django-cms / django-filer

File and Image Management Application for django
https://django-filer.readthedocs.io/

Forbidden (CSRF token missing.): /admin/filer/clipboard/operations/upload/2/ #1410

Closed housUnus closed 9 months ago

housUnus commented 1 year ago

When I try to upload an image using the admin page it doesn't work anymore; it shows this:

Forbidden (CSRF token missing.): /admin/filer/clipboard/operations/upload/2/ [11/Aug/2023 03:23:08] "POST /admin/filer/clipboard/operations/upload/2/?qqfile=Tangerois+Store+Logo.jpg HTTP/1.1" 403 2506

and the file is uploaded. I know a csrf_token is missing, but I don't know where to add it in your package.

Regards

fsbraun commented 1 year ago

How exactly are you trying to upload the file? Since you say "anymore": What did you change?

housUnus commented 1 year ago

It was working on filer v2.2.4, but after upgrading to the latest version it's not working anymore.

Django==4.2.3
django-filer==3.0.2

I was trying to upload in the admin area.

housUnus commented 1 year ago

Please note that I'm using another way of uploading files rather than the admin interface, and it worked fine. I dived into the package code and found @csrf_exempt above ajax_upload, which should allow the POST request to go through without a CSRF token. So it must be a function that calls ajax_upload from the admin that doesn't have the csrf_exempt decorator; that's why it always fails to reach ajax_upload. The solution might be adding the CSRF token while calling the XMLHttpRequest uploader on the client side.

housUnus commented 1 year ago

I have updated the JS file uploader so it sends the CSRF token without using csrf_exempt, and it is no longer blocked for the unknown reasons stated before.

fsbraun commented 1 year ago

I have not yet been able to reproduce the bug. How exactly are you uploading? I am unclear if you are using the admin interface (I understand no) or not (I understand you think some call to the admin interface requires the token). Uploads outside the admin interface are currently not supported.

housUnus commented 1 year ago

I was using the admin interface to upload, but I always had the CSRF-missing problem.

What I've added is:

csrf = document.querySelector('form input[name="csrfmiddlewaretoken"]')
. . .
o.setRequestHeader("X-CSRFToken", csrf.value)

Which allows sending the csrf token with the request.
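The client-side fix the commenter describes, written out as an added example (this is not django-filer's own code): resolve Django's CSRF token from the hidden field rendered by {% csrf_token %} or from the csrftoken cookie, and send it as X-CSRFToken only on same-origin requests with unsafe methods. The `doc`, `cookieString` and `pageOrigin` parameters and the fake XHR object are constructed so the logic can be exercised outside a browser.

```javascript
// Django rejects POST/PUT/PATCH/DELETE requests that carry neither the
// csrfmiddlewaretoken form field nor the X-CSRFToken header. An uploader
// that streams the file as the raw request body (the filer widget's
// ?qqfile=... call in the 403 log line above) must add the header itself.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Locate the token: the hidden input rendered by {% csrf_token %} first,
// then the "csrftoken" cookie (Django's default CSRF_COOKIE_NAME).
// `doc` and `cookieString` are injected so this runs without a browser.
function getCsrfToken(doc, cookieString) {
  const input = doc && typeof doc.querySelector === 'function'
    ? doc.querySelector('input[name="csrfmiddlewaretoken"]')
    : null;
  if (input && input.value) return input.value;
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    if (part.slice(0, idx).trim() === 'csrftoken') {
      return decodeURIComponent(part.slice(idx + 1).trim());
    }
  }
  return null;
}

// Only unsafe methods need the token, and it must never be sent to
// another origin (that would hand the anti-CSRF secret to a third party).
function needsCsrfHeader(method, url, pageOrigin) {
  if (SAFE_METHODS.has(method.toUpperCase())) return false;
  const target = new URL(url, pageOrigin);
  return target.origin === new URL(pageOrigin).origin;
}

// Open the request and attach X-CSRFToken when appropriate. Returns the
// headers that were set so callers can verify the decision.
function openWithCsrf(xhr, method, url, token, pageOrigin) {
  xhr.open(method, url, true);
  const headers = {};
  if (needsCsrfHeader(method, url, pageOrigin)) {
    if (!token) {
      // Fail loudly on the client instead of letting Django answer 403.
      throw new Error('CSRF token not found; upload would be rejected');
    }
    headers['X-CSRFToken'] = token;
    xhr.setRequestHeader('X-CSRFToken', token);
  }
  return headers;
}
```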

stale[bot] commented 10 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] commented 9 months ago

This will now be closed due to inactivity, but feel free to reopen it.