
'CSRF verification failed.' from django.contrib.comments. Can you help solve it? Django 1.3


brycenesbitt
Jun 28, 2012, 12:14:36 PM
to django...@googlegroups.com
I'm using django.contrib.comments and get 'CSRF token missing or incorrect.' when previewing or submitting a comment.  I have:

MIDDLEWARE_CLASSES = (
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
)

# urls.py (Django 1.3 style; the patterns() wrapper and import are added here so the fragment is complete)
from django.conf.urls.defaults import patterns, include, url

urlpatterns = patterns('',
    url(r'^comments/',              include('django.contrib.comments.urls')),
    url(r'^entry/(?P<pk>\d+)/comment',      'rp2.views.entry_comment_add'),
)

# views.py (imports added; "rp2.models" is assumed from the 'rp2.views' path above)
from django.shortcuts import render
from django.views.decorators.csrf import csrf_protect
from rp2 import models

@csrf_protect  #does not matter if this is here or not
def entry_comment_add(request, pk):
    entry = models.Entry.objects.get(pk=pk)
    assert isinstance(entry, models.Entry)
    return render(request, 'entry_comment_popup.html', {'entry':entry})

{% extends 'head-plain.html' %}
<!-- entry_comment_popup.html -->
{% load comments %}
{% block content %}
{% render_comment_form for entry %}
{% endblock %}

The HTML looks like it has the csrf security_hash in the proper place:

<form action="/comments/post/" method="post">
      <div><input type="hidden" name="object_pk" value="28" id="id_object_pk" /></div>
      <div><input type="hidden" name="timestamp" value="1340899354" id="id_timestamp" /></div>
      <div><input type="hidden" name="security_hash" value="6e85e1c846861c80575ce435b21a855706725b00" id="id_security_hash" /></div>
...
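A quick way to check what the rendered markup actually contains, as an added example that is not part of the original post: parse the hidden inputs of every POST form and report any form that has no csrfmiddlewaretoken field. The two HTML samples are constructed from the form shown above (the second one adds the hidden token div that the stock comments template emits; its token value is made up).

```python
"""Check whether a rendered Django comment form carries a CSRF token.

Added example, not code from the original post. Standard library only.
"""
from html.parser import HTMLParser

# Constructed sample: the form as pasted in the post (security_hash present, no CSRF token).
FORM_WITHOUT_CSRF = """
<form action="/comments/post/" method="post">
      <div><input type="hidden" name="object_pk" value="28" id="id_object_pk" /></div>
      <div><input type="hidden" name="timestamp" value="1340899354" id="id_timestamp" /></div>
      <div><input type="hidden" name="security_hash" value="6e85e1c846861c80575ce435b21a855706725b00" id="id_security_hash" /></div>
</form>
"""

# Constructed sample of the same form when {% csrf_token %} is rendered (token value is made up).
FORM_WITH_CSRF = """
<form action="/comments/post/" method="post"><div style="display:none">
    <input type="hidden" name="csrfmiddlewaretoken" value="36d43c1652d5676d6d411950e077eeaa1cc1f799"/>
</div>
      <div><input type="hidden" name="object_pk" value="28" id="id_object_pk" /></div>
      <div><input type="hidden" name="timestamp" value="1340899354" id="id_timestamp" /></div>
      <div><input type="hidden" name="security_hash" value="6e85e1c846861c80575ce435b21a855706725b00" id="id_security_hash" /></div>
</form>
"""


class HiddenInputCollector(HTMLParser):
    """Collects, per <form>, its action, method and all hidden <input> name/value pairs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action"),
                "method": (a.get("method") or "get").lower(),
                "hidden": {},
            }
            self.forms.append(self._current)
        elif tag == "input" and a.get("type") == "hidden" and self._current is not None:
            # <input ... /> is delivered here too: HTMLParser routes self-closing tags
            # through handle_starttag by default.
            self._current["hidden"][a.get("name")] = a.get("value")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def hidden_fields(html):
    """Return a list of {'action', 'method', 'hidden': {name: value}} dicts, one per form."""
    parser = HiddenInputCollector()
    parser.feed(html)
    parser.close()
    return parser.forms


def csrf_problems(html):
    """Return (action, message) for each POST form that lacks a csrfmiddlewaretoken input.

    Only POST forms matter: CsrfViewMiddleware does not check GET requests.
    """
    problems = []
    for form in hidden_fields(html):
        if form["method"] != "post":
            continue
        if "csrfmiddlewaretoken" not in form["hidden"]:
            problems.append((form["action"],
                             "no csrfmiddlewaretoken hidden input; CsrfViewMiddleware will reject this POST"))
    return problems


if __name__ == "__main__":
    for label, html in (("as posted", FORM_WITHOUT_CSRF), ("with csrf_token", FORM_WITH_CSRF)):
        print(label, "->", csrf_problems(html) or "ok")
```

Run it against a saved copy of the popup's page source (view-source of the rendered page, not the template): if the only hidden fields are object_pk, timestamp and security_hash, the token is genuinely absent from the page rather than being mislabelled.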

Jonas Geiregat
Jun 28, 2012, 1:43:58 PM
to django...@googlegroups.com
On do, jun 28, 2012 at 09:14:36 -0700, brycenesbitt wrote:
> <form action="/comments/post/" method="post">
> <div><input type="hidden" name="object_pk" value="28" id="id_object_pk" /></div>
> <div><input type="hidden" name="timestamp" value="1340899354" id="id_timestamp" /></div>
> <div><input type="hidden" name="security_hash" value="6e85e1c846861c80575ce435b21a855706725b00" id="id_security_hash" /></div>

After the starting form tag add {% csrf_token %}

More information about it: https://docs.djangoproject.com/en/dev/ref/contrib/csrf/

Ian Clelland
Jun 28, 2012, 2:08:44 PM
to django...@googlegroups.com
On Thu, Jun 28, 2012 at 9:14 AM, brycenesbitt <digitalb...@gmail.com> wrote:
I'm using django.contrib.comments and get 'CSRF token missing or incorrect.' when previewing or submitting a comment.  I have:
... 


The HTML looks like it has the csrf security_hash in the proper place:
<form action="/comments/post/" method="post">
<div><input type="hidden" name="object_pk" value="28" id="id_object_pk" /></div>
<div><input type="hidden" name="timestamp" value="1340899354" id="id_timestamp" /></div>
<div><input type="hidden" name="security_hash" value="6e85e1c846861c80575ce435b21a855706725b00" id="id_security_hash" /></div>
... 
 

The "security_hash" field that you see is part of the comments app, and is not the CSRF token. That needs to be output by a {% csrf_token %} tag (or its equivalent). If it's working, you should see another hidden input field, which looks like this:

<div style="display:none">
    <input type="hidden" name="csrfmiddlewaretoken" value="36d43c1652d5676d6d411950e077eeaa1cc1f799"/>
</div>

The comments app normally does that automatically -- it's part of django/contrib/comments/templates/form.html -- Are you overriding the comment form in your own app? If so, you need to include the call to {% csrf_token %} yourself.

@csrf_protect  #does not matter if this is here or not

No, if you have the CsrfViewMiddleware installed, then you don't need this line at all.

--
Regards,
Ian Clelland
<clel...@gmail.com>
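Ian's distinction matters for more than getting past the error: security_hash and csrfmiddlewaretoken defend against different things. The example below is added here and is not Django's code. It models the two checks stand-alone: the security_hash construction follows django.contrib.comments' CommentSecurityForm as I recall it (a salted HMAC-SHA1 over content_type, object_pk and timestamp keyed with SECRET_KEY, rejected after two hours), and the CSRF check follows Django 1.3's CsrfViewMiddleware (the form field must equal the csrftoken cookie). The salt string, key derivation, secret key, object ids and cookie values are all assumptions or constructed. It then runs three submissions: a legitimate one, the poster's situation (token field missing), and a cross-site forgery that copies the public security_hash from the page but cannot read the victim's cookie.

```python
"""Why security_hash is not a CSRF token: a stand-alone model of both checks.

Added example, not Django's own code. Key derivation, salt and all values are
assumptions or constructed; see the lead-in.
"""
import hashlib
import hmac
import secrets
import time

SECRET_KEY = "constructed-secret-key-not-a-real-one"          # stands in for settings.SECRET_KEY
COMMENT_SALT = "django.contrib.forms.CommentSecurityForm"      # assumed to match Django 1.3's salt
TIMESTAMP_MAX_AGE = 2 * 60 * 60                                # comments app rejected hashes older than 2h


def salted_hmac(key_salt, value, secret=SECRET_KEY):
    """Modelled on django.utils.crypto.salted_hmac: key = sha1(salt + secret), HMAC-SHA1(value)."""
    key = hashlib.sha1((key_salt + secret).encode("utf-8")).digest()
    return hmac.new(key, value.encode("utf-8"), hashlib.sha1)


def generate_security_hash(content_type, object_pk, timestamp):
    """The hidden security_hash field: binds the form to one object and a time, not to a user."""
    return salted_hmac(COMMENT_SALT, "-".join((content_type, object_pk, timestamp))).hexdigest()


def security_hash_valid(post, now=None):
    now = int(time.time()) if now is None else now
    try:
        ts = int(post["timestamp"])
    except (KeyError, ValueError):
        return False
    # Rejecting future timestamps is added hardening, not in the original comments app.
    if not 0 <= now - ts <= TIMESTAMP_MAX_AGE:
        return False
    expected = generate_security_hash(post.get("content_type", ""), post.get("object_pk", ""),
                                      post["timestamp"])
    return hmac.compare_digest(expected, post.get("security_hash", ""))


def csrf_valid(post, cookies):
    """Django 1.3 CsrfViewMiddleware, simplified: form token must equal the csrftoken cookie."""
    cookie_token = cookies.get("csrftoken", "")
    field = post.get("csrfmiddlewaretoken", "")
    return bool(cookie_token) and hmac.compare_digest(cookie_token, field)


def accept_comment_post(post, cookies, now=None):
    """Same order as Django: the middleware's CSRF check runs before the view ever sees the form."""
    if not csrf_valid(post, cookies):
        return "403 CSRF token missing or incorrect."
    if not security_hash_valid(post, now):
        return "400 security hash failed"
    return "302 comment accepted"


def render_comment_form_fields(content_type, object_pk, now):
    """Hidden fields the comments app puts in the page. All of them are public and user-independent."""
    ts = str(now)
    return {"content_type": content_type, "object_pk": object_pk, "timestamp": ts,
            "security_hash": generate_security_hash(content_type, object_pk, ts)}


def scenario():
    now = 1340899354                                       # the timestamp from the posted form
    victim_cookies = {"csrftoken": secrets.token_hex(16)}  # constructed csrftoken cookie
    fields = render_comment_form_fields("rp2.entry", "28", now)

    # 1. Legitimate submission: form rendered with {% csrf_token %}, field matches the cookie.
    good = dict(fields, csrfmiddlewaretoken=victim_cookies["csrftoken"], comment="hi")
    # 2. The poster's situation: csrfmiddlewaretoken never made it into the form.
    missing = dict(fields, comment="hi")
    # 3. Cross-site forgery: the attacker fetched the page, so holds a valid security_hash,
    #    but cannot read the victim's csrftoken cookie and has to guess the field.
    forged = dict(fields, csrfmiddlewaretoken=secrets.token_hex(16), comment="spam")

    return {
        "legitimate": accept_comment_post(good, victim_cookies, now),
        "token_missing": accept_comment_post(missing, victim_cookies, now),
        "forged_cross_site": accept_comment_post(forged, victim_cookies, now),
        "forged_hash_alone_passes": security_hash_valid(forged, now),
        "tampered_object_pk": security_hash_valid(dict(fields, object_pk="29"), now),
        "stale_hash": security_hash_valid(fields, now + TIMESTAMP_MAX_AGE + 1),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:26s} {result}")
```

The forged request passes the security_hash check because that hash is visible to anyone who can load the page; it only stops a client from pointing the form at a different object or replaying it days later. The CSRF token is the only field bound to the submitting browser, which is why the middleware rejects a form that carries everything except csrfmiddlewaretoken.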

brycenesbitt
Jun 30, 2012, 2:39:33 AM
to django...@googlegroups.com


The "security_hash" field that you see is part of the comments app, and is not the CSRF token. That needs to be output by a {% csrf_token %} tag (or its equivalent). If it's working, you should see another hidden input field, which looks like this:

<div style="display:none">
    <input type="hidden" name="csrfmiddlewaretoken" value="36d43c1652d5676d6d411950e077eeaa1cc1f799"/>
</div>

The comments app normally does that automatically -- it's part of django/contrib/comments/templates/form.html -- Are you overriding the comment form in your own app? If so, you need to include the call to {% csrf_token %} yourself.

I am not overriding, at least not deliberately.

django/contrib/comments/templates/form.html has:
{% load comments i18n %}
<form action="{% comment_form_target %}" method="post">{% csrf_token %}

I render my form with:
{% render_comment_form for entry %}

---------------
I should note it did work when I first added it to the application.  It broke after I added pybbm.  I've since removed pybbm (it is maintained and broken), but comments started getting CSRF errors.

brycenesbitt
Jun 30, 2012, 2:40:38 AM
to django...@googlegroups.com
On Thursday, June 28, 2012 10:43:58 AM UTC-7, jonas wrote:
After the starting form tag add {% csrf_token %}

I can't.
It is rendered for me by {% render_comment_form for entry %}

Melvyn Sopacua
Jul 3, 2012, 9:07:51 AM
to django...@googlegroups.com
On 30-6-2012 8:39, brycenesbitt wrote:

> <form action="{% comment_form_target %}" method="post">{% csrf_token %}
>
> I render my form with:
> {% render_comment_form for entry %}

You should verify if the generated html looks sane. If you need help
with that, put it up on dpaste.

> ---------------
> I should note it did work when I first added it to the application. It
> broke after I added pybbm. I've since removed pybbm (it is maintained and
> broken), but comments
> started getting csrf errors.

Any chance pybbm started messing with the session storage backend and
you haven't set it back correctly? Do any sessions work at all?

--
Melvyn Sopacua


brycenesbitt
Jul 16, 2012, 3:01:04 AM
to Django users
It works now that I have fully uninstalled pybbm.
Pybbm was incompatible with my app because it also extended the User object (something apparently you can only do once?).