Newbie: how to debug POST server response 403?


Bob Aalsma

Jan 25, 2017, 9:39:59 AM
to Django REST framework
Hi,

I'm new to Django Rest Framework (and new to Javascript), not new to Python, not really new to Django.

I've created a Javascript that should send a POST request to localhost/Django Rest framework app.

I've copied the contents of the message from Javascript console.log into the Rest API html - OK
I've copied the message to a POST through http - OK:

HTTP/1.0 201 Created


BUT when I send the POST from the Javascript to the server, it says

"POST /texts/texts/ HTTP/1.1" 403 58


So I'd want to get a closer look at what happens with the incoming message and I'd normally put a "import ipdb; ipdb.set_trace()" at a convenient place.
And now I discover that I still don't understand enough of this framework to decide on "a convenient place"...
Please help.

Regards,
Bob


Jani Tiainen

Jan 25, 2017, 11:30:06 PM
to django-res...@googlegroups.com
Hi,

Have you checked from your browser debugging tools (network tab or similar) what's the body of the response? It should tell a more detailed reason for the error.

A convenient place would be the view's dispatch() method, where most of the magic happens, though usually it's enough to check the response body in the browser.

My educated guess is that you're missing CSRF token when doing POST.

--
You received this message because you are subscribed to the Google Groups "Django REST framework" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-rest-framework+unsub...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Jani Tiainen

- Well planned is half done, and a half done has been sufficient before...

Bob Aalsma

Jan 26, 2017, 1:47:15 AM
to Django REST framework
Hi Jani,

Thanks!

I've checked now (learning as well, thank you :)) and I see the response from the server but the body of the response says "failed to load response data".

I've tested what happens when this user is not logged in: same error. 
[I had taken 403 to mean that the user was authenticated but not permitted to perform the requested operation - not so!]
After logging in again I can see the csrf token as a cookie; the csrf token is included in the send but I'm not sure how to verify the correctness of that part.
Is there a way to see if this is the cause of the problem?
 
Bob

Jani Tiainen

Jan 26, 2017, 2:32:34 AM
to django-res...@googlegroups.com

Hi,

It is not enough that you send the token as a cookie; you need to send the cookie value as part of the POST request as well.

Django uses X-CSRFToken header in AJAX calls. You could use normal POST variable if you're using normal form encoded POST, but usually with DRF you send something like JSON where it's not possible to embed CSRF token.

See https://docs.djangoproject.com/en/1.10/ref/csrf/#ajax  for more information and example with jQuery.


-- 
Jani Tiainen

Bob Aalsma

Jan 26, 2017, 2:38:44 AM
to Django REST framework
Hi,

I'd already copied/applied both versions to my script and there is no difference between the versions
function getCookie(name) {
...
var csrftoken = getCookie('csrftoken');
and
var csrftoken = Cookies.get('csrftoken');

Bob Aalsma

Jan 26, 2017, 8:24:30 AM
to Django REST framework
I've "removed" permissions in settings.py:
REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.AllowAny',
    )
}
 
The next POST shows

The number of GET/POST parameters exceeded settings.DATA_UPLOAD_MAX_NUMBER_FIELDS.

[26/Jan/2017 14:21:57] "POST /texts/texts/ HTTP/1.1" 400 16803

Bob Aalsma

Jan 26, 2017, 11:11:11 AM
to Django REST framework
I then set settings.DATA_UPLOAD_MAX_NUMBER_FIELDS = None

and I think this means the CSRF is indeed not coming through, as a next POST gave:

ValueError: Cannot assign "<django.contrib.auth.models.AnonymousUser object at 0x108eb2208>": "Texts.owner" must be a "User" instance.

[26/Jan/2017 17:07:36] "POST /texts/texts/ HTTP/1.1" 500 17052

Bob Aalsma

Jan 27, 2017, 3:37:17 AM
to Django REST framework
And the Javascript console indeed says:
"csrftoken: null"

So not an issue for Django REST framework - sorry.
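
Added example, not part of any post in this thread and not Django's or DRF's own code: the X-CSRFToken approach described above for a JSON POST, with an explicit failure for the "csrftoken: null" case the thread ends on. The helper names readCookie and buildJsonPost and the sample payload are assumptions; the cookie name, header name and URL are the ones mentioned in the thread.

```javascript
// Read one cookie value from a "name=value; name2=value2" string.
// In a browser, pass document.cookie as cookieString.
function readCookie(cookieString, name) {
  for (const part of (cookieString || '').split(';')) {
    const trimmed = part.trim();
    const eq = trimmed.indexOf('=');
    if (eq === -1) continue;
    // Exact name match, so "xcsrftoken" is never mistaken for "csrftoken".
    if (trimmed.slice(0, eq) === name) {
      return decodeURIComponent(trimmed.slice(eq + 1));
    }
  }
  return null;
}

// Build fetch() options for a JSON POST that carries the CSRF token
// in the X-CSRFToken header as well as in the cookie.
function buildJsonPost(cookieString, payload) {
  const token = readCookie(cookieString, 'csrftoken');
  if (!token) {
    // This is the "csrftoken: null" situation: stop here with a clear
    // message instead of sending a request the server will reject.
    throw new Error('csrftoken cookie is not readable from this page');
  }
  return {
    method: 'POST',
    credentials: 'same-origin', // send the session and csrftoken cookies
    headers: {
      'Content-Type': 'application/json',
      'X-CSRFToken': token,
    },
    body: JSON.stringify(payload),
  };
}

// Browser usage (constructed payload, not executed here):
//   fetch('/texts/texts/', buildJsonPost(document.cookie, { text: 'hello' }))
//     .then(r => r.text().then(body => console.log(r.status, body)));
```

Logging the response status together with its body, as in the usage comment, shows the reason the server gives for a rejected request.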