About a Pyramid web framework error: CSRF token is missing or invalid

Time: 2013-07-23 08:56:17

Tags: pyramid csrf

1. Jinja2 template file:

<!DOCTYPE html>
<html>
<head>
    <title>image upload demo</title>
</head>
<body>
<form action="{{ imgup_url }}" method="post" accept-charset="utf-8"
      enctype="multipart/form-data">
    <!-- This hidden input has an id but no name attribute, so the browser
         does not include it in the POST body at all -->
    <input type=hidden id="token" value="{{ token }}">
    <label for="filename">File:</label>
    <input id="pictitle" name="pictitle" type="text" value="okkk" />
    <input id="upfile" name="upfile" type="file" value="" />

    <input id="button" type="submit" value="upload" />
</form>
</body>
</html>

2. views.py file

from pyramid.response import Response
from pyramid.view import view_config
from pyramid_simpleform import Form  # assumed: the Form helper the shootout demo uses

# ImgUpSchema and __myuploadfile are defined elsewhere in the project (not shown).


@view_config(permission='post', route_name='imgup',
             renderer='shootout:jinja2/imgup.jinja2',
             check_csrf=False)
def ueditor_ImgUp(request):
    """ upload image """
    form = Form(request, schema=ImgUpSchema)
    # Runs on every request, including the POST: the session token is replaced
    # before the comparison below, so the submitted token can never match it.
    token1 = request.session.new_csrf_token()
    # Both 'form.submitted' and 'csrf_token' must arrive as named fields in the
    # POST body; the template above emits neither.
    if 'form.submitted' in request.params:
        token2 = request.session.get_csrf_token()
        if token2 != request.POST['csrf_token']:
            raise ValueError('CSRF token did not match')
        print "imgup is login begin!!!"
        source_pictitle = request.POST.get('pictitle')
        upfile = request.POST['upfile']          # WebOb FieldStorage
        source_filename = upfile.filename

        response = Response()
        # upfile.file is the uploaded file object (the original used an undefined fileObj)
        myresponse = __myuploadfile(upfile.file, source_pictitle, source_filename, 'pic')
        response.write(myresponse)
        print "imgup is success!!!"
        return response
    else:
        return {'imgup_url':'/imgup','token':token1}

3. __init__.py file:

    engine = engine_from_config(settings, 'sqlalchemy.')
    DBSession.configure(bind=engine)

    session_factory = UnencryptedCookieSessionFactoryConfig(
        settings['session.secret']
        )

    authn_policy = SessionAuthenticationPolicy()
    authz_policy = ACLAuthorizationPolicy()

    config = Configurator(
        settings=settings,
        root_factory=RootFactory,
        authentication_policy=authn_policy,
        authorization_policy=authz_policy,
        session_factory=session_factory
        )

    config.add_static_view('static', 'shootout:static')
    config.add_static_view('html', 'shootout:html')
    config.include(addroutes)
    config.add_route('imgup','/imgup')

When I click the upload button it shows: 403 Forbidden. Access was denied to this resource. CSRF token is missing or invalid

How do I solve this problem? Thanks.

1 answer:

Answer 0 (score: 1)

A Pyramid HTML POST needs a csrf_token, so I did this:

View:

csrf_token = request.session.get_csrf_token()
return {'csrf_token':csrf_token}

Template (Jinja2):

<!-- the name attribute is what the browser submits; Pyramid looks for a
     parameter called csrf_token by default -->
<input id="_csrf" name="csrf_token" type="hidden" value="{{ csrf_token }}"/>

Success~
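The two failure modes visible in the question, shown as an added example that is not code from the original post or from Pyramid. It runs without Pyramid: `FakeSession` is a stand-in for the session's `new_csrf_token()` / `get_csrf_token()` pair, `render_form` produces a constructed form body in the shape of the question's template, and `submitted_fields` lists only the `<input>` fields a browser would actually send. The helper names and the constructed HTML are assumptions made for the demonstration:

```python
"""Synchronizer-token CSRF check, illustrated without Pyramid (added example)."""
import hmac
import secrets
from html.parser import HTMLParser


class FakeSession(dict):
    """Stand-in for the session CSRF helpers the question calls (names assumed to match)."""

    def new_csrf_token(self):
        token = secrets.token_hex(20)
        self["_csrft_"] = token
        return token

    def get_csrf_token(self):
        if "_csrft_" not in self:
            return self.new_csrf_token()
        return self["_csrft_"]


class FormFields(HTMLParser):
    """Collect the name/value pairs a browser submits for <input> tags."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        # An <input> without a name attribute is never part of the submission,
        # whatever its id or value says. File inputs carry bytes, not a value.
        if a.get("name") and a.get("type", "text") != "file":
            self.fields[a["name"]] = a.get("value", "")


def submitted_fields(html):
    parser = FormFields()
    parser.feed(html)
    return parser.fields


def check_csrf(session, post):
    """True when the submitted csrf_token equals the token stored in the session."""
    expected = session.get_csrf_token()
    supplied = post.get("csrf_token")
    if supplied is None:
        return False
    # Constant-time compare; a plain != leaks how long the matching prefix is.
    return hmac.compare_digest(expected, supplied)


def render_form(token, with_name):
    """Constructed form body modelled on the question's template."""
    name_attr = ' name="csrf_token"' if with_name else ""
    return ('<form method="post"><input type="hidden" id="token"%s value="%s">'
            '<input name="pictitle" value="okkk"></form>' % (name_attr, token))


def demo():
    results = {}
    session = FakeSession()
    token = session.new_csrf_token()

    # 1. Hidden input with an id but no name: the POST has no csrf_token field.
    post = submitted_fields(render_form(token, with_name=False))
    results["no_name"] = check_csrf(session, post)

    # 2. Same input with name="csrf_token": the check passes.
    post = submitted_fields(render_form(token, with_name=True))
    results["named"] = check_csrf(session, post)

    # 3. Calling new_csrf_token() on the POST before comparing replaces the
    #    session token, so even the correctly named field now fails.
    session.new_csrf_token()
    results["regenerated_first"] = check_csrf(session, post)
    return results


if __name__ == "__main__":
    print(demo())
```

The same three cases map onto the question's code: the template's hidden input lacks a name, and the view calls `new_csrf_token()` on every request before it compares. Generate the token when rendering the form, submit it under the name the framework checks, and compare it with a constant-time function.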