I built a simple Django/React app that allows users to post short texts that can be liked and unliked. In the console I get, POST http://localhost:8000/api/posts/create/ 403 (Forbidden) and POST http://localhost:8000/api/posts/create/ 403 (Forbidden).
The REST Framework Renderer gives me,
GET /api/posts/create/ HTTP 405 Method Not Allowed Allow: POST, OPTIONS Content-Type: application/json Vary: Accept { "detail": "Method \\"GET\\" not allowed." }
and,
GET /api/posts/action/ HTTP 405 Method Not Allowed Allow: OPTIONS, POST Content-Type: application/json Vary: Accept { "detail": "Method \\"GET\\" not allowed." }
The console gives me, xhr.send(jsonData) in the components as error. At first I thought it was a simple authentication error but I tried signing in to admin on different browsers to no success.
What am I missing here?
Any assistance is greatly appreciated.
webapp/webapp-web/src/lookup/components.js
function getCookie(name) {
var cookieValue = null;
if (document.cookie && document.cookie !== '') {
var cookies = document.cookie.split(';');
for (var i = 0; i < cookies.length; i++) {
var cookie = cookies[i].trim();
// Does this cookie string begin with the name we want?
if (cookie.substring(0, name.length + 1) === (name + '=')) {
cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
break;
}
}
}
return cookieValue;
}
export function backendLookup(method, endpoint, callback, data) {
let jsonData;
if (data){
jsonData = JSON.stringify(data)
}
const xhr = new XMLHttpRequest()
const url = `http://localhost:8000/api${endpoint}`
xhr.responseType = "json"
const csrftoken = getCookie('csrftoken');
xhr.open(method, url)
xhr.setRequestHeader("Content-Type", "application/json")
if (csrftoken){
xhr.setRequestHeader("HTTP_X_REQUESTED_WITH", "XMLHttpRequest")
xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest")
xhr.setRequestHeader("X-CSRFToken", csrftoken)
}
xhr.onload = function() {
callback(xhr.response, xhr.status)
}
xhr.onerror = function (e) {
callback({"message": "The request was an error"}, 400)
}
xhr.send(jsonData)
}
api/urls.py
from django.urls import path
from .views import (
post_action_view,
post_delete_view,
post_detail_view,
post_list_view,
post_create_view,
)
'''
CLIENT
Base ENDPOINT /api/tweets/
'''
urlpatterns = [
path('', post_list_view),
path('action/', post_action_view),
path('create/', post_create_view),
path('<int:post_id>/', post_detail_view),
path('<int:post_id>/delete/', post_delete_view),
]
webapp/urls.py
"""tweetme2 URL Configuration
The `urlpatterns` list routes URLs to views. For more information please see:
https://docs.djangoproject.com/en/2.2/topics/http/urls/
Examples:
Function views
1. Add an import: from my_app import views
2. Add a URL to urlpatterns: path('', views.home, name='home')
Class-based views
1. Add an import: from other_app.views import Home
2. Add a URL to urlpatterns: path('', Home.as_view(), name='home')
Including another URLconf
1. Import the include() function: from django.urls import include, path
2. Add a URL to urlpatterns: path('blog/', include('blog.urls'))
"""
from django.conf import settings
from django.conf.urls.static import static
from django.contrib import admin
from django.urls import path, re_path, include # url()
from django.views.generic import TemplateView
from app.views import (
posts_list_view,
posts_detail_view,
posts_profile_view,
)
urlpatterns = [
path('admin/', admin.site.urls),
path('', posts_list_view),
path('<int:tweet_id>', posts_detail_view),
path('profile/<str:username>', posts_profile_view),
path('api/posts/', include('app.api.urls'))
]
if settings.DEBUG:
urlpatterns += static(settings.STATIC_URL,
document_root=settings.STATIC_ROOT)
api/views.py
import random
from django.conf import settings
from django.http import HttpResponse, Http404, JsonResponse
from django.shortcuts import render, redirect
from django.utils.http import is_safe_url
from rest_framework.authentication import SessionAuthentication
from rest_framework.decorators import api_view, authentication_classes, permission_classes
from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response
from ..forms import PostForm
from ..models import Post
from ..serializers import (
PostSerializer,
PostActionSerializer,
PostCreateSerializer
)
