I have set @csrf_exempt on my view and I am still getting a csrf error when POSTing to it.
code:

```python
from django.views.decorators.csrf import csrf_exempt
from dajaxice.decorators import dajaxice_register
# require_person_viewed_is_verified, Profile and model_to_dajax are the project's own helpers

@csrf_exempt
@require_person_viewed_is_verified
@dajaxice_register
def profile(request, id):
    profile = Profile.objects.select_subclasses().get(id=id)
    return model_to_dajax(profile, False, 'profile', 'feeds/single_proper.html').json()
```
request:

```http
POST /dajaxice/feeds.profile/ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer:
Content-Length: 26
Content-Type: text/plain; charset=UTF-8
Pragma: no-cache
Cache-Control: no-cache

argv=%7B%22id%22%3A5041%7D
```
Response:

```http
Server: nginx/0.7.67
Date: Mon, 12 Mar 2012 13:26:16 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20
Vary: Cookie
ETag: "ecdfed475610726df6c4cae28a35b4e4"
X-Varnish: 1818915281
Age: 0
Via: 1.1 varnish
Content-Encoding: gzip
```

```
Forbidden (403)
CSRF verification failed. Request aborted.
Help
Reason given for failure:
```

django-dajaxice wraps all ajax calls using the same view, so you can't `@csrf_exempt` only one. Anyway, making one of your calls vulnerable to CSRF attacks isn't a good idea at all.
Yesterday I released a new django-dajaxice version (0.5) that allows you to make GET calls instead of POST ones: http://django-dajaxice.readthedocs.org/en/latest/quickstart.html#how-can-i-do-a-get-request-instead-of-a-post-one
Hope this helps you, Cheers.
The GET calls do not pass params so this is not really a good alternative.
btw, if a view does not mutate any objects, is it still dangerous to expose? And if it does not mutate any objects, it should be a GET and not a POST.
According to http://www.w3schools.com/ajax/ajax_xmlhttprequest_send.asp the data param is only supported on POST methods. This means that there is currently no way to support csrf_exempt views.
Forked https://github.com/eamonnfaherty/django-dajaxice so you can do:

`@dajaxice_register(csrf_exempt=True)` or `@dajaxice_register(csrf_exempt=False)`

Not the neatest of solutions, but CSRF is not nice to work with anyway :p
Hello @eamonnfaherty, thank you very much for your suggestion. What about sending the args as part of the URL if the request is GET?
https://github.com/jorgebastida/django-dajaxice/commit/f878f5e845bee2e511c70e7fd87992fa21f7569e
I've pushed these changes to develop, and I'll release them soon as 0.5.2.
Thanks!
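To make the thread's point concrete, here is a small Python sketch (added here; it is not dajaxice's code, nor the fork's, nor the maintainer's) of a single dispatcher view that honours a per-function `csrf_exempt` flag as the fork does, and reads `argv` from the query string on GET as the maintainer's commit does. The `REGISTRY`, `dispatch` and the `app=` argument are assumptions, and the CSRF token check is stubbed as a boolean so it runs without Django.

```python
import json
from urllib.parse import parse_qs

# Constructed stand-in for dajaxice's registry: "app.func" -> (callable, csrf_exempt flag)
REGISTRY = {}


def dajaxice_register(app, csrf_exempt=False):
    """Hypothetical decorator mirroring the fork's @dajaxice_register(csrf_exempt=...)."""
    def wrap(func):
        REGISTRY["%s.%s" % (app, func.__name__)] = (func, csrf_exempt)
        return func
    return wrap


def dispatch(method, path, query, body, csrf_token_valid):
    """The one view every dajaxice call hits. Returns (status, payload).

    Because this view, not the registered function, is what the CSRF middleware
    sees, a plain @csrf_exempt on `profile` never takes effect; the decision has
    to be made here from the registry flag.
    """
    parts = path.strip("/").split("/", 1)       # "/dajaxice/feeds.profile/" -> "feeds.profile"
    if len(parts) != 2 or parts[0] != "dajaxice" or parts[1] not in REGISTRY:
        return 404, None
    func, exempt = REGISTRY[parts[1]]
    # Django only enforces CSRF on unsafe methods, so GET needs no token.
    if method == "POST" and not exempt and not csrf_token_valid:
        return 403, "CSRF verification failed. Request aborted."
    # argv travels as "argv=<url-encoded JSON>" in the POST body, or in the query string on GET
    raw = body if method == "POST" else query
    argv = json.loads(parse_qs(raw).get("argv", ["{}"])[0])
    return 200, func(**argv)


@dajaxice_register(app="feeds", csrf_exempt=True)  # read-only: safe to exempt, better as GET
def profile(id):
    return {"profile": id}


@dajaxice_register(app="feeds")                    # mutates state: keep CSRF protection
def follow(id):
    return {"followed": id}
```

The body `argv=%7B%22id%22%3A5041%7D` from the report above decodes to `{"id": 5041}` and is passed to the registered function as keyword arguments.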