cedadev / djcharme

CHARMe project node

Invoking the advance_status service results in a 403 Forbidden #2

Closed ahenrycgi closed 10 years ago

ahenrycgi commented 10 years ago

Invoking the advance_status service (http://charme-dev.cems.rl.ac.uk/advance_status) results in an HTTP response code of 403.

Request Headers:

POST http://charme-dev.cems.rl.ac.uk/advance_status HTTP/1.1
Host: charme-dev.cems.rl.ac.uk
Proxy-Connection: keep-alive
Content-Length: 63
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.57 Safari/537.36
Content-Type: application/json
Referer: http://localhost:8080/CHARMe_Plugin/plugin.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6

Request Body:

annotation=d578e6a0-3124-4f12-b2e5-d213b5b27a15&toState=invalid

Response Headers:

HTTP/1.0 403 Forbidden
Date: Fri, 30 Aug 2013 13:03:51 GMT
Server: Apache/2.2.15 (Red Hat)
Content-Type: text/html; charset=UTF-8
X-Cache: MISS from cache1.uk.logica.com
X-Cache-Lookup: MISS from cache1.uk.logica.com:3128
Via: 1.0 cache1.uk.logica.com (squid/3.1.19)
Connection: close

Response body:

...

Forbidden (403)

CSRF verification failed. Request aborted.

More information is available with DEBUG=True.

...
kusamau commented 10 years ago

This is because the '/advance_status' service is still csrf_protected (https://docs.djangoproject.com/en/dev/ref/contrib/csrf), as all POST HTTP requests are. For this milestone I will fix it with a @csrf_exempt; however, I think it is worth thinking more about this.
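As an added illustration (not code from the djcharme project or from either commenter), a minimal stand-in for the Django CSRF middleware check: it shows why the captured request is rejected and what a request that keeps the protection instead of using @csrf_exempt would need (a csrftoken cookie plus a matching X-CSRFToken header or csrfmiddlewaretoken field). The request parsing and the token value are constructed; the outline follows Django's documented check, not its exact code.

```python
import hmac
from urllib.parse import parse_qs


def parse_request(raw: str):
    """Split a raw HTTP request into (method, lower-cased headers, body)."""
    head, _, body = raw.partition("\n\n")
    request_line, *header_lines = head.splitlines()
    method = request_line.split()[0]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers, body.strip()


def cookies(headers):
    """Parse the Cookie header into a dict (constructed helper)."""
    jar = {}
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            jar[name] = value
    return jar


def csrf_check(raw: str):
    """Return (allowed, reason). Safe methods pass; unsafe methods need a
    csrftoken cookie that matches the csrfmiddlewaretoken form field or the
    X-CSRFToken header. Reason strings mirror Django's 403 page."""
    method, headers, body = parse_request(raw)
    if method in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return True, "safe method"
    cookie_token = cookies(headers).get("csrftoken")
    if not cookie_token:
        return False, "CSRF cookie not set."
    form = parse_qs(body)
    request_token = form.get("csrfmiddlewaretoken", [""])[0] or headers.get("x-csrftoken", "")
    if not hmac.compare_digest(request_token, cookie_token):  # constant-time compare
        return False, "CSRF token missing or incorrect."
    return True, "ok"


# Constructed requests: REJECTED mirrors the captured one (no cookie, no token).
REJECTED = """POST http://charme-dev.cems.rl.ac.uk/advance_status HTTP/1.1
Host: charme-dev.cems.rl.ac.uk
Content-Type: application/json

annotation=d578e6a0-3124-4f12-b2e5-d213b5b27a15&toState=invalid"""

ACCEPTED = """POST http://charme-dev.cems.rl.ac.uk/advance_status HTTP/1.1
Host: charme-dev.cems.rl.ac.uk
Cookie: csrftoken=examplecsrftoken123
X-CSRFToken: examplecsrftoken123
Content-Type: application/x-www-form-urlencoded

annotation=d578e6a0-3124-4f12-b2e5-d213b5b27a15&toState=invalid"""
```

Because the plugin page is served from a different origin than the service (the Origin header above is http://localhost:8080), the cookie-plus-header approach also needs the service to allow that origin with credentials; exempting the view removes the check for every caller, not just the plugin.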