'CSRF verification failed." from django.contrib.comments. can you help solve it? django 1.3


brycenesbitt
Jun 28, 2012, 12:14:36 PM
to django...@googlegroups.com
I'm using django.contrib.comments and get 'CSRF token missing or incorrect.' when previewing or submitting a comment.  I have:

# settings.py
MIDDLEWARE_CLASSES = (
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
)

# urls.py
from django.conf.urls.defaults import include, patterns, url

urlpatterns = patterns('',
    url(r'^comments/',              include('django.contrib.comments.urls')),
    url(r'^entry/(?P<pk>\d+)/comment',      'rp2.views.entry_comment_add'),
)

# views.py (in the rp2 app)
from django.shortcuts import render
from django.views.decorators.csrf import csrf_protect
from rp2 import models

@csrf_protect  #does not matter if this is here or not
def entry_comment_add(request, pk):
    entry = models.Entry.objects.get(pk=pk)
    assert isinstance(entry, models.Entry)
    return render(request, 'entry_comment_popup.html', {'entry':entry})

{% extends 'head-plain.html' %}
<!-- entry_comment_popup.html -->
{% load comments %}
{% block content %}
{% render_comment_form for entry %}
{% endblock %}

The HTML looks like it has the csrf security_hash in the proper place:

<form action="/comments/post/" method="post">
      <div><input type="hidden" name="object_pk" value="28" id="id_object_pk" /></div>
      <div><input type="hidden" name="timestamp" value="1340899354" id="id_timestamp" /></div>
      <div><input type="hidden" name="security_hash" value="6e85e1c846861c80575ce435b21a855706725b00" id="id_security_hash" /></div>
...

Jonas Geiregat
Jun 28, 2012, 1:43:58 PM
to django...@googlegroups.com
On do, jun 28, 2012 at 09:14:36 -0700, brycenesbitt wrote:
> <form action="/comments/post/" method="post">
> <div><input type="hidden" name="object_pk" value="28" id="id_object_pk" /></div>
> <div><input type="hidden" name="timestamp" value="1340899354" id="id_timestamp" /></div>
> <div><input type="hidden" name="security_hash" value="6e85e1c846861c80575ce435b21a855706725b00" id="id_security_hash" /></div>

After the starting form tag add {% csrf_token %}

More information about it: https://docs.djangoproject.com/en/dev/ref/contrib/csrf/

Ian Clelland
Jun 28, 2012, 2:08:44 PM
to django...@googlegroups.com
On Thu, Jun 28, 2012 at 9:14 AM, brycenesbitt <digitalb...@gmail.com> wrote:
> I'm using django.contrib.comments and get 'CSRF token missing or incorrect.' when previewing or submitting a comment.  I have:
> ...
>
> The HTML looks like it has the csrf security_hash in the proper place:
> <form action="/comments/post/" method="post">
> <div><input type="hidden" name="object_pk" value="28" id="id_object_pk" /></div>
> <div><input type="hidden" name="timestamp" value="1340899354" id="id_timestamp" /></div>
> <div><input type="hidden" name="security_hash" value="6e85e1c846861c80575ce435b21a855706725b00" id="id_security_hash" /></div>
> ...

The "security_hash" field that you see is part of the comments app, and is not the CSRF token. That needs to be output by a {% csrf_token %} tag (or its equivalent). If it's working, you should see another hidden input field, which looks like this:

<div style="display:none">
    <input type="hidden" name="csrfmiddlewaretoken" value="36d43c1652d5676d6d411950e077eeaa1cc1f799"/>
</div>

The comments app normally does that automatically -- it's part of django/contrib/comments/templates/form.html -- Are you overriding the comment form in your own app? If so, you need to include the call to {% csrf_token %} yourself.

> @csrf_protect  #does not matter if this is here or not

No, if you have the CSRFViewMiddleware installed, then you don't need this line at all.

--
Regards,
Ian Clelland
<clel...@gmail.com>
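To make Ian's distinction concrete, here is an added Python sketch (not Django's code and not from the thread) that models the two checks side by side: the comments app's `security_hash`, an HMAC that binds the form to one object and one timestamp, and the middleware's comparison of the hidden `csrfmiddlewaretoken` field against the `csrftoken` cookie. The HMAC construction is modelled on Django's `salted_hmac` and the comment form's key salt; the secret key, the `rp2.entry` content type and the `sample_post()` form data are constructed for the example, reusing the object_pk and timestamp from the thread.

```python
import hashlib
import hmac

# Constructed secret for the example only; Django reads settings.SECRET_KEY.
SECRET_KEY = "example-secret-key-not-for-real-use"

def salted_hmac(key_salt, value, secret=SECRET_KEY):
    """Keyed SHA-1 HMAC with a per-purpose salt (modelled on Django's salted_hmac)."""
    key = hashlib.sha1((key_salt + secret).encode()).digest()
    return hmac.new(key, value.encode(), hashlib.sha1).hexdigest()

def comment_security_hash(content_type, object_pk, timestamp):
    """The comments app's hidden 'security_hash': an HMAC binding the form to
    one target object and one timestamp. It proves nothing about which
    browser submitted the form, so it is not a CSRF defence."""
    return salted_hmac("django.contrib.forms.CommentSecurityForm",
                       "-".join([content_type, object_pk, timestamp]))

def check_comment_form(post, now, max_age=2 * 60 * 60):
    """What the comment form validates: integrity of the target and freshness."""
    expected = comment_security_hash(post["content_type"], post["object_pk"], post["timestamp"])
    if not hmac.compare_digest(expected, post.get("security_hash", "")):
        return "Security hash check failed."
    if now - int(post["timestamp"]) > max_age:
        return "Timestamp check failed."
    return None

def check_csrf(cookies, post):
    """What CsrfViewMiddleware validates: the hidden csrfmiddlewaretoken field
    must match the csrftoken cookie held by the same browser. The reason
    strings mirror the middleware's rejection messages."""
    cookie = cookies.get("csrftoken", "")
    if not cookie:
        return "CSRF cookie not set."
    if not hmac.compare_digest(cookie, post.get("csrfmiddlewaretoken", "")):
        return "CSRF token missing or incorrect."
    return None

def post_comment(cookies, post, now):
    """Middleware runs before the view, so a CSRF failure is reported first."""
    return check_csrf(cookies, post) or check_comment_form(post, now) or "OK"

def sample_post(ts="1340899354"):
    """Constructed form data using the object_pk/timestamp from the thread."""
    return {"content_type": "rp2.entry", "object_pk": "28", "timestamp": ts,
            "security_hash": comment_security_hash("rp2.entry", "28", ts)}
```

A form carrying only `security_hash` is exactly the case in the thread: the comment form would accept it, but the middleware rejects it first.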

brycenesbitt
Jun 30, 2012, 2:39:33 AM
to django...@googlegroups.com
On Thu, Jun 28, 2012, Ian Clelland wrote:
> The "security_hash" field that you see is part of the comments app, and is not the CSRF token. That needs to be output by a {% csrf_token %} tag (or its equivalent). If it's working, you should see another hidden input field, which looks like this:
>
> <div style="display:none">
>     <input type="hidden" name="csrfmiddlewaretoken" value="36d43c1652d5676d6d411950e077eeaa1cc1f799"/>
> </div>
>
> The comments app normally does that automatically -- it's part of django/contrib/comments/templates/form.html -- Are you overriding the comment form in your own app? If so, you need to include the call to {% csrf_token %} yourself.

I am not overriding, at least not deliberately.

django/contrib/comments/templates/form.html has:
{% load comments i18n %}
<form action="{% comment_form_target %}" method="post">{% csrf_token %}

I render my form with:
{% render_comment_form for entry %}

---------------
I should note it did work when I first added it to the application.  It broke after I added pybbm.  I've since removed pybbm (it is maintained and broken), but comments started getting csrf errors.

brycenesbitt
Jun 30, 2012, 2:40:38 AM
to django...@googlegroups.com
On Thursday, June 28, 2012 10:43:58 AM UTC-7, jonas wrote:
> After the starting form tag add {% csrf_token %}

I can't.
It is rendered for me by {% render_comment_form for entry %}

Melvyn Sopacua
Jul 3, 2012, 9:07:51 AM
to django...@googlegroups.com
On 30-6-2012 8:39, brycenesbitt wrote:

> <form action="{% comment_form_target %}" method="post">{% csrf_token %}
>
> I render my form with:
> {% render_comment_form for entry %}

You should verify if the generated html looks sane. If you need help
with that, put it up on dpaste.

> ---------------
> I should note it did work when I first added it to the application. It
> broke after I added pybbm. I've since removed pybbm (it is maintained and
> broken), but comments
> started getting csrf errors.

Any chance pybbm started messing with the session storage backend and
you haven't set it back correctly? Do any sessions work at all?

--
Melvyn Sopacua


brycenesbitt
Jul 16, 2012, 3:01:04 AM
to Django users
It works now that I have fully uninstalled pybbm.
Pybbm was incompatible with my app because it also extended the User
object (something apparently you can only do once?)