Re: 403 Forbidden nesting plugins

Re: 403 Forbidden nesting plugins Luke Crooks 9/19/12 10:59 PM

Are you using the development server, or nginx/apache?

On Sep 20, 2012 6:48 AM, "Matt Magin" <matt....@gmail.com> wrote:
Hey, I'm getting a 403 error when I attempt to add a plugin inside a Text plugin. I'm running Django 1.4.1 final and django-cms 2.3.2. I've been reading through the groups and it seems that lots of people have had this problem in the past but upgrades have fixed it for them. Unfortunately that doesn't seem to be helping me.

I've collected all the static content and my MEDIA_URL is set up properly, database is all up to date and as far as I can see everything else is functional.

Any ideas about where I can look?

Cheers,
Matt

--
You received this message because you are subscribed to the Google Groups "django-cms" group.
To view this discussion on the web visit https://groups.google.com/d/msg/django-cms/-/rIbY_so7FgkJ.
To post to this group, send email to djang...@googlegroups.com.
To unsubscribe from this group, send email to django-cms+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-cms?hl=en.
Re: 403 Forbidden nesting plugins Matt Magin 9/19/12 11:04 PM
Apache. 

I've been doing more debugging on my own and it seems it's a CSRF error. 

This is being returned:

<h1>Forbidden <span>(403)</span></h1>
<p>CSRF verification failed. Request aborted.</p>
Re: 403 Forbidden nesting plugins Luke Crooks 9/19/12 11:06 PM

Turn debug and template errors to true, then post the full traceback.

Re: 403 Forbidden nesting plugins Matt Magin 9/19/12 11:14 PM
Both are true, but it doesn't give me a traceback. This is the entire response: 

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<meta name="robots" content="NONE,NOARCHIVE">
<title>403 Forbidden</title>
<style type="text/css">
html * { padding:0; margin:0; }
body * { padding:10px 20px; }
body * * { padding:0; }
body { font:small sans-serif; background:#eee; }
body>div { border-bottom:1px solid #ddd; }
h1 { font-weight:normal; margin-bottom:.4em; }
h1 span { font-size:60%; color:#666; font-weight:normal; }
#info { background:#f6f6f6; }
#info ul { margin: 0.5em 4em; }
#info p, #summary p { padding-top:10px; }
#summary { background: #ffc; }
#explanation { background:#eee; border-bottom: 0px none; }
</style>
</head>
<body>
<div id="summary">
<h1>Forbidden <span>(403)</span></h1>
<p>CSRF verification failed. Request aborted.</p>

</div>

<div id="info">
<h2>Help</h2>
<p>Reason given for failure:</p>
<pre>
CSRF token missing or incorrect.
</pre>

<p>In general, this can occur when there is a genuine Cross Site Request Forgery, or when
<a
CSRF mechanism</a> has not been used correctly. For POST forms, you need to
ensure:</p>

<ul>
<li>Your browser is accepting cookies.</li>

<li>The view function uses <a
for the template, instead of <code>Context</code>.</li>
<li>In the template, there is a <code>{% csrf_token %}</code> template tag inside each POST form that targets an internal URL.</li>

<li>If you are not using <code>CsrfViewMiddleware</code>, then you must use <code>csrf_protect</code> on any views that use the <code>csrf_token</code> template tag, as well as those that accept the POST data.</li>

</ul>

<p>You're seeing the help section of this page because you have <code>DEBUG = True</code> in your Django settings file. Change that to <code>False</code>, and only the initial error message will be displayed. </p>

<p>You can customize this page using the CSRF_FAILURE_VIEW setting.</p>
</div>

</body>
</html>
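
Added example, not part of the original thread and not Django's or django-cms's own code: a simplified Python model of the cookie-versus-submitted-token comparison behind the "CSRF token missing or incorrect" reason in Django 1.4, for working out which part of a captured POST is missing. The helper name, sample requests and token values are constructed, and the HTTPS Referer check is left out.

```python
import hmac

# Reason strings shown on Django 1.4's CSRF 403 page.
REASON_NO_COOKIE = "CSRF cookie not set."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def csrf_failure_reason(method, cookies, post, headers):
    """Hypothetical helper: None if the request passes, else the 403 reason."""
    if method.upper() in SAFE_METHODS:
        return None  # safe methods are not checked
    cookie_token = cookies.get("csrftoken", "")
    if not cookie_token:
        return REASON_NO_COOKIE
    # Form field first; AJAX callers send the token in X-CSRFToken instead.
    lowered = {k.lower(): v for k, v in headers.items()}
    submitted = post.get("csrfmiddlewaretoken") or lowered.get("x-csrftoken", "")
    # Constant-time comparison of the submitted token and the cookie value.
    if not hmac.compare_digest(submitted.encode(), cookie_token.encode()):
        return REASON_BAD_TOKEN
    return None


# Constructed sample requests; the token values are made up.
TOKEN = "constructed-token-0123456789abcdef"
SAMPLES = [
    ("form POST with hidden field", "POST", {"csrftoken": TOKEN},
     {"csrfmiddlewaretoken": TOKEN}, {}),
    ("AJAX POST with header", "POST", {"csrftoken": TOKEN},
     {}, {"X-CSRFToken": TOKEN}),
    ("AJAX POST, cookie sent but no token", "POST", {"csrftoken": TOKEN},
     {"field": "value"}, {"X-Requested-With": "XMLHttpRequest"}),
    ("POST with stale token", "POST", {"csrftoken": TOKEN},
     {"csrfmiddlewaretoken": "stale-token"}, {}),
    ("POST without cookie", "POST", {}, {"csrfmiddlewaretoken": TOKEN}, {}),
]


def triage(samples=SAMPLES):
    """Map each sample's label to None (passes) or the 403 reason."""
    return {label: csrf_failure_reason(m, c, p, h) for label, m, c, p, h in samples}


if __name__ == "__main__":
    for label, reason in triage().items():
        print("%-38s %s" % (label, reason or "passes"))
```

Comparing a failing request captured in the browser's network panel against these cases shows whether the cookie, the form field or the header is the part that is absent.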
Re: 403 Forbidden nesting plugins Luke Crooks 9/19/12 11:18 PM

Can you also attach your settings.py?

Has this just happened when you moved to apache? Or was the same thing happening with runserver?

Re: 403 Forbidden nesting plugins Matt Magin 9/19/12 11:38 PM
I'm running a number of different sites on the single django-cms instance (they share a lot of data), so I've been developing on apache from the very beginning. I'm not sure that I ever actually attempted to nest a plugin like this during development though. 

I've just checked one of the other sites and it works fine. The apache configs and wsgi programs are identical, except with different paths.

Here's the settings.py:
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
# Django settings for Southside Suzuki website.
import os
from os.path import dirname
gettext = lambda s: s
PROJECT_PATH = os.path.abspath(dirname(dirname(__file__)))

DEBUG = True
TEMPLATE_DEBUG = DEBUG

ADMINS = (
    ('Matt Magin', 'xxxx@xxxx'),
)

MANAGERS = ADMINS

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql', # Add 'postgresql_psycopg2', 'postgresql', 'mysql', 'sqlite3' or 'oracle'.
        'NAME': 'xxx',                      # Or path to database file if using sqlite3.
        'USER': 'xxx',                      # Not used with sqlite3.
        'PASSWORD': 'xxx',                  # Not used with sqlite3.
        'HOST': '',                      # Set to empty string for localhost. Not used with sqlite3.
        'PORT': '',                      # Set to empty string for default. Not used with sqlite3.
        'OPTIONS': {
           'init_command': 'SET storage_engine=INNODB',
        }
    }
}

# Local time zone for this installation. Choices can be found here:
# although not all choices may be available on all operating systems.
# On Unix systems, a value of None will cause Django to use the same
# timezone as the operating system.
# If running in a Windows environment this must be set to the same as your
# system time zone.
TIME_ZONE = 'Australia/Adelaide'

# Language code for this installation. All choices can be found here:
LANGUAGE_CODE = 'en-AU'

SITE_ID = 3

# If you set this to False, Django will make some optimizations so as not
# to load the internationalization machinery.
USE_I18N = True

# If you set this to False, Django will not format dates, numbers and
# calendars according to the current locale
USE_L10N = True

# Absolute filesystem path to the directory that will hold user-uploaded files.
# Example: "/home/media/media.lawrence.com/media/"
MEDIA_ROOT = os.path.join(PROJECT_PATH, "media", "southsidesuzuki.com.au")

# URL that handles the media served from MEDIA_ROOT. Make sure to use a
# trailing slash if there is a path component (optional in other cases).
MEDIA_URL = '/media/'

# Absolute path to the directory that holds static files.
# Example: "/home/media/media.lawrence.com/static/"
STATIC_ROOT = os.path.join(PROJECT_PATH, "public-static", "southsidesuzuki.com.au")

# URL that handles the static files served from STATIC_ROOT.
STATIC_URL = '/static/'

# URL prefix for admin media -- CSS, JavaScript and images.
# Make sure to use a trailing slash.
# Examples: "http://foo.com/static/admin/", "/static/admin/".
ADMIN_MEDIA_PREFIX = '/static/admin/'

# A list of locations of additional static files
STATICFILES_DIRS = (
    os.path.join(PROJECT_PATH, "global-static", "southsidesuzuki.com.au"),
)

# List of finder classes that know how to find static files in
# various locations.
STATICFILES_FINDERS = (
    'django.contrib.staticfiles.finders.FileSystemFinder',
    'django.contrib.staticfiles.finders.AppDirectoriesFinder',
#    'django.contrib.staticfiles.finders.DefaultStorageFinder',
)

# Make this unique, and don't share it with anybody.
SECRET_KEY = 'g8v596#isox0gm(0=_fz@8(*hygm_*86@q9@s77h#o+symb75*'

# List of callables that know how to import templates from various sources.
TEMPLATE_LOADERS = (
    'django.template.loaders.filesystem.Loader',
    'django.template.loaders.app_directories.Loader',
#     'django.template.loaders.eggs.Loader',
)

MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'cms.middleware.page.CurrentPageMiddleware',
    'cms.middleware.user.CurrentUserMiddleware',
    'cms.middleware.toolbar.ToolbarMiddleware',
    #'debug_toolbar.middleware.DebugToolbarMiddleware',
)

TEMPLATE_CONTEXT_PROCESSORS = (
  "django.contrib.auth.context_processors.auth",
  "django.core.context_processors.debug",
  "django.core.context_processors.i18n",
  "django.core.context_processors.media",
  "django.core.context_processors.request",
  "django.core.context_processors.static",
  "sekizai.context_processors.sekizai",
)

ROOT_URLCONF = 'cmvwebsites.urls'

TEMPLATE_DIRS = (
    # Put strings here, like "/home/html/django_templates" or "C:/www/django/templates".
    # Always use forward slashes, even on Windows.
    # Don't forget to use absolute paths, not relative paths.
    os.path.join(PROJECT_PATH, "templates"),
    os.path.join(PROJECT_PATH, "templates", "southsidesuzuki.com.au")
)

INSTALLED_APPS = (
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.sites',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    # Uncomment the next line to enable the admin:
    'django.contrib.admin',
    # Uncomment the next line to enable admin documentation:
    # 'django.contrib.admindocs',
    'cms',
    'mptt',
    'menus',
    'south',
    'appmedia',
    'sekizai',
    'easy_thumbnails',
    #'debug_toolbar',
    'cms.plugins.text',
    'cms.plugins.picture',
    'cms.plugins.link',
    'cms.plugins.file',
    'cms.plugins.snippet',
    'cms.plugins.googlemap',
    'cms.plugins.video',
    'cmvwebsites.contact',
    'cmvwebsites.service_bookings',
    'cmvwebsites.vehicle_information',
    'cmvwebsites.plugins.alert',
    'cmvwebsites.plugins.gallery',
    'cmvwebsites.plugins.flash',
    'cmvwebsites.plugins.facebook',
    'cmvwebsites.plugins.widgets',
)

# A sample logging configuration. The only tangible logging
# performed by this configuration is to send an email to
# the site admins on every HTTP 500 error.
# more details on how to customize your logging configuration.
LOGGING = {
    'version': 1,
    'disable_existing_loggers': False,
    'handlers': {
        'mail_admins': {
            'level': 'ERROR',
            'class': 'django.utils.log.AdminEmailHandler'
        }
    },
    'loggers': {
        'django.request':{
            'handlers': ['mail_admins'],
            'level': 'ERROR',
            'propagate': True,
        },
    }
}

# Following are the requirements for django-cms
CMS_TEMPLATES = (
    ('homepage.html', 'Homepage'),
    ('basic.html', 'Basic'),
    ('new-vehicle.html', 'New Vehicle Page'),
)

LANGUAGES = [
  ('en', 'English'),
]

CMS_MODERATOR = False
CMS_PERMISSION = False
CMS_REDIRECTS = True

CONTACT_FROM_ADDRESS = 'xxx@xxxx'
CONTACT_TO_ADDRESSES = ['xxx@xxx']

DEALER_SOLUTIONS_CLIENTS = [1185, 1186, 2210, 2211, 7740]

USED_IMAGES_DIR = "vehicle_stock_images"
THUMBNAIL_DEBUG = True

DATE_INPUT_FORMATS = ('%d-%m-%Y', '%d-%m-%y', '%d/%m/%Y', '%d/%m/%y', '%Y-%m-%d')
TIME_INPUT_FORMATS = ('%H:%M', '%I:%M', '%I:%M%p', '%I:%M %p', '%I%p', '%I %p', '%H%M', '%I%M%p', '%I%M %p', '%H.%M', '%I.%M%p', '%I.%M %p')

INTERNAL_IPS = ('127.0.0.1', '192.168.159.1')

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
...
Re: 403 Forbidden nesting plugins Luke Crooks 9/20/12 12:01 AM
Well if it works on your other sites inside the same instance of the
cms, it could be either:

Path incorrect for this site instance

Or this site could be using old js (or this could happen by the wrong
path being set)