Django Rest - Create and Action method returns error 403 forbidden
Question
I built a simple Django/React app that allows users to post short texts that can be liked and unliked. In the console I get, POST http://localhost:8000/api/posts/create/ 403 (Forbidden) and POST http://localhost:8000/api/posts/create/ 403 (Forbidden).
The REST Framework Renderer gives me,
GET /api/posts/create/ HTTP 405 Method Not Allowed Allow: POST, OPTIONS Content-Type: application/json Vary: Accept { "detail": "Method \\"GET\\" not allowed." }
and,
GET /api/posts/action/ HTTP 405 Method Not Allowed Allow: OPTIONS, POST Content-Type: application/json Vary: Accept { "detail": "Method \\"GET\\" not allowed." }
The console gives me, xhr.send(jsonData) in the components as error. At first I thought it was a simple authentication error but I tried signing in to admin on different browsers to no success.
What am I missing here?
Any assistance is greatly appreciated.
webapp/webapp-web/src/lookup/components.js
function getCookie(name) {
var cookieValue = null;
if (document.cookie && document.cookie !== '') {
var cookies = document.cookie.split(';');
for (var i = 0; i < cookies.length; i++) {
var cookie = cookies[i].trim();
// Does this cookie string begin with the name we want?
if (cookie.substring(0, name.length + 1) === (name + '=')) {
cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
break;
}
}
}
return cookieValue;
}
export function backendLookup(method, endpoint, callback, data) {
let jsonData;
if (data){
jsonData = JSON.stringify(data)
}
const xhr = new XMLHttpRequest()
const url = `http://localhost:8000/api${endpoint}`
xhr.responseType = "json"
const csrftoken = getCookie('csrftoken');
xhr.open(method, url)
xhr.setRequestHeader("Content-Type", "application/json")
if (csrftoken){
xhr.setRequestHeader("HTTP_X_REQUESTED_WITH", "XMLHttpRequest")
xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest")
xhr.setRequestHeader("X-CSRFToken", csrftoken)
}
xhr.onload = function() {
callback(xhr.response, xhr.status)
}
xhr.onerror = function (e) {
callback({"message": "The request was an error"}, 400)
}
xhr.send(jsonData)
}
api/urls.py
from django.urls import path
from .views import (
post_action_view,
post_delete_view,
post_detail_view,
post_list_view,
post_create_view,
)
'''
CLIENT
Base ENDPOINT /api/tweets/
'''
urlpatterns = [
path('', post_list_view),
path('action/', post_action_view),
path('create/', post_create_view),
path('<int:post_id>/', post_detail_view),
path('<int:post_id>/delete/', post_delete_view),
]
webapp/urls.py
"""tweetme2 URL Configuration
The `urlpatterns` list routes URLs to views. For more information please see:
https://docs.djangoproject.com/en/2.2/topics/http/urls/
Examples:
Function views
1. Add an import: from my_app import views
2. Add a URL to urlpatterns: path('', views.home, name='home')
Class-based views
1. Add an import: from other_app.views import Home
2. Add a URL to urlpatterns: path('', Home.as_view(), name='home')
Including another URLconf
1. Import the include() function: from django.urls import include, path
2. Add a URL to urlpatterns: path('blog/', include('blog.urls'))
"""
from django.conf import settings
from django.conf.urls.static import static
from django.contrib import admin
from django.urls import path, re_path, include # url()
from django.views.generic import TemplateView
from app.views import (
posts_list_view,
posts_detail_view,
posts_profile_view,
)
urlpatterns = [
path('admin/', admin.site.urls),
path('', posts_list_view),
path('<int:tweet_id>', posts_detail_view),
path('profile/<str:username>', posts_profile_view),
path('api/posts/', include('app.api.urls'))
]
if settings.DEBUG:
urlpatterns += static(settings.STATIC_URL,
document_root=settings.STATIC_ROOT)
api/views.py
import random
from django.conf import settings
from django.http import HttpResponse, Http404, JsonResponse
from django.shortcuts import render, redirect
from django.utils.http import is_safe_url
from rest_framework.authentication import SessionAuthentication
from rest_framework.decorators import api_view, authentication_classes, permission_classes
from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response
from ..forms import PostForm
from ..models import Post
from ..serializers import (
PostSerializer,
PostActionSerializer,
PostCreateSerializer
)
ALLOWED_HOSTS = settings.ALLOWED_HOSTS
@api_view(['POST'])
