Closed ErikUmble closed 1 year ago
Well that's fun and interesting. What versions of Python and Django are you using? Do you have any middleware that might be involved?
Do you have any interesting configuration around authentication? Is the user in question a superuser? If not, do they have permissions to the databrowser View model?
Python 3.8.2
Django 4.0.9
The user is a superuser (created by python manage.py createsuperuser).
The rest of the setup is mostly the default from cookiecutter-django
It's because the cookie cutter setup enables CSRF_COOKIE_HTTPONLY, which per the Django docs: "Although the setting offers little practical benefit, it's sometimes required by security auditors."
https://docs.djangoproject.com/en/dev/ref/settings/#csrf-cookie-httponly
I'm unsure if this should be considered a bug or what I could do about it if I were to consider it a bug. I will do some more reading.
I've cut a new version that hopefully is compatible with this. Please let me know how that goes for you.
Yes, you were right about it being due to that setting (I commented it out and it worked), and I can also confirm that the latest release of django-data-browser fixed the issue, as it now works fine with the setting enabled. Thank you so much!
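Added example, not part of the thread and not django-data-browser's code: with CSRF_COOKIE_HTTPONLY enabled the csrftoken cookie is invisible to JavaScript, so a client that only reads the cookie sends no X-CSRFToken header and gets the 403, while reading the token from the field rendered by {% csrf_token %} works with the setting on or off. The helper names, the fake document objects and the token values are constructed for illustration.

```javascript
// Added example: names and sample values below are constructed. Django defaults
// used: cookie "csrftoken", field "csrfmiddlewaretoken", header "X-CSRFToken".

// Return the named cookie from a document.cookie string, or null.
function readCookie(cookieString, name) {
  for (const part of (cookieString || "").split(";")) {
    const trimmed = part.trim();
    const eq = trimmed.indexOf("=");
    if (eq !== -1 && trimmed.slice(0, eq) === name) {
      return decodeURIComponent(trimmed.slice(eq + 1));
    }
  }
  return null;
}

// Cookie-only lookup: null once CSRF_COOKIE_HTTPONLY hides the cookie.
function tokenFromCookie(doc) {
  return readCookie(doc.cookie, "csrftoken");
}

// DOM-first lookup: reads the field rendered by {% csrf_token %}, then
// falls back to the cookie, so it works with the setting on or off.
function getCsrfToken(doc) {
  const field = doc.querySelector("[name=csrfmiddlewaretoken]");
  if (field && field.value) return field.value;
  return tokenFromCookie(doc);
}

// Headers for a JSON POST; fail early instead of sending a request
// that the CSRF middleware will reject with 403.
function csrfHeaders(doc) {
  const token = getCsrfToken(doc);
  if (!token) throw new Error("no CSRF token in DOM or cookie");
  return { "Content-Type": "application/json", "X-CSRFToken": token };
}

// Constructed stand-in for window.document so this runs under Node.
function fakeDocument(cookie, fieldValue) {
  const field = fieldValue ? { value: fieldValue } : null;
  return {
    cookie,
    querySelector: (sel) => (sel === "[name=csrfmiddlewaretoken]" ? field : null),
  };
}

const defaultDoc = fakeDocument("theme=dark; csrftoken=tok-cookie", null);
const httpOnlyDoc = fakeDocument("theme=dark", "tok-dom");
```

In a browser, pass the real document to csrfHeaders and spread the result into the headers of the fetch call that performs the POST.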
I receive this server-side error when a user clicks 'Save View' within a data-browser view. And this is the html log: "POST /data-browser/api/views/ HTTP/1.1" 403 12628
Note that I am using django-data-browser out of the box, just testing it out to see if it will work for my project.