            <option value="4">4 star</option>
            <option value="3">3 star</option>
            <option value="2">2 star</option>
            <option value="1">1 star</option>
        </select>
        </label>
    <input type="submit" class="success expanded button" value="publish"/>
</form>

3) Next i made an view, that genetate it:

def addcomment(request, step_id):
    done = csrf(request)
    if request.POST:
       mentionn = Step(id=step_id)
       mention_text = request.POST.get('mention_text', '')
        mention_digit = request.POST.get('mention_digit', '')
        mentionn_obj = Mention(mentionn=mentionn, mention_text=mention_text, mention_digit=mention_digit)
        mentionn_obj.save()        
    return redirect('/step'+ step_id, done)

And it raise a problem, that csrf_token missing or incorrect. If i set a @csrf_exempt decorator on my view eveything is works (but protection is switched off).

So my task is to make it works. I don't want use django forms, as it is rather harde to cusomize and make look nice.

Global model for web-page:

class Step(models.Model):
    title = models.CharField(max_length=200)
    description = models.CharField(max_length=200)
    annotation = models.TextField()
    main_text = models.TextField()
    main_photo = models.ImageField(upload_to='', height_field=None, width_field=None, max_length=100)
    true_question = models.TextField()
    true_answer = models.TextField()
    true_link = models.CharField(max_length=200, default="http://lieman.ru/exshelp/")

View, that generate all page:

def step(request, step_id):
    stepfields = get_object_or_404(Step, id = step_id)
    navigators = Navigation_bar.objects.filter(navigatorr_id = step_id)
    mentionship = Mention.objects.filter(mentionn_id = step_id)
    username = auth.get_user(request).username
    stepid = step_id
    context = {
        "stepfieldst" : stepfields,
        "navigators" : navigators,
        "mentionship" : mentionship,
        "stepid" : stepid,
        "username" : username,
    }
    return render_to_response('bakot/step.html', context)
Solution

  • To enable CSRF protection, you need to include the request whenever you render a template that uses the {% csrf_token %} tag.

    At the moment, you are not doing this for your step view. The easiest way to do this is to use render instead of render_to_response.

    return render(request, 'bakot/step.html', context)

    It's not clear what make = csrf(request) is meant to do in your add_comment view, but I don't think it's required.