对于我的模型'Presentacion'
,我有一个非常简单的资源class PresentacionResource(ModelResource):
model = Presentacion
fields = (some fields)
ignore_fields = (few to ignore)
我需要为此实现身份验证,所以当我读到时,我创建了两个包装器
class AuthListOrCreateModelView(ListOrCreateModelView):
permissions = (IsAuthenticated, )
class AuthInstanceModelView(InstanceModelView):
permissions = (IsAuthenticated, )
然后在我的urls.py
中url(r'^presentaciones/$', AuthListOrCreateModelView.as_view(resource=PresentacionResource), name='presentacion-root'),
url(r'^presentaciones/(?P<id>[0-9]+)$', AuthInstanceModelView.as_view(resource=PresentacionResource), name='presentacion'),
这对于GET'sentaciones /'请求工作正常但是当我尝试发出PUT请求时,我得到了403 FORBIDDEN
对我来说奇怪的是,GET工作正常:只要我已经记录,它就会正确响应,但如果我注销它就会响应403 FORBIDDEN。
答案 0 :(得分:9)
如果问题是X-CSRF令牌头,您可以像这样修改Backbone.sync,以便为每个POST,PUT,DELETE请求发送令牌。
/* alias away the sync method */
Backbone._sync = Backbone.sync;
/* define a new sync method */
Backbone.sync = function(method, model, options) {
/* only need a token for non-get requests */
if (method == 'create' || method == 'update' || method == 'delete') {
// CSRF token value is in an embedded meta tag
var csrfToken = $("meta[name='csrf_token']").attr('content');
options.beforeSend = function(xhr){
xhr.setRequestHeader('X-CSRFToken', csrfToken);
};
}
/* proxy the call to the old sync method */
return Backbone._sync(method, model, options);
};
答案 1 :(得分:3)
如果您正在使用Django基于会话的身份验证,那么您可能会绊倒Django内置的CSRF保护(请参阅UserLoggedInAuthentication类[1])。
如果是这种情况,您需要确保将CSRF cookie发送到客户端,然后您可以调整jQuery指令[2]以向可能更改数据的请求发送X-CSRFToken标头。
[1] http://django-rest-framework.org/_modules/authentication.html
[2] https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax
答案 2 :(得分:2)
我意识到这是一篇较老的帖子,但我最近正在处理这个问题。扩展@ orangewarp的答案并使用django文档(https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax),这是一个解决方案:
此解决方案使用csrftoken cookie。另一个解决方案是在API中创建一个csrf令牌端点并从那里获取csrf。
Backbone._sync = Backbone.sync;
Backbone.sync = function(method, model, options) {
//from django docs
function getCookie(name) {
var cookieValue = null;
if (document.cookie && document.cookie != '') {
var cookies = document.cookie.split(';');
for (var i = 0; i < cookies.length; i++) {
var cookie = jQuery.trim(cookies[i]);
// Does this cookie string begin with the name we want?
if (cookie.substring(0, name.length + 1) == (name + '=')) {
cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
break;
}
}
}
return cookieValue;
}
/* only need a token for non-get requests */
if (method == 'create' || method == 'update' || method == 'delete') {
var csrfToken = getCookie('csrftoken');
options.beforeSend = function(xhr){
xhr.setRequestHeader('X-CSRFToken', csrfToken);
};
}
return Backbone._sync(method, model, options);
};