javrasya / river-admin

:rocket: A shiny admin interface for django-river built with DRF, Vue & Vuetify
https://riveradminproject.com/
BSD 3-Clause "New" or "Revised" License

Accessing river Admin leads to 403 Forbidden Error #12

Open rupin opened 4 years ago

rupin commented 4 years ago

Describe the bug: I try to access http:///river-admin

To Reproduce: Steps to reproduce the behavior:

  1. With Django version 2.2
  2. With Python version 3.6.9

Expected behavior: I expected the River Admin to load.

Screenshots: [image]

* PostgreSQL 10

Additional context: If permission classes are added in settings, a 403 error is received. I have the following added in my settings.py:

```python
REST_FRAMEWORK = {
    # Use Django's standard django.contrib.auth permissions,
    # or allow read-only access for unauthenticated users.
    'DEFAULT_PERMISSION_CLASSES': [
        'rest_framework.permissions.IsAuthenticated'
    ],
    'DEFAULT_AUTHENTICATION_CLASSES': [
        'rest_framework.authentication.TokenAuthentication',  # <-- And here
        'rest_framework.authentication.SessionAuthentication',
        # 'rest_framework.authentication.BasicAuthentication'
        'rest_framework.authentication.BasicAuthentication'
    ],
    'EXCEPTION_HANDLER': 'river_admin.views.exception_handler'
}
```

When the DEFAULT_PERMISSION_CLASSES are removed, the page loads, but no authentication happens as shown in the screenshot.

javrasya commented 4 years ago

Hi @rupin ,

How do you see that it is 403? And on which screen?

The rest framework settings should be as stated in the documentation:

```python
REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': [
        'rest_framework.authentication.BasicAuthentication',
        'rest_framework.authentication.TokenAuthentication',
    ],
    'EXCEPTION_HANDLER': 'river_admin.views.exception_handler'
}
```

river-admin authenticates through two channels: Basic auth, which is for the first time you log in, and token-based, which is for after login. The moment you log in, a token is generated to reside in your browser session like a cookie, and then that token keeps getting used for all the API calls.
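As an added illustration of the interplay this thread is about (not code from river-admin or DRF), the following is a simplified model of how Django REST Framework chooses between 200, 401 and 403: a global IsAuthenticated permission rejects any request that carries no credentials, the status code of that rejection depends on which authentication class is listed first, and SessionAuthentication's CSRF check is a separate source of 403. The credential stores and the `dispatch`/`authenticate` helpers are constructed for the example.

```python
import base64
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample credentials for the model (not real data).
VALID_TOKENS = {"abc123": "alice"}
VALID_BASIC = {("alice", "s3cret"): "alice"}


@dataclass
class Request:
    method: str = "GET"
    authorization: str = ""              # raw Authorization header, "" if absent
    session_user: Optional[str] = None   # user bound to the session cookie, if any
    csrf_ok: bool = True                 # would Django's CSRF check pass?


def basic_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticate(name: str, req: Request) -> Optional[str]:
    """Emulate one DRF authentication class; return the user or None."""
    if name == "Basic" and req.authorization.startswith("Basic "):
        try:
            user, _, pw = base64.b64decode(req.authorization[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        return VALID_BASIC.get((user, pw))
    if name == "Token" and req.authorization.startswith("Token "):
        return VALID_TOKENS.get(req.authorization[6:])
    if name == "Session" and req.session_user:
        # SessionAuthentication enforces CSRF only for a session-authenticated
        # user and only on unsafe methods; failure is a 403 "CSRF Failed".
        if req.method not in ("GET", "HEAD", "OPTIONS") and not req.csrf_ok:
            raise PermissionError("CSRF Failed")
        return req.session_user
    return None


def dispatch(auth_classes: List[str], permission_classes: List[str], req: Request) -> int:
    """Return the HTTP status the modelled DRF view would produce."""
    try:
        user = next((u for u in (authenticate(a, req) for a in auth_classes) if u), None)
    except PermissionError:
        return 403
    if "IsAuthenticated" in permission_classes and user is None:
        # NotAuthenticated becomes 401 only when the *first* authenticator can
        # emit a WWW-Authenticate challenge (Basic and Token can, Session cannot).
        return 401 if auth_classes and auth_classes[0] in ("Basic", "Token") else 403
    return 200
```

Run `dispatch(["Session"], ["IsAuthenticated"], Request())` against `dispatch(["Basic", "Token"], ["IsAuthenticated"], Request())` to see the 403-versus-401 difference for an anonymous first visit.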

rupin commented 4 years ago

When I try to access /river-admin I get a 403 Error.

See a video of this in action here https://www.loom.com/share/2f161ad4a8604de0898b87a182e21c2a

I understand the settings as stated in the documentation. But I also have a permission class:

```python
'DEFAULT_PERMISSION_CLASSES': [ 'rest_framework.permissions.IsAuthenticated' ],
```

When this is removed from my settings, the login page becomes visible. What are the login credentials for river-admin? Are these not the same as for the Django admin interface?

agriev commented 3 years ago

In Safari:

[screenshot, 2021-01-19 16:38]

and the CSRF token is present in the request.

[screenshot, 2021-01-19 16:39]

In Chrome everything is correct.

redbearder commented 3 years ago

I also face this issue, and a simple way to fix it is to delete the CSRF cookie in the browser developer console. The root cause has not been found yet.

VaZark commented 2 years ago

I faced the same error but on adding "rest_framework.authtoken" along with "rest_framework", it started working.