# @authentication_classes([SessionAuthentication])
@permission_classes([IsAuthenticated])
def post_create_view(request, *args, **kwargs):
serializer = PostCreateSerializer(data=request.data)
if serializer.is_valid(raise_exception=True):
serializer.save(user=request.user)
return Response(serializer.data, status=201)
return Response({}, status=400)
@api_view(['GET'])
def post_detail_view(request, post_id, *args, **kwargs):
qs = Post.objects.filter(id=post_id)
if not qs.exists():
return Response({}, status=404)
obj = qs.first()
serializer = PostSerializer(obj)
return Response(serializer.data, status=200)
@api_view(['DELETE', 'POST'])
@permission_classes([IsAuthenticated])
def post_delete_view(request, post_id, *args, **kwargs):
qs = Post.objects.filter(id=post_id)
if not qs.exists():
return Response({}, status=404)
qs = qs.filter(user=request.user)
if not qs.exists():
return Response({"message": "You cannot delete this Post"}, status=401)
obj = qs.first()
obj.delete()
return Response({"message": "Post deleted"}, status=200)
@api_view(['POST'])
@permission_classes([IsAuthenticated])
def post_action_view(request, *args, **kwargs):
serializer = PostActionSerializer(data=request.data)
if serializer.is_valid(raise_exception=True):
data = serializer.validated_data
post_id = data.get("id")
action = data.get("action")
qs = Post.objects.filter(id=post_id)
if not qs.exists():
return Response({}, status=404)
obj = qs.first()
if action == "like":
obj.likes.add(request.user)
serializer = PostSerializer(obj)
return Response(serializer.data, status=200)
elif action == "unlike":
obj.likes.remove(request.user)
serializer = PostSerializer(obj)
return Response(serializer.data, status=201)
return Response({}, status=200)
@api_view(['GET'])
def post_list_view(request, *args, **kwargs):
qs = Post.objects.all()
username = request.GET.get("username")
if username != None:
qs = qs.filter(user__username__iexact=username)
serializer = PostSerializer(qs, many=True)
return Response(serializer.data, status=200)
webapp/views.py
import random
from django.conf import settings
from django.http import HttpResponse, Http404, JsonResponse
from django.shortcuts import render, redirect
from django.utils.http import is_safe_url
ALLOWED_HOSTS = settings.ALLOWED_HOSTS
# Create your views here.
def home_view(request, *args, **kwargs):
username = None
if request.user.is_authenticated:
username = request.user.username
return render(request, "pages/home.html", context={"username": username}, status=200)
def posts_list_view(request, *args, **kwargs):
return render(request, "pictures/list.html")
def posts_detail_view(request, post_id, *args, **kwargs):
return render(request, "pictures/detail.html", context={"post_id": post_id})
def posts_profile_view(request, username, *args, **kwargs):
return render(request, "pictures/profile.html", context={"profile_username": username})
webapp/serializers.py
from django.conf import settings
from rest_framework import serializers
from .models import Post
MAX_TWEET_LENGTH = settings.MAX_TWEET_LENGTH
POST_ACTION_OPTIONS = settings.POST_ACTION_OPTIONS
class PostActionSerializer(serializers.Serializer):
id = serializers.IntegerField()
action = serializers.CharField()
def validate_action(self, value):
value = value.lower().strip()
if not value in POST_ACTION_OPTIONS:
raise serializers.ValidationError("This is not a valid action")
return value
class PostCreateSerializer(serializers.ModelSerializer):
likes = serializers.SerializerMethodField(read_only=True)
class Meta:
model = Post
fields = ["id", "content", "likes"]
def get_likes(self, obj):
return obj.likes.count()
def validate_content(self, value):
if len(value) > MAX_TWEET_LENGTH:
raise serializers.ValidationError("This description is too long")
return value
class PostSerializer(serializers.ModelSerializer):
likes = serializers.SerializerMethodField(read_only=True)
content = serializers.SerializerMethodField(read_only=True)
class Meta:
model = Post
fields = ["id", "content", "likes"]
def get_likes(self, obj):
return obj.likes.count()
def get_content(self, obj):
return obj.content
settings.py
"""
Django settings for webapp project.
Generated by 'django-admin startproject' using Django 3.1.2.
For more information on this file, see
https://docs.djangoproject.com/en/3.1/topics/settings/
For the full list of settings and their values, see
https://docs.djangoproject.com/en/3.1/ref/settings/
"""
