WebFaction

Hi,

I am trying to connect django-paypal with another app, but am having problems when submitting the form. The CSRF Verification fails and 403 forbidden is the result.

I believe that I have properly implemented the Django CSRF Protection Mechanisms, but am not sure if I have missed something there or if there is an error on the paypal end…

I have a `{% csrf_token %}` in the form in question.

I also have implemented the `MIDDLEWARE_CLASSES` and am using `from django.core.context_processors import csrf` in my view.

Thank you!

From my views:

```python
from django.core.context_processors import csrf
from django.shortcuts import render_to_response, get_object_or_404
# ......... (further imports were elided in the post; the ones below are what the
# views use, with the app-local module paths assumed)
from django.conf import settings as django_settings
from django.contrib.auth.decorators import login_required
from django.contrib.sites.models import Site
from django.core.mail import send_mail
from django.core.urlresolvers import reverse
from django.http import HttpResponseRedirect
from django.template import Context, RequestContext, loader
from django.utils.translation import ugettext as _
from paypal.standard.forms import PayPalPaymentsForm
from classifieds import settings, views  # app-local settings (FROM_EMAIL) and views package
from classifieds.forms import CheckoutForm
from classifieds.models import Category, Payment, Pricing, PricingOptions

def first_post(request):
  # logged-in users go straight to category selection, everyone else sees the landing page
  if request.user.is_authenticated() and request.user.is_active:
    return HttpResponseRedirect(reverse('classifieds.views.create.select_category'))
  else:
    return render_to_response('classifieds/index.html', {'prices': Pricing.objects.all()}, context_instance=RequestContext(request))

@login_required
def view_bought(request, adId):
  request.user.message_set.create(message=_('Your ad has been successfully posted. Thank You for Your Order!'))
  return views.browse.view(request, adId)

@login_required
def select_category(request):
  # list categories available and send the user to the create_in_category view
  return render_to_response('classifieds/category_choice.html', {'categories': Category.objects.all(), 'type': 'create'}, context_instance=RequestContext(request))

def checkout(request, adId):  # name assumed: the header of this view was cut off in the post
  # The cut-off head loads the ad and, on a valid POST of CheckoutForm, computes
  # pricing, pricing_options and total, which the code below relies on. The branch
  # header is reconstructed to match the trailing else: below.
  ...
  if request.method == 'POST' and form.is_valid():
    # create Payment object
    payment = Payment.objects.create(ad=ad, pricing=pricing)
    for option in pricing_options:
      payment.options.add(option)

    payment.save()

    # send email when done
    # 1. render context to email template
    email_template = loader.get_template('classifieds/email/posting.txt')
    context = Context({'ad': ad})
    email_contents = email_template.render(context)

    # 2. send email
    send_mail(_('Your ad will be posted shortly.'),
              email_contents,
              settings.FROM_EMAIL,
              [ad.user.email],
              fail_silently=False)

    # 3. build the PayPal button form (rendered HTML); the sandbox endpoint is used in DEBUG
    item_name = _('Your ad on ') + Site.objects.get_current().name
    paypal_values = {'amount': total,
                     'item_name': item_name,
                     'item_number': payment.pk,
                     'quantity': 1}
    if django_settings.DEBUG:
      paypal_form = PayPalPaymentsForm(initial=paypal_values).sandbox()
    else:
      paypal_form = PayPalPaymentsForm(initial=paypal_values).render()

    return render_to_response('classifieds/paypal.html', {'form': paypal_form}, context_instance=RequestContext(request))
  else:
    form = CheckoutForm()

  return render_to_response('classifieds/checkout.html', {'ad': ad, 'form': form}, context_instance=RequestContext(request))

def pricing(request):
  return render_to_response('classifieds/pricing.js', {'prices': Pricing.objects.all(), 'options': PricingOptions.objects.all()}, context_instance=RequestContext(request))
```

asked 09 May '12, 14:39

Nick_B

edited 13 May '12, 19:51


We would also need to see the View code that made the form to be able to troubleshoot. You may post it here, or if you would like to keep it private send us a support ticket.


answered 09 May '12, 17:21

johns ♦♦

Looking at the source being rendered by the browser, the CSRF token is indeed missing on the '/checkout/7' and the '/create/preview/7/#' URIs; it is present on the '/create/edit/7/' URI:

```html
<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='DokXCAqGZ7YlWgaWwlEAfxM7aWzHk58Q' /></div>
```

Why it is missing is difficult to determine. Some things to check next would be:

  1. Verify the token is in the template 'classifieds/checkout.html'. It is always good to double-check each template that does POSTs.

     ```html
     <form action="." method="post">{% csrf_token %}
     ```

  2. Install Django Debug Toolbar to verify the csrf_token is getting passed to those forms.

  3. Use the CSRF exempt rules outlined in the official Django docs on the view to disable Django's checking.

(10 May '12, 02:55) johns ♦♦
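The first check above (every POSTing template must carry the token) can be done over the rendered HTML of each page instead of by eye. The following is an added example, not code from the post or from django-paypal: it lists same-site POST forms that lack the `csrfmiddlewaretoken` input and skips forms posting to another host, such as the PayPal button form, where Django's token is not expected. The two page strings and the `paypal.example` host are constructed stand-ins.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

CSRF_FIELD = "csrfmiddlewaretoken"

class _FormScanner(HTMLParser):
    """Collect each <form>: its method, action and whether it carries the token."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {"method": (a.get("method") or "get").lower(),
                             "action": a.get("action") or ".",
                             "has_token": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("name") == CSRF_FIELD and a.get("value"):
                self._current["has_token"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def unprotected_post_forms(html, site_host):
    """Return the actions of same-site POST forms with no csrfmiddlewaretoken.
    Forms posting to another host (the PayPal button form) are skipped, since
    Django only verifies the token on POSTs that reach its own views."""
    scanner = _FormScanner()
    scanner.feed(html)
    missing = []
    for f in scanner.forms:
        host = urlparse(f["action"]).netloc  # '' for relative actions such as "."
        same_site = not host or host == site_host
        if f["method"] == "post" and same_site and not f["has_token"]:
            missing.append(f["action"])
    return missing

# Constructed stand-ins for the rendered checkout page (token missing, plus the
# external PayPal form) and the edit page (token present).
CHECKOUT_PAGE = ('<form action="." method="post"><input type="submit"></form>'
                 '<form action="https://paypal.example/webscr" method="post">'
                 '<input type="hidden" name="item_name" value="Your ad"></form>')
EDIT_PAGE = ('<form action="." method="post"><div style="display:none">'
             "<input type='hidden' name='csrfmiddlewaretoken' value='DokXCAqGZ7YlWgaWwlEAfxM7aWzHk58Q' />"
             "</div></form>")
```

Feeding each rendered page through `unprotected_post_forms(page, "<your host>")` reports exactly which forms would draw a 403 from the CSRF middleware.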

Our servers are not at the same location as our workstations, so I still can't see the Debug Toolbar. If the variable is being passed into the template context, then it is odd that it is not being generated. I would like to see the application as a whole to further troubleshoot. Please submit a support ticket so we can see the application in its entirety.

(11 May '12, 17:04) johns ♦♦

Adding `@csrf_exempt` to the views in question solved the problem. Thanks for the support.


answered 13 May '12, 17:34

Nick_B
