Django休息框架 - PUT请求的认证错误

时间:2012-09-08 19:37:46

标签: django backbone.js django-rest-framework

对于我的模型'Presentacion'

,我有一个非常简单的资源
class PresentacionResource(ModelResource):
    model = Presentacion
    fields = (some fields)
    ignore_fields = (few to ignore)

我需要为此实现身份验证,所以当我读到时,我创建了两个包装器

class AuthListOrCreateModelView(ListOrCreateModelView):
    permissions = (IsAuthenticated, )
class AuthInstanceModelView(InstanceModelView):
    permissions = (IsAuthenticated, )

然后在我的urls.py

url(r'^presentaciones/$', AuthListOrCreateModelView.as_view(resource=PresentacionResource), name='presentacion-root'),
url(r'^presentaciones/(?P<id>[0-9]+)$', AuthInstanceModelView.as_view(resource=PresentacionResource), name='presentacion'),

这对于GET'sentaciones /'请求工作正常但是当我尝试发出PUT请求时,我得到了403 FORBIDDEN

对我来说奇怪的是,GET工作正常:只要我已经记录,它就会正确响应,但如果我注销它就会响应403 FORBIDDEN。

3 个答案:

答案 0 :(得分:9)

如果问题是X-CSRF令牌头,您可以像这样修改Backbone.sync,以便为每个POST,PUT,DELETE请求发送令牌。

        /* alias away the sync method */
        Backbone._sync = Backbone.sync;

        /* define a new sync method */
        Backbone.sync = function(method, model, options) {

            /* only need a token for non-get requests */
            if (method == 'create' || method == 'update' || method == 'delete') {
                // CSRF token value is in an embedded meta tag 
                var csrfToken = $("meta[name='csrf_token']").attr('content');

                options.beforeSend = function(xhr){
                    xhr.setRequestHeader('X-CSRFToken', csrfToken);
                };
            }

            /* proxy the call to the old sync method */
            return Backbone._sync(method, model, options);
        };

答案 1 :(得分:3)

如果您正在使用Django基于会话的身份验证,那么您可能会绊倒Django内置的CSRF保护(请参阅UserLoggedInAuthentication类[1])。

如果是这种情况,您需要确保将CSRF cookie发送到客户端,然后您可以调整jQuery指令[2]以向可能更改数据的请求发送X-CSRFToken标头。

[1] http://django-rest-framework.org/_modules/authentication.html

[2] https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax

答案 2 :(得分:2)

我意识到这是一篇较老的帖子,但我最近正在处理这个问题。扩展@ orangewarp的答案并使用django文档(https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax),这是一个解决方案:

此解决方案使用csrftoken cookie。另一个解决方案是在API中创建一个csrf令牌端点并从那里获取csrf。

  Backbone._sync = Backbone.sync;

  Backbone.sync = function(method, model, options) {
      //from django docs
      function getCookie(name) {
          var cookieValue = null;
          if (document.cookie && document.cookie != '') {
              var cookies = document.cookie.split(';');
              for (var i = 0; i < cookies.length; i++) {
                  var cookie = jQuery.trim(cookies[i]);
                  // Does this cookie string begin with the name we want?
                  if (cookie.substring(0, name.length + 1) == (name + '=')) {
                      cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
                      break;
                  }
              }
          }
          return cookieValue;
      }

      /* only need a token for non-get requests */
      if (method == 'create' || method == 'update' || method == 'delete') {
          var csrfToken = getCookie('csrftoken');

          options.beforeSend = function(xhr){
              xhr.setRequestHeader('X-CSRFToken', csrfToken);
          };
      }

      return Backbone._sync(method, model, options);
  };