2012-10-23 131 views
10

Using Django 1.4, I get a 403 when I try to do a POST from my JavaScript to my Django server. My GET works fine; the problem is only with POST. I also tried @csrf_exempt with no luck. Django ajax POST 403 forbidden

Update: I can now POST after adding {% csrf_token %}, but the POST response is empty, although the GET comes back correctly. Any ideas?

My Django view:

import json

from django.http import HttpResponse
from django.views.decorators.csrf import csrf_protect


@csrf_protect
def edit_city(request, username):
    conditions = dict()

    #if request.is_ajax():
    if request.method == 'GET':
        conditions = request.method

    elif request.method == 'POST':
        # Form-encoded POST data is in request.POST, not request.GET;
        # reading request.GET here left conditions empty for every POST.
        # (Python 2 print statements, as used with Django 1.4.)
        print "TIPO", request.POST.get('type', '')
        #based on http://stackoverflow.com/a/3634778/977622
        for filter_key, form_key in (('type', 'type'), ('city', 'city'), ('pois', 'pois'), ('poisdelete', 'poisdelete'), ('kmz', 'kmz'), ('kmzdelete', 'kmzdelete'), ('limits', 'limits'), ('limitsdelete', 'limitsdelete'), ('area_name', 'area_name'), ('action', 'action')):
            value = request.POST.get(form_key, None)
            if value:
                conditions[filter_key] = value
                print filter_key, conditions[filter_key]

        #Test.objects.filter(**conditions)
    city_json = json.dumps(conditions)

    return HttpResponse(city_json, mimetype='application/json')

Here is my JavaScript code:

function getCookie(name) {
    var cookieValue = null;
    if (document.cookie && document.cookie != '') {
        var cookies = document.cookie.split(';');
        for (var i = 0; i < cookies.length; i++) {
            var cookie = jQuery.trim(cookies[i]);
            // Does this cookie string begin with the name we want?
            if (cookie.substring(0, name.length + 1) == (name + '=')) {
                cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
                break;
            }
        }
    }
    return cookieValue;
}
var csrftoken = getCookie('csrftoken');

function csrfSafeMethod(method) {
    // these HTTP methods do not require CSRF protection
    return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
}
function sameOrigin(url) {
    // test that a given url is a same-origin URL
    // url could be relative or scheme relative or absolute
    var host = document.location.host; // host + port
    var protocol = document.location.protocol;
    var sr_origin = '//' + host;
    var origin = protocol + sr_origin;
    // Allow absolute or scheme relative URLs to same origin
    return (url == origin || url.slice(0, origin.length + 1) == origin + '/') ||
        (url == sr_origin || url.slice(0, sr_origin.length + 1) == sr_origin + '/') ||
        // or any other URL that isn't scheme relative or absolute i.e relative.
        !(/^(\/\/|http:|https:).*/.test(url));
}
$.ajaxSetup({
    beforeSend: function(xhr, settings) {
        if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
            // Only send the token to relative URLs i.e. locally.
            // Reads the hidden input rendered by {% csrf_token %}, so it is
            // empty (and the POST gets a 403) unless the tag is in the template.
            xhr.setRequestHeader("X-CSRFToken",
                $('input[name="csrfmiddlewaretoken"]').val());
        }
    }
});

// The key must be 'area_name' to match what the view reads from request.POST
// (the original sent 'area_nameStr', so data.area_name was always undefined).
$.post(url, { type: type, city: cityStr, pois: poisStr, poisdelete: poisDeleteStr, kmz: kmzStr, kmzdelete: kmzDeleteStr, limits: limitsStr, area_name: area_nameStr, limitsdelete: limitsDeleteStr }, function(data, status) {
    alert("Data: " + data + "\nStatus: " + status);
    console.log("newdata" + data.area_name);
});

I also tried this, from the site, with no luck:

$.ajaxSetup({
    beforeSend: function(xhr, settings) {
        if (!csrfSafeMethod(settings.type) && sameOrigin(settings.url)) {
            // Send the token to same-origin, relative URLs only.
            // Send the token only if the method warrants CSRF protection
            // Using the CSRFToken value acquired earlier
            xhr.setRequestHeader("X-CSRFToken", csrftoken);
        }
    }
});

What am I missing?

+1

Do you have DEBUG = True set? Go to Chrome dev tools -> Network and click the failed request. What message do you get in the Preview or Response tab? –

+0

I get a "CSRF verification failed. Request aborted." – psychok7

+0

Strange, now my POST response comes back EMPTY, any idea why? GET still works fine – psychok7

Answers

3

Got it working by adding {% csrf_token %} somewhere inside the form in my template

+0

csrf_token is an anti Cross-Site Request Forgery (http://en.wikipedia.org/wiki/Cross-site_request_forgery) token, and it is required because 'django.middleware.csrf.CsrfViewMiddleware' is defined in the MIDDLEWARE_CLASSES section of settings.py. –

24

You can actually pass {csrfmiddlewaretoken: '{{ csrf_token }}'} along with your data, and it works every time

+4

The name of the token should be "csrfmiddlewaretoken", not "csrftoken". (Django 1.4) –
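To see why each fix in this thread works (the {% csrf_token %} form field, the csrfmiddlewaretoken name rather than csrftoken, the X-CSRFToken header, and the ensure_csrf_cookie decorator from the answer below), here is an added Python model of the Django 1.4 CsrfViewMiddleware decision. It is not Django's own code, it leaves out the HTTPS Referer check, and the token value and request dicts are constructed samples.

```python
import hmac

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")
COOKIE_NAME = "csrftoken"             # cookie Django sets (ensure_csrf_cookie forces it)
FORM_FIELD = "csrfmiddlewaretoken"    # hidden input rendered by {% csrf_token %}
HEADER_NAME = "HTTP_X_CSRFTOKEN"      # WSGI key for an X-CSRFToken request header


def csrf_check(method, cookies, post, meta):
    """Return (accepted, reason) for one request.

    Simplified model of the Django 1.4 CsrfViewMiddleware decision (the
    HTTPS Referer check is left out): safe methods pass untouched; any
    other method must carry a token, in the form body or the X-CSRFToken
    header, that matches the csrftoken cookie.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no token required"
    cookie_token = cookies.get(COOKIE_NAME, "")
    if not cookie_token:
        # Nothing to compare against: the case ensure_csrf_cookie fixes
        return False, "CSRF cookie not set"
    request_token = post.get(FORM_FIELD) or meta.get(HEADER_NAME, "")
    if not request_token or not hmac.compare_digest(cookie_token, request_token):
        return False, "CSRF token missing or incorrect"
    return True, "token matches cookie"


TOKEN = "constructed-token-0123456789abcdef"   # constructed sample value


def scenarios():
    """Run the requests discussed in this thread through the check."""
    cookies = {COOKIE_NAME: TOKEN}
    return {
        "get": csrf_check("GET", cookies, {}, {}),
        # $.post without any token: the original 403
        "post_no_token": csrf_check("POST", cookies, {"city": "x"}, {}),
        # {% csrf_token %} / csrfmiddlewaretoken sent in the body
        "post_form_field": csrf_check("POST", cookies, {FORM_FIELD: TOKEN}, {}),
        # X-CSRFToken header set in $.ajaxSetup beforeSend
        "post_header": csrf_check("POST", cookies, {}, {HEADER_NAME: TOKEN}),
        # wrong field name ('csrftoken' instead of 'csrfmiddlewaretoken')
        "post_wrong_field": csrf_check("POST", cookies, {"csrftoken": TOKEN}, {}),
        # header present but the cookie was never set by a rendered form
        "post_no_cookie": csrf_check("POST", {}, {}, {HEADER_NAME: TOKEN}),
    }
```

Only `post_form_field` and `post_header` (and the GET) are accepted; the other three are exactly the 403s described in the question and the answers.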

6

In my case I had a template where I did not want a <form></form> element. But I still wanted to make AJAX POST requests with jQuery.

I was getting 403 errors even though I followed the Django docs (https://docs.djangoproject.com/en/1.5/ref/contrib/csrf/), because the CSRF cookie was empty. The solution is on that same page: the ensure_csrf_cookie decorator.

My CSRF cookie was not being set until I added this at the top of my views.py:

from django.views.decorators.csrf import ensure_csrf_cookie 
@ensure_csrf_cookie 

Also, note that in this case you do not need the DOM element {% csrf_token %} in your markup/template.

+0

Thanks! I had to use the following before my class definition, since I am using class-based views: @method_decorator(ensure_csrf_cookie, name='update') – nbeuchat