CSRF verification failed

Hello,

I published an app on www.hackers.fund and it's working well apart from this:

When trying to create or update Projects and add members to the Project, I used the django-ajax-select package to implement a multi-select widget with search, which sends an ajax GET request to fetch the users. It's working perfectly locally, and it's even working on the django admin side. But on the site it is not, and I get a 403 error: CSRF verification failed.

I am completely stuck after having searched for hours, please send help :-) !!

Thanks in advance, Lionel

Does that help you? Cross Site Request Forgery protection | Django documentation

Hey !

Thank you for your message, actually it helped but it was not a CSRF problem !

With the django-ajax-select package, you have to implement a LookupChannel class, and by default it has a method check_auth which raises a PermissionDenied if the user is not part of staff... That's why it worked in the admin and not on the website. It is specified in the code comments that outside of the admin one should implement the method:

# Default implementation shipped in ajax_select's LookupChannel (staff only)
from django.core.exceptions import PermissionDenied

def check_auth(self, request):
    """
    By default only request.user.is_staff have access.

    This ensures that nobody can get your data by simply knowing the lookup URL.

    This is called from the ajax_lookup view.

    Public facing forms (outside of the Admin) should implement this to
    allow non-staff to use this LookupChannel.

    Args:
        request (Request)
    Raises:
        PermissionDenied
    """
    if not request.user.is_staff:
        raise PermissionDenied

So I had to override it and just put:

from django.core.exceptions import PermissionDenied

def check_auth(self, request):
    # override in my own LookupChannel subclass: any logged-in user may query the lookup
    if not request.user.is_authenticated:
        raise PermissionDenied

Thanks a lot anyways for the ultraquick answer and have a good day, Lionel

Glad to hear you worked it out!