from pathlib import Path
import os
# Build paths inside the project like this: BASE_DIR / 'subdir'.
BASE_DIR = Path(__file__).resolve().parent.parent
# Quick-start development settings - unsuitable for production
# See https://docs.djangoproject.com/en/3.1/howto/deployment/checklist/
# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = 'g7nkjipd$4$n=r8*8c(ct$wf!qg$-hb$wn6_*f$#8j*j7!doge'
# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = True
ALLOWED_HOSTS = ["127.0.0.1", "localhost"]
LOGIN_URL = "/login"
MAX_TWEET_LENGTH = 240
POST_ACTION_OPTIONS = ["like", "unlike"]
# Application definition
INSTALLED_APPS = [
'django.contrib.admin',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.staticfiles',
# third-party
'rest_framework',
'corsheaders',
# internal
'app',
]
MIDDLEWARE = [
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'corsheaders.middleware.CorsMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
ROOT_URLCONF = 'webapp.urls'
TEMPLATES = [
{
'BACKEND': 'django.template.backends.django.DjangoTemplates',
'DIRS': [os.path.join(BASE_DIR, "templates")],
'APP_DIRS': True,
'OPTIONS': {
'context_processors': [
'django.template.context_processors.debug',
'django.template.context_processors.request',
'django.contrib.auth.context_processors.auth',
'django.contrib.messages.context_processors.messages',
],
},
},
]
WSGI_APPLICATION = 'webapp.wsgi.application'
# Database
# https://docs.djangoproject.com/en/3.1/ref/settings/#databases
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.sqlite3',
'NAME': BASE_DIR / 'db.sqlite3',
}
}
# Password validation
# https://docs.djangoproject.com/en/3.1/ref/settings/#auth-password-validators
AUTH_PASSWORD_VALIDATORS = [
{
'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
},
]
# Internationalization
# https://docs.djangoproject.com/en/3.1/topics/i18n/
LANGUAGE_CODE = 'en-us'
TIME_ZONE = 'UTC'
USE_I18N = True
USE_L10N = True
USE_TZ = True
# Static files (CSS, JavaScript, Images)
# https://docs.djangoproject.com/en/3.1/howto/static-files/
STATIC_URL = '/static/'
STATICFILES_DIRS = [
os.path.join(BASE_DIR, "static"),
]
STATIC_ROOT = os.path.join(BASE_DIR / "static-root",)
CORS_ALLOW_ALL_ORIGINS = True
CORS_URLS_REGEX = r'^/api/.*$'
DEFAULT_RENDERER_CLASSES = [
'rest_framework.renderers.JSONRenderer',
]
DEFAULT_AUTHENTICATION_CLASSES = [
'rest_framework.authentication.SessionAuthentication'
]
if DEBUG:
DEFAULT_RENDERER_CLASSES += [
'rest_framework.renderers.BrowsableAPIRenderer',
]
#DEFAULT_AUTHENTICATION_CLASSES += [
# 'webapp.rest_api.dev.DevAuthentication'
#]
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': DEFAULT_AUTHENTICATION_CLASSES,
'DEFAULT_RENDERER_CLASSES': DEFAULT_RENDERER_CLASSES
}
[Chrome Network tab][1] [1]: https://i.stack.imgur.com/gOQA8.png
3 answers
solution1
1 2020-11-08 14:19:05
我相信CSRF导致了错误,请检查您的 DRF 设置是使用基本身份验证还是令牌身份验证。
solution2
1 2021-05-23 22:18:47
In my case the problem was in the urls.py file, where the ViewSet classes was in the wrong order:
...
router = routers.DefaultRouter()
router.register(r'', VehicleViewSet , basename='VehicleViewSet')
router.register(r'transference', TransferenceViewSet , basename='TransferenceViewSet')
...
Django was testing first if the url match the '', and this always return a successful match, causing my project to respond the request with the wrong ViewSet that has a different Permission class.
The solution was just to put the more specific routes first, ending up like this:
...
router = routers.DefaultRouter()
router.register(r'transference', TransferenceViewSet , basename='TransferenceViewSet')
router.register(r'', VehicleViewSet , basename='VehicleViewSet')
...
solution3
0 2020-11-08 14:39:09
- You including
actionandcreatesuburl intoapi/posts/url (webapp/urls.py) - Your
action/path function ispost_action_viewandcreateispost_create_view(api/urls.py) - You set decorators
@api_view(['POST'])beforepost_action_viewandpost_create_view(api/views.py) - You have get error
"Method \\"GET\\" not allowed."
So... do you see any logic here?
Set @api_view(['POST', 'GET']) if you want to allow both methods.
In other way, set 'POST' method when you running JS's xhr.open(method, url) , not 'GET' .
EDIT1:
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
Django rest framework ajax form submit error 403 (forbidden)
Django API Post method returns 403 error
ajax django 403 forbidden error
403 Forbidden error on swfupload and django
Django Returns 403 Forbidden for Email view
urlretrieve for image returns HTTP Error 403: Forbidden
My code returns HTTP Error 403: Forbidden
boilerpy3 returns HTTP Error 403: Forbidden
Finding the cause of of 403 forbidden error in django admin
403 Forbidden Error in django web server
Related Tags