If a user visits the views.frontend.respond view without having previously visited a page that sets a CSRF cookie, the response fails to set a CSRF cookie, leading to 403 errors when submitting an annotation or response.
This is because Django sets a flag on the request object when the token is first accessed, telling the middleware to add a Set-Cookie header; in the case of the 'respond' view this happens in the dummy request, so the header never gets passed back to the user.
To fix this, we need to call get_token in the context of the real request, and then ensure the dummy request is using the same token (so that the right token appears in the output of the {% wagtailreview %} tag).
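The cookie-flag mechanism described above, as an added example that is not part of this issue or of wagtail-review: a small self-contained model of Django's behaviour (the Request, Response, get_token and middleware classes here are constructed stand-ins, and the META key names are a simplification of Django's), showing why the dummy request swallows the flag and how calling get_token on the real request and sharing the token fixes it.

```python
import secrets


class Request:
    """Constructed stand-in for django.http.HttpRequest."""
    def __init__(self, cookies=None):
        self.COOKIES = dict(cookies or {})
        self.META = {}


class Response:
    """Constructed stand-in for HttpResponse; cookies would become Set-Cookie headers."""
    def __init__(self):
        self.cookies = {}


def get_token(request):
    """Model of django.middleware.csrf.get_token: return the token and flag
    *this* request object so the middleware later emits Set-Cookie."""
    token = request.META.get("CSRF_COOKIE")
    if token is None:
        token = request.COOKIES.get("csrftoken") or secrets.token_hex(16)
        request.META["CSRF_COOKIE"] = token
    request.META["CSRF_COOKIE_NEEDS_UPDATE"] = True  # flag lives on the request it was called with
    return token


def csrf_middleware(request, response):
    """Model of CsrfViewMiddleware.process_response: only a flagged request gets the cookie."""
    if request.META.get("CSRF_COOKIE_NEEDS_UPDATE"):
        response.cookies["csrftoken"] = request.META["CSRF_COOKIE"]
    return response


def render_review_tag(dummy_request):
    # The {% wagtailreview %} tag reads the token from whatever request it is rendered with.
    return get_token(dummy_request)


def respond_view_buggy(request):
    dummy = Request()                      # flag is set on the dummy, never on `request`
    token_in_html = render_review_tag(dummy)
    return csrf_middleware(request, Response()), token_in_html


def respond_view_fixed(request):
    token = get_token(request)             # flag the real request so Set-Cookie is emitted
    dummy = Request()
    dummy.META["CSRF_COOKIE"] = token      # dummy request reuses the same token
    token_in_html = render_review_tag(dummy)
    return csrf_middleware(request, Response()), token_in_html
```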