tolomea
commented
1 year ago Well that's fun and interesting. What versions of Python and Django are you using? Do you have any middleware that might be involved?
Closed ErikUmble closed 1 year ago
tolomea
commented
1 year ago Well that's fun and interesting. What versions of Python and Django are you using? Do you have any middleware that might be involved?
tolomea
commented
1 year ago Do you have any interesting configuration around authentication? Is the user in question a super user? if not do they have permissions to the databrowser View model.
ErikUmble
commented
1 year ago Python 3.8.2 Django 4.0.9 The user is a superuser (created by python manage.py createsuperuser)
ErikUmble
commented
1 year ago The rest of the setup is mostly the default from cookiecutter-django
tolomea
commented
1 year ago It's because the cookie cutter setup enables CSRF_COOKIE_HTTPONLY which per the Django docs "Although the setting offers little practical benefit, it’s sometimes required by security auditors." https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-httponly
I'm unsure if this should be considered a bug or what I could do about it if I were to consider it a bug. I will do some more reading.
tolomea
commented
1 year ago I've cut a new version that hopefully is compatible with this. Please let me know how that goes for you.
ErikUmble
commented
1 year ago Yes, you were right about it being due to that setting (I commented it out and it worked), and I can also confirm that the latest release of django-data-browser fixed the issue, as it now works fine with the setting enabled. Thank you so much!
I receive this server-side error when user clicks 'Save View' within a data-browser view. And this is the html log "POST /data-browser/api/views/ HTTP/1.1" 403 12628
Note that I am using django-data-browser out of the box, just testing it out to see if it will work for my project.