Can't get rid of "CSRF verification failed. Request aborted.: when submit form with nothing selected


Christian Seberino

Jul 29, 2020, 4:55:33 PM
to Django users
I have a Django app with multiple forms on various pages.  They all work except for one with just an optional checkbox.......

I checked and they all have templates with {% csrf_token %}.

The only thing special about the problematic form is that I have a checkbox input that is optional.

That means I'm pressing the submit button when NOTHING has been selected.

Can that cause this CSRF error?

Thanks!

Chris

Christian Seberino

Jul 29, 2020, 5:06:47 PM
to Django users
Here is the problematic url...
 

Just press submit button w/o doing anything else and you'll see 

Taofeek Jimoh Iyanda

Jul 29, 2020, 6:22:47 PM
to Django users
Check this website, it may be helpful https://www.techiediaries.com/django-react-forms-csrf-axios/ 

coolguy

Jul 29, 2020, 6:29:53 PM
to Django users
Tried your link for the form. If this is the form you are concerned about then the message that pops up is for validation i.e. form.is_valid().

Christian Seberino

Jul 29, 2020, 6:53:29 PM
to Django users


On Wednesday, July 29, 2020 at 5:29:53 PM UTC-5, coolguy wrote:
Tried your link for the form. If this is the form you are concerned about then the message that pops up is for validation i.e. form.is_valid().

Did you see the CSRF error I got? Here is a pic https://imgur.com/a/LIRBadQ

Are you saying that CSRF message is due to my view code and how I validate the form?

cs 

coolguy

Jul 29, 2020, 7:07:31 PM
to Django users
No. What I said is that the link you sent gives the validation error since the fields are blank. It's not working the same way as for you. Can you send the code for your HTML template?

Christian Seberino

Jul 29, 2020, 9:57:41 PM
to django...@googlegroups.com
Here is my template...

{% extends "html_base" %}
{% block body_elements %}

<div id = "admin_status">
        <form action = "." method = "post">
                <p>UPDATE STATUSES</p>
                <table>
                        {% for e in both %}
                                <tr>
                                        <td>
                                                {{e.0.customer.first}}
                                                {{e.0.customer.last}}
                                        </td>
                                        <td>
                                                {{e.0.date|date:"Y-m-d"}}
                                                &nbsp;
                                                &nbsp;
                                                &nbsp;
                                                {{e.0.time|time:"h:i A"}}
                                        </td>
                                        <td>{{e.1}} Completed</td>
                                </tr>
                        {% endfor %}
                </table>
                <p><input type = "submit" value = "UPDATE STATUSES"/></p>
        </form>

        <p><a href = "/admin">Go Back To Admin Page</a></p>

        {% csrf_token %}
</div>

{% endblock %}


Here is the view....

import django.shortcuts
import grandmas4hire.forms

def admin_status(request):
        # APPT is not defined in the post; presumably an alias for the Appointment model.
        # Appointments not yet completed, sorted by customer name, then date and time.
        appts = [e for e in APPT.objects.all() if e.status != "Completed"]
        appts = sorted(appts,
                       key = lambda a : a.customer.last + a.customer.first +   \
                                                    str(a.date) + str(a.time))
        if request.method == "POST":
                form = grandmas4hire.forms.StatusForm(request.POST)

                if form.is_valid():
                        # Need to enter more code here when this page works...
                        reply = django.shortcuts.redirect("/admin_status")
                else:
                        # Pair each appointment with its bound field (form[...], not
                        # form.fields[...]) so the template renders a checkbox.
                        both  = [(e, form[str(e.id)]) for e in appts]
                        reply = django.shortcuts.render(request,
                                                        "admin_status.html",
                                                        {"both" : both})
        else:
                form  = grandmas4hire.forms.StatusForm()
                both  = [(e, form[str(e.id)]) for e in appts]
                reply = django.shortcuts.render(request,
                                                "admin_status.html",
                                                {"both" : both})

        return reply


Here is the dynamic form StatusForm....

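import django.forms
import grandmas4hire.models

class StatusForm(django.forms.Form):
        def __init__(self, *args, **kwargs):
                super().__init__(*args, **kwargs)
                # One optional checkbox per appointment, keyed by the appointment id.
                for e in grandmas4hire.models.Appointment.objects.all():
                        self.fields[str(e.id)] =                               \
                                   django.forms.BooleanField(required = False)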


(I need to make a dynamic form because I needed 1 field for each Appointment object.)

Chris

Amitesh Sahay

Jul 29, 2020, 9:59:52 PM
to django...@googlegroups.com
Generally, {% csrf_token %} is written just below the opening <form> tag. I mean, not sure if this has anything to do with your issue. Others may confirm as well

Regards,
Amitesh



coolguy

Jul 29, 2020, 10:09:21 PM
to Django users
By default, Django checks for the CSRF token in all POST requests. Remember to include the csrf_token tag in all forms that are submitted via POST.

Place csrf_token within the form tag, e.g.
<form>
   {% csrf_token %}
</form>

Christian Seberino

Jul 29, 2020, 10:35:10 PM
to django...@googlegroups.com
Amitesh

Oh my thank you so much. I actually did move the csrf token outside the form element. That may be it. I will check that soon.


Christian Seberino

Jul 30, 2020, 11:53:36 AM
to Django users
Amitesh

Indeed your suggestion below fixed everything.  I can't thank you enough!

cs

Christian Seberino

Jul 30, 2020, 11:54:41 AM
to Django users
coolguy


 Remember to include the csrf_token tag in all forms that are submitted via POST.

Yes!  It must be INSIDE the form element *not* outside!  I'm so grateful for your help.

All the Best,

Chris 
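
The fix confirmed above can be checked mechanically: a browser submits only the inputs nested inside the form element, so a token rendered after the closing form tag never reaches Django's CSRF check. The following is an added example, not code from the thread; `PostFormAudit` and `unprotected_post_forms` are hypothetical names, and `BROKEN` and `FIXED` are constructed stand-ins for the rendered output of admin_status.html before and after the fix.

```python
from html.parser import HTMLParser

TOKEN_FIELD = "csrfmiddlewaretoken"  # name of the hidden input {% csrf_token %} renders


class PostFormAudit(HTMLParser):
    """Record each POST form and whether a CSRF token input is nested inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per closed POST form, in document order
        self.stray_tokens = 0  # token inputs that sit outside every form
        self._open = None      # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            method = (a.get("method") or "get").lower()
            self._open = {"action": a.get("action"), "method": method,
                          "has_token": False}
        elif tag == "input" and a.get("name") == TOKEN_FIELD:
            if self._open is not None:
                self._open["has_token"] = True
            else:
                self.stray_tokens += 1  # rendered, but never submitted with a form

    def handle_endtag(self, tag):
        if tag == "form" and self._open is not None:
            if self._open["method"] == "post":
                self.forms.append(self._open)
            self._open = None


def unprotected_post_forms(html):
    """Return (actions of POST forms lacking a token, count of tokens outside forms)."""
    audit = PostFormAudit()
    audit.feed(html)
    audit.close()
    return [f["action"] for f in audit.forms if not f["has_token"]], audit.stray_tokens


# Constructed samples; the token value is a placeholder, not a real token.
HIDDEN = '<input type="hidden" name="csrfmiddlewaretoken" value="CONSTRUCTED-TOKEN">'
BODY = '<input type="checkbox" name="1"><input type="submit" value="UPDATE STATUSES"/>'
BROKEN = '<div><form action="." method="post">' + BODY + '</form>' + HIDDEN + '</div>'
FIXED = '<div><form action="." method="post">' + HIDDEN + BODY + '</form></div>'

if __name__ == "__main__":
    print("broken:", unprotected_post_forms(BROKEN))
    print("fixed: ", unprotected_post_forms(FIXED))
```

A non-empty first element means a POST form will be rejected with "CSRF verification failed"; a non-zero second element points at the misplaced tag.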

Isha Thakur

Jul 30, 2020, 3:46:58 PM
to Django users
Hi, 

I think, it can help you.

You should never compare the complete HTML content. Just check the functionalities. In case you need disabling the csrf at any cost, following logic should help I guess.

In your views.py file, add the following package

from django.views.decorators.csrf import csrf_exempt

Then just before the function definition, in which you are performing your checks, add this snippet:

@csrf_exempt

This will disable the default verification of csrf. Even if your incoming request has a hidden csrf token, your server function will completely ignore it. This should do the trick of disabling the csrf.



Regards



From: django...@googlegroups.com <django...@googlegroups.com> on behalf of coolguy <cooldjango...@gmail.com>
Sent: July 29, 2020 10:05 PM
To: Django users <django...@googlegroups.com>
Subject: Re: Can't get rid of "CSRF verification failed. Request aborted.: when submit form with nothing selected
 
By default, Django checks for the CSRF token in all POST requests. Remember to include the csrf_token tag in all forms that are submitted via POST.

Please place csrf_token in <form> tag. You have placed it outside of form tag.


Amitesh Sahay

Jul 30, 2020, 9:34:21 PM
to Django users
Hi, 

I am glad that I could help you. Cheerz

Regards,
Amitesh

