Re: CSRF with AJAX problem

2011-09-30 Thread Yaşar Arabacı
To create the csrf cookie without using the csrf tag, your view needs to be
decorated with django.views.decorators.csrf.ensure_csrf_cookie. Also check:
https://code.djangoproject.com/ticket/16936

2011/9/30 Kenneth Love 

> You're using AJAX and forms incorrectly, then. Any form that has a
> solid effect on your database (creating, replacing, or deleting data)
> should be POSTed and should have a CSRF token.
>
> Look into pydanny's django-uni-form project
> (http://readthedocs.org/docs/dango-uni-form/en/latest/) for creating
> your forms. It'll create the CSRF token for you if you set the form
> method to POST (again, as it should be). Then, in your AJAX function
> that submits the form, submit the key & value of the CSRF token field
> to the endpoint. Now you have AJAX forms that are still safe and sane.
>
> On Sep 29, 5:15 pm, galgal  wrote:
> > Yes, but that JavaScript code is useless until {% csrf_token %} or
> > get_token is used. I don't use POST forms - only AJAX forms so I don't
> > have that cookie made after page load.


-- 
http://yasar.serveblog.net/

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en.



Re: CSRF with AJAX problem

2011-09-30 Thread Kenneth Love
You're using AJAX and forms incorrectly, then. Any form that has a
solid effect on your database (creating, replacing, or deleting data)
should be POSTed and should have a CSRF token.

Look into pydanny's django-uni-form project
(http://readthedocs.org/docs/dango-uni-form/en/latest/) for creating
your forms. It'll create the CSRF token for you if you set the form
method to POST (again, as it should be). Then, in your AJAX function
that submits the form, submit the key & value of the CSRF token field
to the endpoint. Now you have AJAX forms that are still safe and sane.

On Sep 29, 5:15 pm, galgal  wrote:
> Yes, but that JavaScript code is useless until {% csrf_token %} or get_token
> is used. I don't use POST forms - only AJAX forms so I don't have that
> cookie made after page load.




Re: CSRF with AJAX problem

2011-09-29 Thread galgal
Yes I have. It returns null if no cookie.




Re: CSRF with AJAX problem

2011-09-29 Thread Javier Guerra Giraldez
On Thu, Sep 29, 2011 at 7:15 PM, galgal  wrote:
> Yes, but that JavaScript code is useless until {% csrf_token %} or get_token
> is used. I don't use POST forms - only AJAX forms so I don't have that
> cookie made after page load.

have you read it?

-- 
Javier




Re: CSRF with AJAX problem

2011-09-29 Thread galgal
Yes, but that JavaScript code is useless until {% csrf_token %} or get_token 
is used. I don't use POST forms - only AJAX forms so I don't have that 
cookie made after page load.




Re: CSRF with AJAX problem

2011-09-29 Thread Javier Guerra Giraldez
On Thu, Sep 29, 2011 at 6:23 PM, galgal  wrote:
> How can I make that cookie without using csrf tag?

right there in the code sample you quoted:

xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));

where getCookie() is defined as:

    function getCookie(name) {
        var cookieValue = null;
        if (document.cookie && document.cookie != '') {
            var cookies = document.cookie.split(';');
            for (var i = 0; i < cookies.length; i++) {
                var cookie = jQuery.trim(cookies[i]);
                // Does this cookie string begin with the name we want?
                if (cookie.substring(0, name.length + 1) == (name + '=')) {
                    cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
                    break;
                }
            }
        }
        return cookieValue;
    }


-- 
Javier
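
Added example (not part of the original thread and not Django's own code): a jQuery-free version of the cookie lookup above that also covers the case raised in this thread, where no csrftoken cookie exists yet, and only attaches X-CSRFToken to same-origin requests using methods Django actually checks. The function names, the page origin and the sample cookie string are assumptions made for illustration.

```javascript
// Constructed sample of what document.cookie might contain (not real data).
const SAMPLE_COOKIES = 'sessionid=abc123; csrftoken=tok%3D1; theme=dark';

// Return the value of one cookie from a "a=1; b=2" string, or null if absent.
function getCookie(cookieString, name) {
  for (const part of (cookieString || '').split(';')) {
    const cookie = part.trim();
    if (cookie.startsWith(name + '=')) {
      return decodeURIComponent(cookie.substring(name.length + 1));
    }
  }
  return null;
}

// Django's CSRF middleware does not check these methods.
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(method);
}

// True when url (absolute or relative) resolves to the page's own origin.
function sameOrigin(url, pageOrigin) {
  return new URL(url, pageOrigin).origin === new URL(pageOrigin).origin;
}

// Decide which extra headers an AJAX request should carry.
function csrfHeaders(method, url, pageOrigin, cookieString) {
  if (csrfSafeMethod(method)) return {};        // no CSRF check on safe methods
  if (!sameOrigin(url, pageOrigin)) return {};  // never send the token to another origin
  const token = getCookie(cookieString, 'csrftoken');
  if (token === null) {
    // The situation in this thread: no view has set the cookie yet.
    // Fail here instead of sending the literal header value "null".
    throw new Error('csrftoken cookie missing: load a view decorated ' +
                    'with ensure_csrf_cookie first');
  }
  return { 'X-CSRFToken': token };
}
```

In a browser, pass document.cookie and window.location.origin as the last two arguments and copy the returned headers onto the request with xhr.setRequestHeader().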




CSRF with AJAX problem

2011-09-29 Thread galgal
I have a problem/bug found? in AJAX with CSRF. I don't use {% csrf_token %} 
at all. I use only AJAX forms so - there is no cookie set for csrf. In that 
case - https://docs.djangoproject.com/en/1.3/ref/contrib/csrf/#ajax is 
useless :(
I can use get_token to generate it, but I have to put it in all my sites so 
it has no sense. 

How can I make that cookie without using csrf tag?
