403 Forbidden messages when saving items in django-admin


Alban Hertroys

Oct 6, 2013, 6:48:10 AM
to django...@googlegroups.com
Howdy,

I run a Django website for some people that's hosted on a remote site. The issue I'm running into is that in the django admin section (the contrib module) my users get a 403 Forbidden message every time they save an item by pressing the "Save" submit-button:

Forbidden
You don't have permission to access /admin/Article/newsitem/10/ on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

The odd thing is that when I look at the list of items (in the above case news-items), the item that they attempted to save is there. Nothing about it seems to be missing, even uploaded images are where they're supposed to be.

This leads me to believe that it's actually a redirect that occurs after processing the POST request that is causing those 403 errors, but that would seem to be something internal to the admin contrib module?

Is this familiar to anyone or do you have any good suggestions of where to start digging?

The site is hosted remotely and I only have FTP access to it, so I can't verify a whole lot. If it's not something in my code or in the file structure, I'll have to pass the question on to the server admin who is not familiar with Django.
I'm fairly confident that the site is running Django 1.4.

Avraham Serour

Oct 6, 2013, 12:09:22 PM
to django...@googlegroups.com
You don't have permission
the error seems to be fairly descriptive.
you need to log in the django admin as superuser and grant permission to the users


--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To post to this group, send email to django...@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/a4b47ccc-f8e2-40a8-856c-ea7bfe7cfd99%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Alban Hertroys

Oct 6, 2013, 12:47:58 PM
to django...@googlegroups.com
On Sunday, October 6, 2013 6:09:22 PM UTC+2, אברהם סרור wrote:
> You don't have permission
> the error seems to be fairly descriptive.
> you need to log in the django admin as superuser and grant permission to the users

Are you sure? That doesn't seem to match my description of the problem.
What they try to save does get saved. It's only after saving the data that the 403 gets fired.

I'll see if I can get the server maintainer to look into that; I don't have a superuser account, so I can't verify what's happening there.

I think this problem started popping up after an upgrade of Django or after migration to a new server (the old one apparently got retired at some point). Frankly, it's difficult to determine when this started happening as the site owners are fairly lax about updating content - it's probably been half a year since they last attempted to edit anything...

Nick Apostolakis

Oct 6, 2013, 1:07:20 PM
to django...@googlegroups.com

Ask if Apache mod sec is installed on the server.
If it is, it can account for a lot of weirdness.


Daniel Roseman

Oct 6, 2013, 2:24:20 PM
to django...@googlegroups.com
Notice that this is the default Apache error message, not one for Django. That strongly suggests that people are being redirected away from your Django server to another, different one. Perhaps Django is running on a non-standard port, and after saving they are being redirected to the default port 80?
--
DR.
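
One way to apply the reasoning in the post above to a captured request trace, as an added example that is not part of the thread: it finds the hop that returned the 403, checks whether the body carries Apache's built-in wording (as quoted in the first post) rather than Django's, and notes whether the browser left the original host or port. The host `example.com`, the port 8080 and both sample traces are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Wording of Apache httpd's built-in 403 page, as quoted in the first post.
APACHE_403 = re.compile(r"You don't have permission to access \S+\s+on this server")
ERRORDOC_FAILED = "while trying to use an ErrorDocument"
# Text of Django's CSRF rejection page (django.views.csrf.csrf_failure).
DJANGO_CSRF = "CSRF verification failed"

def classify_403(body):
    """Guess which layer produced a 403 response body."""
    if APACHE_403.search(body):
        return "apache"
    if DJANGO_CSRF in body:
        return "django-csrf"
    return "unknown"

def origin(url):
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port or 80)  # plain-http traces assumed

def diagnose(hops):
    """hops: request/response pairs in order, e.g. copied from browser dev tools."""
    result = {"blocked": None, "source": None,
              "errordocument_failed": False, "left_origin": False}
    start = origin(hops[0]["url"])
    for hop in hops:
        if origin(hop["url"]) != start:
            result["left_origin"] = True
        if hop["status"] == 403:
            result["blocked"] = hop["method"] + " " + urlsplit(hop["url"]).path
            result["source"] = classify_403(hop["body"])
            result["errordocument_failed"] = ERRORDOC_FAILED in hop["body"]
            break
    return result

# Constructed sample traces (hypothetical host and port).
APACHE_BODY = ("<h1>Forbidden</h1><p>You don't have permission to access "
               "/admin/Article/newsitem/10/\non this server.</p><p>Additionally, a 403 "
               "Forbidden error was encountered while trying to use an ErrorDocument "
               "to handle the request.</p>")
SAME_HOST = [{"method": "POST", "url": "http://example.com/admin/Article/newsitem/10/",
              "status": 403, "body": APACHE_BODY}]
OTHER_PORT = [{"method": "POST", "url": "http://example.com/admin/Article/newsitem/10/",
               "status": 302, "body": ""},
              {"method": "GET", "url": "http://example.com:8080/admin/Article/newsitem/",
               "status": 403, "body": APACHE_BODY}]

if __name__ == "__main__":
    print(diagnose(SAME_HOST))
    print(diagnose(OTHER_PORT))
```

A result with `source` set to `apache` and `left_origin` false means the web server itself rejected a request on the same host, which points at server-side configuration rather than Django's permission system.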

Alban Hertroys

Oct 7, 2013, 5:10:53 AM
to django...@googlegroups.com
On Sunday, October 6, 2013 8:24:20 PM UTC+2, Daniel Roseman wrote:
> Notice that this is the default Apache error message, not one for Django. That strongly suggests that people are being redirected away from your Django server to another, different one. Perhaps Django is running on a non-standard port, and after saving they are being redirected to the default port 80?

Both the website and the admin interface run at standard port 80. I thought that perhaps the issue might be the other way around, that people are being redirected away from the standard port to a different one or to a different virtual host on the same server, but where would such a thing occur? Remember, this is only happening in the contrib admin module.

I've looked through my models.py, views.py and admin.py scripts (not sure where to look in this case), but I don't seem to explicitly redirect people anywhere. The only redirection taking place are some raise Http404 calls in my views.py, but those are on the normal website part of the code - I don't see how those would get called from the admin module.

I think that for this theory that only leaves the possibility that some other error is triggering an error page from Apache directly and that that error gets redirected to a location we don't have access to? I do have error pages for Http 404 and 500.

I tested one of those raise Http404 cases on the website (not the admin module), and I get a "normal" Django Http 404 message (the site is in DEBUG mode atm).
I've traced the request/response headers leading up to those 403 Forbidden errors, but nothing jumps out - everything seems to be going on inside of our domain.

Now I'm wondering: What would happen if Django did get upgraded from 1.1 to 1.2, 1.3 and finally 1.4, but the admin contrib module didn't get upgraded all the way to 1.4? Would it work at all? Could that explain these errors?

AFAIK, the site is being hosted on Debian Linux (I expect it's the latest stable version, whether they call that Lenny or Harry or Boogy I don't know). Are django and admin contrib packages "linked" in their repository, so that if the base package gets upgraded, so does the dependent package? (I'm not too familiar with Linux and their distros, more of a BSD man myself)

Thanks for the suggestions so far.