Django rest framework - Authentication error with PUT requests

I have a very simple Resource like this for my model 'Presentacion'

class PresentacionResource(ModelResource):
    model = Presentacion
    fields = (some fields)
    ignore_fields = (few to ignore)

and I need to implement authentication for this, so as I read, I created two wrappers

class AuthListOrCreateModelView(ListOrCreateModelView):
    permissions = (IsAuthenticated, )
class AuthInstanceModelView(InstanceModelView):
    permissions = (IsAuthenticated, )

And then in my urls.py

url(r'^presentaciones/$', AuthListOrCreateModelView.as_view(resource=PresentacionResource), name='presentacion-root'),
url(r'^presentaciones/(?P<id>[0-9]+)$', AuthInstanceModelView.as_view(resource=PresentacionResource), name='presentacion'),

This is working fine for the GET 'presentaciones/' requests, but when I try to make a PUT request, I'm getting a 403 FORBIDDEN.

What's strange to me is that GET is working fine: as long as I'm logged in, it's responding correctly, but if I log out it responds with 403 FORBIDDEN.

Answers


If you are using Django's session based authentication, then you may be tripping over the CSRF protection built into Django (see UserLoggedInAuthentication class[1]).

If this is the case, you will need to ensure that a CSRF cookie gets sent to the client and then you can adapt the jQuery instructions[2] to send the X-CSRFToken header with requests that may change data.

[1] http://django-rest-framework.org/_modules/authentication.html

[2] https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax


If the issue is the X-CSRF token header you can modify the Backbone.sync like this to send a token with each POST, PUT, DELETE request.

        /* alias away the sync method */
        Backbone._sync = Backbone.sync;

        /* define a new sync method */
        Backbone.sync = function(method, model, options) {

            /* only need a token for non-get requests */
            if (method == 'create' || method == 'update' || method == 'delete') {
                // CSRF token value is in an embedded meta tag 
                var csrfToken = $("meta[name='csrf_token']").attr('content');

                options.beforeSend = function(xhr){
                    xhr.setRequestHeader('X-CSRFToken', csrfToken);
                };
            }

            /* proxy the call to the old sync method */
            return Backbone._sync(method, model, options);
        };
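
The decision both answers rely on, written as an added example (not code from either answer): read the token from the CSRF cookie, attach it only to unsafe methods, and only to same-origin URLs so the token is never sent to another site. It assumes Django's default cookie name `csrftoken` and header name `X-CSRFToken`; the helper names and sample values are constructed for illustration.

```javascript
// Added example: pure helpers, so they run in a browser or in Node.
// Assumes Django's default CSRF cookie ("csrftoken") and header ("X-CSRFToken").
const CSRF_COOKIE_NAME = 'csrftoken';
const CSRF_HEADER_NAME = 'X-CSRFToken';

// Extract one cookie value from a document.cookie-style string.
function getCookie(cookieString, name) {
  for (const part of (cookieString || '').split(';')) {
    const trimmed = part.trim();
    const eq = trimmed.indexOf('=');
    // Exact name match, so "xcsrftoken" is never mistaken for "csrftoken".
    if (eq > 0 && trimmed.slice(0, eq) === name) {
      return decodeURIComponent(trimmed.slice(eq + 1));
    }
  }
  return null;
}

// Methods that Django's CSRF middleware does not check.
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(method);
}

// True only when the URL resolves to the page's own scheme, host and port.
function sameOrigin(url, pageOrigin) {
  try {
    return new URL(url, pageOrigin).origin === new URL(pageOrigin).origin;
  } catch (e) {
    return false; // unparseable URL: do not attach the token
  }
}

// Headers to add to a request; empty when no token is needed or it would leak.
function csrfHeadersFor(method, url, pageOrigin, cookieString) {
  if (csrfSafeMethod(method) || !sameOrigin(url, pageOrigin)) return {};
  const token = getCookie(cookieString, CSRF_COOKIE_NAME);
  return token ? { [CSRF_HEADER_NAME]: token } : {};
}

// Constructed sample values, not taken from the question.
const sampleCookies = 'sessionid=abc123; csrftoken=Zx9fakeTokenValue';
const sampleOrigin = 'https://app.example.test';
console.log(csrfHeadersFor('PUT', '/presentaciones/7', sampleOrigin, sampleCookies));
console.log(csrfHeadersFor('PUT', 'https://other.example.test/x', sampleOrigin, sampleCookies));
```

In the browser, pass `window.location.origin` and `document.cookie`, and set the returned headers inside `beforeSend`. If the project sets `CSRF_COOKIE_HTTPONLY`, the cookie is not readable from JavaScript and the token has to come from the page markup instead, as in the meta-tag approach above.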
