tolomea / django-data-browser

Django app for user friendly querying of Django models
BSD 3-Clause "New" or "Revised" License

CSRF token from the 'X-Csrftoken' HTTP header has incorrect length. #57

Closed ErikUmble closed 1 year ago

ErikUmble commented 1 year ago

I receive this server-side error when user clicks 'Save View' within a data-browser view. And this is the html log "POST /data-browser/api/views/ HTTP/1.1" 403 12628

Note that I am using django-data-browser out of the box, just testing it out to see if it will work for my project.

tolomea commented 1 year ago

Well that's fun and interesting. What versions of Python and Django are you using? Do you have any middleware that might be involved?

tolomea commented 1 year ago

Do you have any interesting configuration around authentication? Is the user in question a superuser? If not, do they have permissions to the databrowser View model?

ErikUmble commented 1 year ago

Python 3.8.2, Django 4.0.9. The user is a superuser (created by `python manage.py createsuperuser`).

ErikUmble commented 1 year ago

The rest of the setup is mostly the default from cookiecutter-django

tolomea commented 1 year ago

It's because the cookiecutter setup enables CSRF_COOKIE_HTTPONLY which per the Django docs "Although the setting offers little practical benefit, it’s sometimes required by security auditors." https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-httponly

I'm unsure if this should be considered a bug or what I could do about it if I were to consider it a bug. I will do some more reading.
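The mechanism behind the error above, as an added example that is not part of this thread and not django-data-browser's own code: with `CSRF_COOKIE_HTTPONLY = True` the browser hides the `csrftoken` cookie from `document.cookie`, so a script that follows the common cookie-reading pattern gets no token and whatever it puts in `X-CSRFToken` fails Django's format check (a valid token is 32 or 64 alphanumeric characters). Reading the token from the `csrfmiddlewaretoken` hidden input that `{% csrf_token %}` renders works regardless of the cookie flag. The cookie strings, the page HTML and the token value below are constructed; `document.cookie` is passed in explicitly so the code runs under Node without a browser. The format check mirrors Django's, but is a simplified re-implementation, not Django's code.

```javascript
// Added example; not code from django-data-browser or Django.
// Django's CSRF middleware rejects an X-CSRFToken value before comparing it
// unless it is 32 or 64 characters drawn from [A-Za-z0-9].
const CSRF_SECRET_LENGTH = 32;
const CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH;
const CSRF_ALLOWED_RE = /^[A-Za-z0-9]+$/;

// Simplified mirror of Django's token format check. Returns the failure
// reason, or "ok" when the value would pass on to the real comparison.
function checkTokenFormat(token) {
  if (token === null || token === undefined) return "missing";
  if (token.length !== CSRF_TOKEN_LENGTH && token.length !== CSRF_SECRET_LENGTH) {
    return "incorrect length";
  }
  if (!CSRF_ALLOWED_RE.test(token)) return "invalid characters";
  return "ok";
}

// The cookie-reading helper shown in the Django docs, taking the cookie
// string as a parameter instead of reading document.cookie directly.
// Under CSRF_COOKIE_HTTPONLY the csrftoken cookie is simply absent here.
function getCookie(name, cookieString) {
  for (const raw of cookieString.split(";")) {
    const cookie = raw.trim();
    if (cookie.startsWith(name + "=")) {
      return decodeURIComponent(cookie.slice(name.length + 1));
    }
  }
  return null;
}

// Token from the hidden input rendered by {% csrf_token %}. Script can read
// this whether or not the cookie is HttpOnly, which is what the Django docs
// recommend when CSRF_COOKIE_HTTPONLY is on.
function getTokenFromDom(html) {
  const m = /name="csrfmiddlewaretoken"[^>]*value="([^"]*)"/.exec(html);
  return m ? m[1] : null;
}

// Robust header value: prefer the DOM-embedded token, fall back to the cookie.
function csrfHeaderValue({ cookieString, html }) {
  const fromDom = getTokenFromDom(html);
  return fromDom !== null ? fromDom : getCookie("csrftoken", cookieString);
}

// --- constructed sample data (not real session material) ---
const TOKEN = "Q7mX".repeat(16); // 64 alphanumeric chars, like a Django masked token
const COOKIES_DEFAULT = "sessionid=abc123; csrftoken=" + TOKEN;
const COOKIES_HTTPONLY = "sessionid=abc123"; // csrftoken hidden from script
const PAGE_HTML =
  '<form><input type="hidden" name="csrfmiddlewaretoken" value="' + TOKEN + '"></form>';

// Walk through both settings and return what each approach would send.
function scenarios() {
  const cookieOnlyDefault = getCookie("csrftoken", COOKIES_DEFAULT);
  const cookieOnlyHttpOnly = getCookie("csrftoken", COOKIES_HTTPONLY);
  return {
    defaultSettings: checkTokenFormat(cookieOnlyDefault),          // "ok"
    httpOnlyCookieOnly: checkTokenFormat(String(cookieOnlyHttpOnly)), // "null" -> "incorrect length"
    httpOnlyWithDom: checkTokenFormat(
      csrfHeaderValue({ cookieString: COOKIES_HTTPONLY, html: PAGE_HTML })
    ), // "ok"
  };
}

console.log(scenarios());
```

The `String(null)` in the second scenario stands in for the common mistake of stringifying whatever the cookie lookup returned straight into the header; any such placeholder is the wrong length, which is the "incorrect length" 403 reported above. The thread does not show how the new django-data-browser release fixed this, so the DOM-token fallback here is the general technique from the Django docs, not a claim about the project's patch.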

tolomea commented 1 year ago

I've cut a new version that hopefully is compatible with this. Please let me know how that goes for you.

ErikUmble commented 1 year ago

Yes, you were right about it being due to that setting (I commented it out and it worked), and I can also confirm that the latest release of django-data-browser fixed the issue, as it now works fine with the setting enabled. Thank you so much!