I am trying to make a PUT request on my user model to edit username, bio, etc. using Django REST Framework with a React frontend.
When I make the PUT request at the URL via the Django REST client it works with no issues. From the frontend, when I am not logged into any Django user I can send the PUT request via axios with no issues.
Once I am logged into any Django user, even one with superuser permissions, I get a 403 Forbidden error on my PUT request.
Here is my views.py:
from rest_framework.generics import RetrieveUpdateDestroyAPIView
from rest_framework.permissions import AllowAny

# Assumed app-local imports; the question does not show where these live.
from .models import CustomUser
from .serializers import UserCreateUpdateSerializer


class RetrieveUpdateDestroyUser(RetrieveUpdateDestroyAPIView):
    serializer_class = UserCreateUpdateSerializer
    queryset = CustomUser.objects.all()
    lookup_field = 'id'
    # AllowAny skips the permission check, but SessionAuthentication still
    # enforces CSRF for requests that carry a logged-in session.
    permission_classes = (AllowAny,)

    def update(self, request, *args, **kwargs):
        """
        PUT (and PATCH, via partial_update) requests are handled by this method.
        """
        return super().update(request, *args, **kwargs)
In my frontend, this is how I make the PUT request (done with axios):
export class UserProxy extends BackendProxy {
  updateUser(updatedUser, userID) {
    let parameters = `user/${userID}`;
    return new Promise((resolve, reject) => {
      this.putRequest(updatedUser, parameters)
        .then(response => { resolve(response); })
        .catch(error => {
          console.log(error);
          reject(error);
        });
    });
  }
}
I'm just very confused as to why I don't get the 403 Forbidden when I am not logged into a Django user, but I do when I'm logged in. I am also using Python Social Auth for logins, if that matters.
Thanks!
One thing that can cause this is if you are using SessionAuthentication. Anonymous users get "authenticated" early in the auth process. Authenticated users go through an additional CSRF check. If that fails, an HTTP 403 is thrown.
In my case, I realized I should be using GET, and CSRF does not apply (https://www.django-rest-framework.org/topics/ajax-csrf-cors/#csrf-protection).
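For the case where the request really has to be a PUT, the CSRF check described above is satisfied by sending Django's token back with the request. The helper below is an added example, not code from either post or from the asker's BackendProxy class (which is not shown); it assumes Django's default cookie name csrftoken and header name X-CSRFToken, and the cookie string it runs on is constructed.

```javascript
// Added example: build an axios request config that carries Django's CSRF
// token, so SessionAuthentication's CSRF check passes for logged-in users.
// Assumes Django's defaults: cookie "csrftoken", header "X-CSRFToken".

// Read one cookie value from a document.cookie-style string.
function getCookie(name, cookieString) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) {
      return decodeURIComponent(rest.join('='));
    }
  }
  return null;
}

// Request config for a state-changing request (PUT/PATCH/POST/DELETE).
// withCredentials is only needed when the React app is served from a
// different origin than Django, so the session cookie travels with the call.
function csrfRequestConfig(cookieString, crossOrigin = false) {
  const token = getCookie('csrftoken', cookieString);
  const config = { headers: {} };
  if (token !== null) {
    config.headers['X-CSRFToken'] = token;
  }
  if (crossOrigin) {
    config.withCredentials = true;
  }
  return config;
}

// Constructed sample of what document.cookie looks like after a Django login
// on a page that also set the CSRF cookie.
const SAMPLE_COOKIE = 'sessionid=abc123; csrftoken=xyz789';

// Usage with axios in the browser (not executed here):
//   axios.put(`user/${userID}`, updatedUser, csrfRequestConfig(document.cookie));
```

The csrftoken cookie only exists once Django has served a view that used the CSRF token or one decorated with ensure_csrf_cookie, so a React app that never rendered a Django template should hit such a GET endpoint first.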