4

I use Django 1.9.7 & Python 3.5

I implemented a user-creation mechanism and tried to test it with POSTMAN (Chrome application), but it doesn't work and it shows something like the below:

Forbidden (CSRF cookie not set.): /timeline/user/create/

This is the code :

urls.py

from django.conf.urls import url
from . import views

app_name = 'timeline'
urlpatterns = [
    # ex) /
    url(r'^$', views.timeline_view, name='timeline_view'),

    # ex) /user/create
    url(r'^user/(?P<method>create)/$', views.user_view, name='user_view'),
]

views.py

from django.contrib.auth import authenticate, login, logout
from django.shortcuts import render, HttpResponse

from timeline.models import *


def timeline_view(request):
    return HttpResponse('hello world')


def user_view(request, method):
    if method == 'create' and request.method == 'POST':
        print("hi")
        username = request.POST.get('username')
        username = request.POST.get('username')
        user = User.objects.create_user(username, password=password)
        user.first_name = request.POST.get('name','')
        user.save()
        profile = UserProfile()
        profile.user = user
        profile.save()
        return HttpResponse('create success')
    else:
        return HttpResponse('bad request', status=400)


I tried Django CSRF Cookie Not Set, but I think that post is for a past version.

user3595632
  • you have defined username twice...password not even once – amit_183 Jul 11 '16 at 11:06
  • Django needs a CSRF token to allow requests, and Postman doesn't add it in the header until implemented. Please refer to [this](http://stackoverflow.com/questions/38158742/http-post-request-to-a-django-webservice-need-login-info-using-postman/38161448#38161448) for adding the CSRF token in the request header. Also POST is all that is needed, why _create_, until required for something specific. – kapilsdv Jul 11 '16 at 11:26
  • Please read this [django docs](https://docs.djangoproject.com/en/1.9/ref/csrf/). By default django will protect any POST request. Also you can just use [this](https://docs.djangoproject.com/en/1.9/ref/csrf/#django.views.decorators.csrf.csrf_exempt) but it is not recommended. – Stavinsky Jul 11 '16 at 11:29

4 Answers

6

For testing I used the @csrf_exempt decorator.

from django.views.decorators.csrf import csrf_exempt

@csrf_exempt
def user_view(request, method):
    ...

Now you should be able to call this function without the CSRF cookie.

(Last time I tried it, I was using Django 1.8.7.)

source: https://docs.djangoproject.com/en/1.9/ref/csrf/#edge-cases

gidiei
1

You should put CSRFToken in request headers.
After sending request via postman, look at the response Cookies section, take csrftoken value and put in Headers section of request, like this:
key:X-CSRFToken
value: jSdh6c3VAHgLShLEyTjH2N957qCILqmb #your token value

Ivan Semochkin
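The check behind this error and the header fix above, as an added example that is not part of the original answers and is not Django's own code: a simplified standard-library model of the cookie/token comparison Django 1.9 applies to unsafe methods. The function names and the token value are constructed for illustration, and the extra Referer check done over HTTPS is omitted.

```python
import hmac
from http.cookies import SimpleCookie

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}  # never CSRF-checked


def csrf_check(method, headers, form=None, exempt=False):
    """Simplified model of the cookie/token comparison; returns (status, reason)."""
    if exempt or method in SAFE_METHODS:
        return 200, "ok"  # @csrf_exempt skips the check entirely
    cookies = SimpleCookie(headers.get("Cookie", ""))
    if "csrftoken" not in cookies:
        return 403, "CSRF cookie not set."  # the error in the question
    cookie_token = cookies["csrftoken"].value
    # Token comes from the form field first, then the X-CSRFToken header.
    sent = (form or {}).get("csrfmiddlewaretoken") or headers.get("X-CSRFToken", "")
    if not hmac.compare_digest(sent.encode(), cookie_token.encode()):
        return 403, "CSRF token missing or incorrect."
    return 200, "ok"


TOKEN = "constructed0token0value0for0demo"  # constructed sample value


def run_cases():
    """Replay constructed requests shaped like the Postman attempts."""
    cookie = {"Cookie": "csrftoken=" + TOKEN}
    return {
        "bare POST": csrf_check("POST", {}),
        "cookie only": csrf_check("POST", cookie),
        "cookie + header": csrf_check("POST", dict(cookie, **{"X-CSRFToken": TOKEN})),
        "cookie + wrong header": csrf_check("POST", dict(cookie, **{"X-CSRFToken": "x"})),
        "exempt view": csrf_check("POST", {}, exempt=True),
    }


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(name, "->", result)
```

The exempt case passes with no cookie and no token, which is why the decorator is suited to local testing only.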
1

Sometimes it is a version problem in 'Postman':

I have faced the same problem while sending data with the POST method using the oldest version of Postman.
At that time I received empty JSON data on the server side.
I fixed this problem once I uninstalled the oldest version of Postman and installed the latest version.

Mohammed Yasin
  • Suddenly it started to raise the error, with all the config being fine; on another computer it was working well. Reinstalling didn't work for me, I think because I installed the same version, but I installed the Chrome version and it works well. Maybe it is something to do with cached cookies, but I don't understand it, thanks! – Francisco Rodeño Sanchez Jul 18 '20 at 13:02
0

Use the statement below on top of each and every view function definition (views.py). We don't need to use CSRF-related statements.

@api_view(["POST", "GET"])

eg:

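from rest_framework import status
from rest_framework.decorators import api_view
from rest_framework.response import Response
@api_view(["POST", "GET"])
def GivenInput(request):  # DRF passes the request to the view
    return Response("bad request", status.HTTP_400_BAD_REQUEST)  # original returned e.args[0] from a handler not shown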

Note*: But I didn't know of any alternative way to make it global throughout the file.

Surya