ALLOWED_HOSTS = settings.ALLOWED_HOSTS
@api_view(['POST'])
# @authentication_classes([SessionAuthentication])
@permission_classes([IsAuthenticated])
def post_create_view(request, *args, **kwargs):
serializer = PostCreateSerializer(data=request.data)
if serializer.is_valid(raise_exception=True):
serializer.save(user=request.user)
return Response(serializer.data, status=201)
return Response({}, status=400)
@api_view(['GET'])
def post_detail_view(request, post_id, *args, **kwargs):
qs = Post.objects.filter(id=post_id)
if not qs.exists():
return Response({}, status=404)
obj = qs.first()
serializer = PostSerializer(obj)
return Response(serializer.data, status=200)
@api_view(['DELETE', 'POST'])
@permission_classes([IsAuthenticated])
def post_delete_view(request, post_id, *args, **kwargs):
qs = Post.objects.filter(id=post_id)
if not qs.exists():
return Response({}, status=404)
qs = qs.filter(user=request.user)
if not qs.exists():
return Response({"message": "You cannot delete this Post"}, status=401)
obj = qs.first()
obj.delete()
return Response({"message": "Post deleted"}, status=200)
@api_view(['POST'])
@permission_classes([IsAuthenticated])
def post_action_view(request, *args, **kwargs):
serializer = PostActionSerializer(data=request.data)
if serializer.is_valid(raise_exception=True):
data = serializer.validated_data
post_id = data.get("id")
action = data.get("action")
qs = Post.objects.filter(id=post_id)
if not qs.exists():
return Response({}, status=404)
obj = qs.first()
if action == "like":
obj.likes.add(request.user)
serializer = PostSerializer(obj)
return Response(serializer.data, status=200)
elif action == "unlike":
obj.likes.remove(request.user)
serializer = PostSerializer(obj)
return Response(serializer.data, status=201)
return Response({}, status=200)
@api_view(['GET'])
def post_list_view(request, *args, **kwargs):
qs = Post.objects.all()
username = request.GET.get("username")
if username != None:
qs = qs.filter(user__username__iexact=username)
serializer = PostSerializer(qs, many=True)
return Response(serializer.data, status=200)
webapp/views.py
import random
from django.conf import settings
from django.http import HttpResponse, Http404, JsonResponse
from django.shortcuts import render, redirect
from django.utils.http import is_safe_url
ALLOWED_HOSTS = settings.ALLOWED_HOSTS
# Create your views here.
def home_view(request, *args, **kwargs):
username = None
if request.user.is_authenticated:
username = request.user.username
return render(request, "pages/home.html", context={"username": username}, status=200)
def posts_list_view(request, *args, **kwargs):
return render(request, "pictures/list.html")
def posts_detail_view(request, post_id, *args, **kwargs):
return render(request, "pictures/detail.html", context={"post_id": post_id})
def posts_profile_view(request, username, *args, **kwargs):
return render(request, "pictures/profile.html", context={"profile_username": username})
webapp/serializers.py
from django.conf import settings
from rest_framework import serializers
from .models import Post
MAX_TWEET_LENGTH = settings.MAX_TWEET_LENGTH
POST_ACTION_OPTIONS = settings.POST_ACTION_OPTIONS
class PostActionSerializer(serializers.Serializer):
id = serializers.IntegerField()
action = serializers.CharField()
def validate_action(self, value):
value = value.lower().strip()
if not value in POST_ACTION_OPTIONS:
raise serializers.ValidationError("This is not a valid action")
return value
class PostCreateSerializer(serializers.ModelSerializer):
likes = serializers.SerializerMethodField(read_only=True)
class Meta:
model = Post
fields = ["id", "content", "likes"]
def get_likes(self, obj):
return obj.likes.count()
def validate_content(self, value):
if len(value) > MAX_TWEET_LENGTH:
raise serializers.ValidationError("This description is too long")
return value
class PostSerializer(serializers.ModelSerializer):
likes = serializers.SerializerMethodField(read_only=True)
content = serializers.SerializerMethodField(read_only=True)
class Meta:
model = Post
fields = ["id", "content", "likes"]
def get_likes(self, obj):
return obj.likes.count()
def get_content(self, obj):
return obj.content
settings.py
"""
Django settings for webapp project.
Generated by 'django-admin startproject' using Django 3.1.2.
