Django: Ajax POST and CSRF giving "403 Forbidden" responses

If you want to protect your site from cross site request forgery, you'll have to enable the CSRF protection middleware.

You can do that by adding "django.middleware.csrf.CsrfViewMiddleware" to your MIDDLEWARE_CLASSES setting.

Once that's done, you have one of two ways to protect yourself.

When rendering forms, you can either:

  • use {{ form }} to print the form automatically
  • or if rendering manually, use the {% csrf_token %} tag somewhere in the form

When it comes to AJAX however, you'll have to either:

  • rewrite the request in a Form (troublesome in most cases)
  • add the output of {{ csrf_token }} (this one is not a tag) into an element and manually append it on every Ajax POST request
  • use a little jQuery snippet to automatically add in an "X-CSRFToken" header to each POST request

The third method is by far the easiest, and this snippet comes straight from the Django docs!

$(document).ajaxSend(function(event, xhr, settings) {
function getCookie(name) {
var cookieValue = null;

if (document.cookie && document.cookie != '') {
var cookies = document.cookie.split(';');

for (var i = 0; i < cookies.length; i++) {
var cookie = jQuery.trim(cookies[i]);

// Does this cookie string begin with the name we want?
if (cookie.substring(0, name.length + 1) == (name + '=')) {
cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
break;
}
}
}

return cookieValue;
}

function sameOrigin(url) {
// url could be relative or scheme relative or absolute
var host = document.location.host;
// host + port
var protocol = document.location.protocol;
var sr_origin = '//' + host;
var origin = protocol + sr_origin;

// Allow absolute or scheme relative URLs to same origin
return (url == origin || url.slice(0, origin.length + 1) == origin + '/') ||
(url == sr_origin || url.slice(0, sr_origin.length + 1) == sr_origin + '/') ||
// or any other URL that isn't scheme relative or absolute i.e relative.
!(/^(\/\/|http:|https:).*/.test(url));
}

function safeMethod(method) {
return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
}

if (!safeMethod(settings.type) && sameOrigin(settings.url)) {
xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
}
});

Apparently this snippet will not work for jQuery v1.5 so you have to be using something newer.

Source:

Android: Get file mime type from filename

Man, I wish it were this easy in all languages and platforms!

import android.webkit.MimeTypeMap;

MimeTypeMap.getSingleton().getMimeTypeFromExtension(MimeTypeMap.getFileExtensionFromUrl(source.substring(source.lastIndexOf("."))))

Where source would be either a filename or URL.

*same day edit*

Wow, that's a first I've had to update a post a few hours after putting it up.

There was a bug with filenames containing spaces, causing getFileExtensionsFromUrl() to return null.

Sources:

Python: Sort a list/tuple/class by specific field

This is something that I have to do every once in a while and can never remember the method. To save myself some time, I've written this here in hope that I can remember it next time.

student_tuples = [
('john', 'A', 15),
('jane', 'B', 12),
('dave', 'B', 10),
]

# sort by age
sorted(student_tuples, key = lambda student: student[2])

[('dave', 'B', 10), ('jane', 'B', 12), ('john', 'A', 15)]

This great example is straight from the Python wiki page.

[ Source ]

 
Copyright © Twig's Tech Tips
Theme by BloggerThemes & TopWPThemes Sponsored by iBlogtoBlog