From: Thierry Parmentelat Date: Fri, 8 Mar 2013 13:09:09 +0000 (+0100) Subject: get ajax requests to make it to the frontend X-Git-Tag: myslice-django-0.1-1~51 X-Git-Url: http://git.onelab.eu/?p=unfold.git;a=commitdiff_plain;h=da15d556eee34089124b7e24c9c503a8a0cb39e0 get ajax requests to make it to the frontend by setting the CSRF token in ajax requests --- diff --git a/engine/manifoldproxy.py b/engine/manifoldproxy.py index 0eac7797..1d629c78 100644 --- a/engine/manifoldproxy.py +++ b/engine/manifoldproxy.py @@ -4,7 +4,9 @@ # as well as # static/js/manifold-async.js -from django.core import serializers +import json +# this is for django objects only +#from django.core import serializers from django.http import HttpResponse # xxx should probably cater for @@ -21,6 +23,15 @@ def api (request,format): return # xxx actually ask the backend here - hard_wired_answer = {'a':'some string','b':123} - return HttpResponse (serializers.serialize("json",hard_wired_answer), - mimetype="application/json") + hard_wired_answer = [ {'slice_hrn':'a.b.c'}, {'slice_hrn':'ple.inria.foo' } ] + answer=hard_wired_answer + return HttpResponse (json.dumps(answer), mimetype="application/json") + +#################### +# to enable : see CSRF_FAILURE_VIEW in settings.py +# probably we want to elaborate this one a little in real life +# at least we can display the reason in the django output (although this turns out disappointing) +failure_answer=[ "csrf_failure" ] +def csrf_failure(request, reason=""): + print "CSRF failure with reason '%s'"%reason + return HttpResponseForbidden (json.dump (failure_answer), mimetype="application/json") diff --git a/engine/static/js/manifold-async.js b/engine/static/js/manifold-async.js index ae35630e..ada865aa 100644 --- a/engine/static/js/manifold-async.js +++ b/engine/static/js/manifold-async.js 
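Review bot: In the added `csrf_failure` view, `json.dump (failure_answer)` is called without a file object — `json.dump` writes to a stream and has no return value, so this line raises a TypeError instead of producing the JSON body; it should read `return HttpResponseForbidden (json.dumps (failure_answer), mimetype="application/json")`. `HttpResponseForbidden` is also never imported: the first hunk of this file only keeps `from django.http import HttpResponse`, so the name is unresolved when the view runs; change that import to `from django.http import HttpResponse, HttpResponseForbidden`. Since this view is what the new `CSRF_FAILURE_VIEW` setting points to, either error would likely turn every CSRF-rejected request into a server error rather than the intended 403 with a JSON body. The `api` function that the second hunk edits starts outside the hunk.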
@@ -200,3 +200,29 @@ function __old__manifold_async_render_success(data, query) { } } } + +//http://stackoverflow.com/questions/5100539/django-csrf-check-failing-with-an-ajax-post-request +//make sure to expose csrf in our outcoming ajax/post requests +$.ajaxSetup({ + beforeSend: function(xhr, settings) { + function getCookie(name) { + var cookieValue = null; + if (document.cookie && document.cookie != '') { + var cookies = document.cookie.split(';'); + for (var i = 0; i < cookies.length; i++) { + var cookie = jQuery.trim(cookies[i]); + // Does this cookie string begin with the name we want? + if (cookie.substring(0, name.length + 1) == (name + '=')) { + cookieValue = decodeURIComponent(cookie.substring(name.length + 1)); + break; + } + } + } + return cookieValue; + } + if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) { + // Only send the token to relative URLs i.e. locally. + xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken')); + } + } +}); diff --git a/myslice/settings.py b/myslice/settings.py index 7fc65b81..8d61570d 100644 --- a/myslice/settings.py +++ b/myslice/settings.py @@ -186,7 +186,13 @@ LOGGING = { AUTHENTICATION_BACKENDS = ( 'auth.backend.MyCustomBackend', 'auth.manifoldbackend.ManifoldBackend', ) +### the view to redirect malformed (i.e. with a wrong CSRF) incoming requests +# without this setting django will return a 403 forbidden error, which is fine +# if you need to see the error message then use this setting +CSRF_FAILURE_VIEW = 'engine.manifoldproxy.csrf_failure' + #################### for insert_above #IA_JS_FORMAT = "
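Review bot: The URL test in `beforeSend` only exempts URLs that start with `http:` or `https:`, so a protocol-relative URL such as `//other-host/path` still receives the `X-CSRFToken` header and the token would be sent to a foreign origin. jQuery already decides whether a request is cross-origin, so the guard is both simpler and safer as `if (!settings.crossDomain) {`, which matches the approach in Django's own CSRF/AJAX documentation. Defining `getCookie` inside `beforeSend` recreates the helper on every request; hoisting it above `$.ajaxSetup` reads better and makes the handler a single `if`. The `$.ajaxSetup` call is complete within the hunk; the three closing-brace context lines belong to the preceding function.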