AJAX's empty POST dictionary conflicts with csrf middleware #1
Comments
Hi. Which version of Django are you using? Starting with Django 1.2.5 (release notes), it was changed how Django validates CSRF. Here is an excerpt from the release notes: Additionally, Django will now accept the CSRF token in the custom HTTP header X-CSRFTOKEN, So if you are using Django >= 1.2.5, it can validate csrf either by validating Hope this helps.
Hi, it's Django 1.3 I'm afraid. And your jQuery fix is included and running, and the token is being included in the headers. The trouble is that POST is failing to be parsed in the first place, I think. Could this be a bug with Django core? Traceback from the bug at http://dpaste.com/637781/.
Actually maybe the issue is not to do with the post being empty, but the Content Type: This is the dump of self at the point of the AttributeError (self.META['CONTENT_TYPE'] is None).
Very interesting. I am starting to think it's a bug in Django. Here is an excerpt from Django Docs (here): HttpRequest.method
So the request.method cannot be None because that is not a string.
I asked on StackOverflow regarding Judging from the response, it might have something to do with the client side. What is your system config? Maybe the problem is there somewhere (e.g. browser).
Using Firefox 7.0.1 on Ubuntu. I've posted details about the ajax call on Stack Overflow, if that helps.
Can you post the dump of the
request on deletion (which doesn't work): http://dpaste.com/641300/ - taken from django debug screen. I reckon it might be the fact that the content-type is not set.
I don't see any META values in the file upload dump here. Can you please add this line in your view:

```python
def Upload(request):
    print request
    # rest of view here
```

And then post the dump of the print statement in dpaste. Thank you.
Sorry about the delay. http://dpaste.com/hold/649324/
That's the dump for delete. Can you post the dump for upload? I want to see the value of
Ok, this is the dump of the request when I upload files: http://dpaste.com/hold/650551/ Note that the upload part does actually work, it's just the delete buttons.
I'm unable to get the delete buttons working with csrf middleware turned on.
Here's my analysis of the situation, I can't work out whether the bug might be seen to lie with Jquery fileupload, Django, or your implementation:
jquery.fileupload-ui.js uses the following code to post the data (l.88). The data variable passed to $.ajax() does not contain any POST data but just does it with a query string at the end of the URL. (http://api.jquery.com/jQuery.ajax/ - see the 'data' argument.)
This would work fine but for Django's csrf middleware here (django.middleware.csrf, l. 199):
That looks like it's going to work, but request.POST.get() chokes with the following exception, because the POST data couldn't be parsed. (On `django/http/__init__.py` in `_load_post_and_files` line 269).
Hope that makes sense.
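
A simplified model of the failure analysed in this issue, added here as an illustration; it is not code from Django, jQuery File Upload or this project. The function names, the sample META values and the toy parser are constructed, and the assumption that the parser calls a string method on CONTENT_TYPE is chosen to match the AttributeError reported in the thread (CONTENT_TYPE is None).

```python
import hmac

# Constructed sample: the AJAX delete request from the thread, with the token
# in the X-CSRFToken header, an empty body and CONTENT_TYPE present but None.
SAMPLE_META = {"REQUEST_METHOD": "POST", "CONTENT_TYPE": None,
               "HTTP_X_CSRFTOKEN": "abc123"}

def ctype_fragile(meta):
    # The "" default is only used when the key is missing, not when it is None.
    return meta.get("CONTENT_TYPE", "")

def ctype_safe(meta):
    # Treat a missing or None content type as an empty string.
    return meta.get("CONTENT_TYPE") or ""

def parse_post(meta, body, get_ctype):
    """Toy urlencoded parser (hypothetical, no percent-decoding)."""
    if get_ctype(meta).startswith("multipart"):  # AttributeError if None
        raise NotImplementedError("multipart bodies are not modelled")
    return dict(p.split("=", 1) for p in body.split("&") if "=" in p)

def supplied_token(meta, body, get_ctype):
    """Form field first, then the X-CSRFToken header (simplified lookup order)."""
    token = parse_post(meta, body, get_ctype).get("csrfmiddlewaretoken", "")
    return token or meta.get("HTTP_X_CSRFTOKEN", "")

def csrf_ok(meta, body, cookie_token, get_ctype=ctype_safe):
    """Fail closed: an absent or mismatching token is always rejected."""
    token = supplied_token(meta, body, get_ctype)
    return bool(token) and hmac.compare_digest(token, cookie_token)

def demo():
    try:
        csrf_ok(SAMPLE_META, "", "abc123", ctype_fragile)
        fragile = "accepted"
    except AttributeError:
        fragile = "crashed before the header was read"
    return fragile, csrf_ok(SAMPLE_META, "", "abc123")

if __name__ == "__main__":
    print(demo())
```

With the None-safe lookup the header token is still compared against the cookie value, so a request without a valid token is rejected rather than raising.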