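I'm using Django Rest's browsable API to POST using session authentication, and I'm getting a CSRF token missing error even though the token is provided. I'm looking for advice on configuring a ModelViewSet subclass so that this works.
Here is my view: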
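    from rest_framework.authentication import SessionAuthentication
    from rest_framework.parsers import FormParser, JSONParser, MultiPartParser
    from rest_framework.permissions import IsAdminUser
    from rest_framework.viewsets import ModelViewSet

    # Tree, TreeSerializer and TreeThrottle come from the project's own modules.
    class TreeAPI(ModelViewSet):
        authentication_classes = (SessionAuthentication,)
        queryset = Tree.objects.get_roots()
        parser_classes = (JSONParser, FormParser, MultiPartParser)
        permission_classes = (IsAdminUser,)
        throttle_classes = (TreeThrottle,)
        serializer_class = TreeSerializer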
I'm able to use the DRF Browsable API to GET this endpoint, but when I use it to POST to this endpoint, I get a 403 with the message CSRF token missing or incorrect.
When I set a breakpoint in the constructor to rest_framework.request.Request, I can see that the incoming request contains the needed csrfmiddleware token:
In Django Rest's Request class, POST is actually a property:
    @property
    def POST(self):
        if not _hasattr(self, '_data'):
            self._load_data_and_files()
        if is_form_media_type(self.content_type):
            # self.data is an empty QueryDict!
            return self.data
        return QueryDict('', encoding=self._request._encoding)
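request.POST no longer contains the csrfmiddlewaretoken key; it has been stripped of all the keys provided by the form:
Therefore, the parameter passed to rest_framework.authentication.SessionAuthentication.enforce_csrf(request), which is then passed to django.middleware.csrf.CsrfViewMiddleware.process_view, does not find the csrfmiddlewaretoken token: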
    if request.method == "POST":
        request_csrf_token = request.POST.get('csrfmiddlewaretoken', '')
What can I check? What are the possible sources of error here?
Considerations
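- Not interested in disabling CSRF
- Not interested in using token authentication
- I'm familiar with how to use CSRF tokens and with the Django docs
- This is the built-in Django REST browsable API; nothing in the UI has been modified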
EDIT 1 - Middleware
    MIDDLEWARE_CLASSES = (
        'django.middleware.common.CommonMiddleware',
        'django.contrib.sessions.middleware.SessionMiddleware',
        'django.middleware.csrf.CsrfViewMiddleware',
        'django.contrib.auth.middleware.AuthenticationMiddleware',
        'django.contrib.messages.middleware.MessageMiddleware',
        'django.middleware.clickjacking.XFrameOptionsMiddleware',
    )
EDIT 2 - versions of software
- djangorestframework == 3.3.3
- Django == 1.9.8
EDIT 3 - possibly related issues at the git project
EDIT 4 - possibly related stack overflow posts
- Having a POST'able API and Django's CSRF Middleware
- How to make a POST simple JSON using Django REST Framework? CSRF token missing or incorrect
- How to make a Django-Rest-Framework API that takes POST data?
- Django Rest Framework, ajax POST works but PATCH throws CSRF Failed: CSRF token missing or incorrect
- http://www.django-rest-framework.org/api-guide/parsers/#formparser
1 Answer
This issue does not appear in djangorestframework==3.5.4. See http://www.django-rest-framework.org/topics/release-notes/; I have a feeling this was fixed after 3.3.x.
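Added example, not part of the original question or answer: a simplified standard-library model of the token lookup in the process_view excerpt quoted in the question, showing why an emptied request.POST yields the 403 even though the form sent the token. It assumes Django 1.9 behavior (the request token is compared directly with the CSRF cookie, with the X-CSRFToken header as fallback) and handles only URL-encoded forms; the function names, verdict strings and sample values are constructed for illustration.

```python
import hmac
from urllib.parse import parse_qs

CSRF_HEADER = "HTTP_X_CSRFTOKEN"  # Django's default CSRF_HEADER_NAME
FORM = "application/x-www-form-urlencoded"


def parse_form(body, content_type):
    """URL-encoded form fields as a dict; {} for any other content type."""
    if content_type.split(";")[0].strip().lower() != FORM:
        return {}
    return {key: values[-1] for key, values in parse_qs(body).items()}


def csrf_verdict(method, post, meta, cookie_token):
    """Hypothetical helper modelling the lookup order; not Django's own code."""
    if method in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return "ok: safe method, no token required"
    if not cookie_token:
        return "reject: CSRF cookie not set"
    token = post.get("csrfmiddlewaretoken", "") if method == "POST" else ""
    source = "form field"
    if token == "":
        # Fallback for AJAX and non-form bodies: the X-CSRFToken header.
        token, source = meta.get(CSRF_HEADER, ""), "header"
    # Both rejections below reach the client as the 403 quoted in the question.
    if token == "":
        return "reject: no token in POST data or header"
    if not hmac.compare_digest(token.encode(), cookie_token.encode()):
        return "reject: %s token does not match cookie" % source
    return "ok: token from %s" % source


# Constructed sample values, made up for illustration.
COOKIE = "constructedSampleToken0123456789"
BODY = "csrfmiddlewaretoken=%s&name=oak" % COOKIE


def demo():
    return {
        "form_parsed": csrf_verdict("POST", parse_form(BODY, FORM), {}, COOKIE),
        "post_emptied": csrf_verdict("POST", {}, {}, COOKIE),
        "json_body": csrf_verdict("POST", parse_form("{}", "application/json"), {}, COOKIE),
        "header_sent": csrf_verdict("POST", {}, {CSRF_HEADER: COOKIE}, COOKIE),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, "->", verdict)
```

The post_emptied case corresponds to the empty QueryDict observed in the question: with no form field and no header, the lookup has nothing to compare against the cookie.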