5

I'm trying to use Django-Angular to make a AJAX call to a view in Django. I'm following this guide here.

However, when I make a POST I'm getting the message: CSRF verification failed. Request aborted. It seems like the action as described in the docs process_something isn't being called as I shouldn't need the token.

Can anyone spot the issue, below is what I have tried so far...

Here is the relevant js controller script:

   var in_data = {action: 'process_something', somevar: $scope.somevar};
   var post_call = CbgenRestangularDjango.all('pin-verification/').post(in_data)

and the form:

<form ng-controller="PinValidationFormCtrl"  name="CompanyValidPinForm" class="bs-callout">
        <div class="col-xs-2">
            <input class="form-control" name="somevar" ng-model="somevar" type="text">
        </div>

        <div class="col-xs-2">
            <button type="button" class="btn btn-default" ng-click="submitPin()">Verify Pin</button>
        </div>
</form>

and the view: 

class VerificationView(JSONResponseMixin, View):
    # other view methods

    @allowed_action
    def process_something(self, in_data):
        # process input data
        out_data = {
            'foo': 'bar',
            'success': True,
        }
        return out_data
Improve this question
5
  • 2
    @Stewie I think the question is clear, and you can see what I have already tried. I'm unsure why you posted your comment, please elaborate. Thanks. Commented Dec 29, 2013 at 18:46
  • Have you setup angular app as specified here? Commented Dec 29, 2013 at 19:12
  • yep @mariodev I have :). I have Django-Angular working for normal GET requests, but for some reason it's not calling process_something function in the view on POSTs being made, and I think this is why I have the message about CSRF as [@]allowed_action is not being run. Commented Dec 29, 2013 at 21:32
  • Does the POST request work when you decorate process_something method with @csrf_exempt? (If decorating class-based view's method with csrf_exempt doesn't work, try this) Commented Jan 2, 2014 at 16:16
  • a (firebug) screenshot of the attempted post request would also be helpful. Commented Jan 6, 2014 at 16:56

4 Answers 4

Reset to default
5
+50

The post() method accepts a config parameter to pass the X_CSRFTOKEN header:

var config = { headers : { 'X_CSRFTOKEN' : $cookies.csrf_token }};
var in_data = {action: 'process_something', somevar: $scope.somevar};
var post_call = 
CbgenRestangularDjango.all('pin-verification/').post(in_data, config);

In your view's template the form must include the token as follows:

<form ...>
    {% csrf_token %}
    ...
</form>

Note $cookies depends on ngCookies (see http://docs.angularjs.org/api/ngCookies.$cookies)

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

4

You must pass the csrf token when sending a HTTP POST request.

Include {% csrf_token %} in your form or add a custom header X-CSRFToken. This should work.

Improve this answer

Comments

3

Its most likely you are missing a header in your angular's app module config.

Try setting the following 

.config(function($httpProvider) {
  $httpProvider.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest';
});

Django applications do not require this header, but if it is missing, all invocations to: request.is_ajax() would return False, even for perfectly valid Ajax requests

Found here: http://django-angular.readthedocs.org/en/latest/integration.html Also there was an api change at angular version >= 1.1.x (this header default was dropped since that version). Perhaps Django did not catch up with their documentation in every part.

Maybe you just need to clear your browser cache as you might have an outdated cookie sending an invalid token letting the request mapping fail.

Improve this answer

1 Comment

Did you try this? I deleted this answer for some days but I am still curious if this can be the problem so I reactivated it.
2

you can also try/use the @csrf_exempt decorator

--> https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#django.views.decorators.csrf.csrf_exempt

and here's the Django documentation of how to apply it to class based views =)

https://docs.djangoproject.com/en/dev/topics/class-based-views/intro/#decorating-class-based-views

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.