Jaliss

Reputation: 13

Making forms in Django 1.10 and received a CSRF verification failed. Request aborted

I'm having a difficult time getting the POST request to work using Django. I continuously get this 403 error message: Response Page because of request

I'm trying to eventually make a search bar to search a database. On the index.html I have a search bar and then it takes a user input and sends the result to the search.html page. I haven't implemented the query search, I just want the user input to be displayed onto the search.html page using Django form functionality.

I've been using this tutorial to make my first form: https://docs.djangoproject.com/en/1.10/topics/forms/

Below are the Python & HTML scripts I created (some of the variables are a little different from the tutorial's, but the concepts are the same):

index.html

<form action="search/" method="post">
        <div class="search-bar">
            <input name="search" type="text" class="form-control" placeholder="What are you interested in?" style="width:1000px"> &nbsp; 
            <button type="submit" class="btn btn-default text-center" style="align-items: center;">Search</button>
        </div>
    </form>

views.py

from django.shortcuts import get_object_or_404, redirect, render, render_to_response
from django.http import HttpResponse, HttpResponseRedirect
from django.views import generic
from django.utils import timezone
from .models import *
from django.views.generic.base import TemplateView # View static pages easier, no list
from .forms import NameForm
from django.template import RequestContext, loader
from django.views.decorators.csrf import csrf_protect

class IndexView(generic.base.TemplateView):
    template_name = 'ahawebsite/index.html'
# 
class ContactView(generic.base.TemplateView):
    template_name = 'ahawebsite/contact.html'
# 
class AboutView(generic.base.TemplateView):
    template_name = 'ahawebsite/about.html'
# 
class SignupView(generic.base.TemplateView): 
    template_name = 'ahawebsite/signup.html'

# class Searchresults(generic.base.TemplateView): 
#     template_name = 'ahawebsite/search.html'

@csrf_protect  
def get_name(request):
    # if this is a POST request we need to process the form data
    if request.method == 'POST':
    # create a form instance and populate it with data from the request:
        form = NameForm(request.POST)
    # check whether it's valid:
        if form.is_valid():
        # process the data in form.cleaned_data as required
        # ...
        # redirect to a new URL:
            return redirect('thanks')

    # if a GET (or any other method) we'll create a blank form
    else:
        form = NameForm()
#   return render(request,"ahawebsite/search.html",{'form': form})
    return render_to_response("ahawebsite/search.html",{'form': form},context_instance=RequestContext(request))
def say_thanks(request):
    template = loader.get_template("ahawebsite/thanks.html")
    return HttpResponse(template.render({'search': 'search'},request))

urls.py

from django.conf.urls import url

from . import views

app_name = 'ahawebsite'
urlpatterns = [

# Look to views.py file to see the references of the [ ]View objects
    url(r'^$', views.IndexView.as_view(), name='index'),
    url(r'about/$', views.AboutView.as_view(), name='about'),
    url(r'contact/$', views.ContactView.as_view(), name='contact'),
    url(r'signup/$', views.SignupView.as_view(), name='signup'),
    url(r'search/$', views.get_name, name='search'),
    url(r'^thanks/$',views.say_thanks,name='thanks'),
]

search.html

<form action = "/search/" method = "post">
    {% csrf_token %}
    {{ form }}
    <input type = "submit" value = "Submit" />
</form>

I want to not get a 403 page as my response when using the Django form functionality. Am I properly using the CSRF token system? Or am I doing something else completely wrong?

Upvotes: 1

Views: 105

Answers (1)

GAEfan

Reputation: 11360

The form you have in index.html has no {% csrf_token %}. Yet it still posts to a function that requires it (get_name). IOW, if the form from index.html is supposed to post to /search/, then you need to add a {% csrf_token %} to its form, as get_name is csrf protected.

Upvotes: 1
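
As an added example (not part of the original question or answer): a small lint that scans template text for the situation the answer describes, a POST form with no {% csrf_token %} inside it. The function name, regexes and sample templates are assumptions constructed for illustration; forms that target external URLs are skipped because Django's documentation advises against sending the token to them.

```python
import re

# One <form ...> ... </form> block: attributes and body captured separately.
FORM_RE = re.compile(r"<form\b([^>]*)>(.*?)</form\s*>", re.IGNORECASE | re.DOTALL)
# Tolerates spaces around "=", as in the question's search.html.
METHOD_RE = re.compile(r"""\bmethod\s*=\s*["']?\s*(\w+)""", re.IGNORECASE)
ACTION_RE = re.compile(r"""\baction\s*=\s*["']([^"']*)["']""", re.IGNORECASE)
TOKEN_RE = re.compile(r"\{%\s*csrf_token\s*%\}")

def find_unprotected_post_forms(text, name="<template>"):
    """Return (name, line, action) for each internal POST form without a token."""
    findings = []
    for m in FORM_RE.finditer(text):
        attrs, body = m.group(1), m.group(2)
        method = METHOD_RE.search(attrs)
        if not method or method.group(1).lower() != "post":
            continue  # GET (the HTML default) is not checked by the CSRF middleware
        action = ACTION_RE.search(attrs)
        target = action.group(1) if action else ""
        if re.match(r"(?i)(https?:)?//", target):
            continue  # external target: the token should not be sent there
        if not TOKEN_RE.search(body):
            line = text.count("\n", 0, m.start()) + 1
            findings.append((name, line, target))
    return findings

# Constructed sample input: the two forms from the question, trimmed.
INDEX_HTML = """<h1>Home</h1>
<form action="search/" method="post">
    <input name="search" type="text">
    <button type="submit">Search</button>
</form>
"""
SEARCH_HTML = """<form action = "/search/" method = "post">
    {% csrf_token %}
    {{ form }}
    <input type = "submit" value = "Submit" />
</form>
"""

if __name__ == "__main__":
    for name, text in (("index.html", INDEX_HTML), ("search.html", SEARCH_HTML)):
        for tmpl, line, target in find_unprotected_post_forms(text, name):
            print(f"{tmpl}:{line}: POST form to {target!r} has no csrf_token tag")
```

The check works on raw template text, so a form whose tags are assembled from includes or template inheritance is outside its reach; the server-side CSRF check remains the enforcement point.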