For more information on this file, see
https://docs.djangoproject.com/en/3.1/topics/settings/
For the full list of settings and their values, see
https://docs.djangoproject.com/en/3.1/ref/settings/
"""
from pathlib import Path
import os
# Build paths inside the project like this: BASE_DIR / 'subdir'.
BASE_DIR = Path(__file__).resolve().parent.parent
# Quick-start development settings - unsuitable for production
# See https://docs.djangoproject.com/en/3.1/howto/deployment/checklist/
# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = 'g7nkjipd$4$n=r8*8c(ct$wf!qg$-hb$wn6_*f$#8j*j7!doge'
# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = True
ALLOWED_HOSTS = ["127.0.0.1", "localhost"]
LOGIN_URL = "/login"
MAX_TWEET_LENGTH = 240
POST_ACTION_OPTIONS = ["like", "unlike"]
# Application definition
INSTALLED_APPS = [
'django.contrib.admin',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.staticfiles',
# third-party
'rest_framework',
'corsheaders',
# internal
'app',
]
MIDDLEWARE = [
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'corsheaders.middleware.CorsMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
ROOT_URLCONF = 'webapp.urls'
TEMPLATES = [
{
'BACKEND': 'django.template.backends.django.DjangoTemplates',
'DIRS': [os.path.join(BASE_DIR, "templates")],
'APP_DIRS': True,
'OPTIONS': {
'context_processors': [
'django.template.context_processors.debug',
'django.template.context_processors.request',
'django.contrib.auth.context_processors.auth',
'django.contrib.messages.context_processors.messages',
],
},
},
]
WSGI_APPLICATION = 'webapp.wsgi.application'
# Database
# https://docs.djangoproject.com/en/3.1/ref/settings/#databases
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.sqlite3',
'NAME': BASE_DIR / 'db.sqlite3',
}
}
# Password validation
# https://docs.djangoproject.com/en/3.1/ref/settings/#auth-password-validators
AUTH_PASSWORD_VALIDATORS = [
{
'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
},
]
# Internationalization
# https://docs.djangoproject.com/en/3.1/topics/i18n/
LANGUAGE_CODE = 'en-us'
TIME_ZONE = 'UTC'
USE_I18N = True
USE_L10N = True
USE_TZ = True
# Static files (CSS, JavaScript, Images)
# https://docs.djangoproject.com/en/3.1/howto/static-files/
STATIC_URL = '/static/'
STATICFILES_DIRS = [
os.path.join(BASE_DIR, "static"),
]
STATIC_ROOT = os.path.join(BASE_DIR / "static-root",)
CORS_ALLOW_ALL_ORIGINS = True
CORS_URLS_REGEX = r'^/api/.*$'
DEFAULT_RENDERER_CLASSES = [
'rest_framework.renderers.JSONRenderer',
]
DEFAULT_AUTHENTICATION_CLASSES = [
'rest_framework.authentication.SessionAuthentication'
]
if DEBUG:
DEFAULT_RENDERER_CLASSES += [
'rest_framework.renderers.BrowsableAPIRenderer',
]
#DEFAULT_AUTHENTICATION_CLASSES += [
# 'webapp.rest_api.dev.DevAuthentication'
#]
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': DEFAULT_AUTHENTICATION_CLASSES,
'DEFAULT_RENDERER_CLASSES': DEFAULT_RENDERER_CLASSES
}
[Chrome Network tab][1] [1]: https://i.stack.imgur.com/gOQA8.png
我相信CSRF导致了错误,请检查您的 DRF 设置是使用基本身份验证还是令牌身份验证。
In my case the problem was in the urls.py file, where the ViewSet classes was in the wrong order:
...
router = routers.DefaultRouter()
router.register(r'', VehicleViewSet , basename='VehicleViewSet')
router.register(r'transference', TransferenceViewSet , basename='TransferenceViewSet')
...
Django was testing first if the url match the '', and this always return a successful match, causing my project to respond the request with the wrong ViewSet that has a different Permission class.
The solution was just to put the more specific routes first, ending up like this:
...
router = routers.DefaultRouter()
router.register(r'transference', TransferenceViewSet , basename='TransferenceViewSet')
router.register(r'', VehicleViewSet , basename='VehicleViewSet')
...
action
and create
suburl into api/posts/
url ( webapp/urls.py
)action/
path function is post_action_view
and create
is post_create_view
( api/urls.py
)@api_view(['POST'])
before post_action_view
and post_create_view
( api/views.py
)"Method \\"GET\\" not allowed."
So... do you see any logic here?
Set @api_view(['POST', 'GET'])
if you want to allow both methods.
In other way, set 'POST'
method when you running JS's xhr.open(method, url)
, not 'GET'
.
EDIT1:
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.