CODEWITHSUNDEEP
ajaxdjangocsrf
RC-
RC-

Reputation: 163

Issue with ajax call csfr token

I am trying to add an ajax call that changes the status of a listing, between listed and unlisted, when submitting the form I am having a 403 forbidden error in the console of the browser, I made some checking and it appears that Django is forbidding the form because of a lack of csrf token, however I am not good in javascript, so any help would be appreciated.

Here is my code in my view:

@require_POST
@ajax_required
@login_required

def unlist_ajax(request):
    pk = request.POST.get('pk', None)
    is_visible = request.POST.get('is_visible', None)
    if pk and is_visible:
        listing = get_object_or_404(Listing, pk=pk)
        if is_visible == 'true':
                listing.is_visible = False
                listing.save()
                messages.success(request, _("Listing unlisted"))
                return JsonResponse({'status': 'ok'})

         else:
                listing.is_visible = True
                listing.save()
                messages.success(request, _("Listing re-listed"))
                return JsonResponse({'status':'ok'})

and here is the template script:

in the top of the template, in the header:

  <script>
 function unlistPostAjax(listing_id, is_visible) {
var confirmation = confirm("{% trans 'are you sure you want to change the status of your listing?' %}");
if (confirmation) {
$.post("{% url 'dashboard:unlist_ajax' %}", {pk: listing_id, is_visible: is_visible}, function (response) {
console.log('sending delete query'); location.reload();
})
}
}


    </script>

and in the bottom of the body:

 <script src="{% static 'js/jquery.cookie.js' %}"> </script>
<script>
        $(document).ready(function () {
            var csrftoken = $.cookie('csrftoken');
            function csrfSafeMethod (method) {
                // These HTTP methods do not require CSRF protection
                return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
            }
            $.ajaxSetup({
                beforeSend: function (xhr, settings) {
                    if(!csrfSafeMethod(settings.type) && !this.crossDomain) {
                        // Set X-CSRFToken HTTP Header
                        xhr.setRequestHeader("X-CSRFToken", csrftoken);
                    }
                }
            });
        });
    </script>

Upvotes: 0

Views: 41

Answers (1)

Oh Great One
Oh Great One

Reputation: 384

You can add this to the top of your <script> or if you have a base html template you can put this in there too.

{% csrf_token %}
<script type="text/javascript">
var csrftoken = jQuery("[name=csrfmiddlewaretoken]").val();

function csrfSafeMethod(method) {
    // these HTTP methods do not require CSRF protection
    return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
}
$.ajaxSetup({
    beforeSend: function(xhr, settings) {
        if (!csrfSafeMethod(settings.type) && !this.crossDomain) {
            xhr.setRequestHeader("X-CSRFToken", csrftoken);
        }
    }
});
</script>

Believe you just need to add the csrf above the script you defined, but this is the whole implementation I currently use. I have no issues.

Upvotes: 1

Related Questions