Forbidden (CSRF token missing or incorrect.): /updatecart_index/

Question

in my html i have this code where the user updating the quantity from the database,why i am encounter this kind of error Forbidden (CSRF token missing or incorrect.): /updatecart_index/ ? eventhought i have this in my form {% csrf_token %}

<form method="POST"  id="form"  >{% csrf_token %}
   <input type="hidden" value="{{bought.id}}" name="itemID">
   <input type="submit" value="-" id="down" formaction="/updatecart_index/"  onclick="setQuantity('down');" >
   <input type="text" name="quantity" id="quantity" value="{{bought.quantity}}" onkeyup="multiplyBy()" style="width: 13%; text-align:left;" readonly>
   <input type="submit" value="+" id="up" formaction="/updatecart_index/" onclick="setQuantity('up');" >
 </form>

<script type="text/javascript">
    $(document).ready(function(){
      $("form").submit(function(){
        event.preventDefault();
        var form_id = $('#form')

        $.ajax({
        url: "{% url 'updatecart_index' %}",
        type: 'POST',
        data: form_id.serialize(),
        header: {'X-CSRFToken': '{% csrf_token %}'},
        dataType: "json",
        success: function (response){
            var success = response['success']
            if(success){
                alert("form submittend");
            }else{
                alert("got error");
            }
        },
        failure: function (error){
            alert("Error occured while calling Django view")
        }

    })
      });
    });
</script>

in views.py

def updatecart_index(request):
    item = request.POST.get("itemID")
    print("dasdasd")
    quantity = request.POST.get("quantity")
    product = CustomerPurchaseOrderDetail.objects.get(id=item)
    print("aa", CustomerPurchaseOrderDetail.objects.get(id=item))
    product.quantity = quantity
    product.save()
    data = {}
    data['success'] = True
    return HttpResponse(json.dumps(data), content_type="application/json")

UPDATE

when i tried @csrf_exempt in views.py, the request.POST.get("item") didnt get the data from the html

i have already {% csrf_token %} in my form – Nov 11 '20 at 04:15 — , Nov 11 '20 at 04:15
@ViaTech can you please post your answer? – Nov 11 '20 at 04:23 — , Nov 11 '20 at 04:23

Safwan Samsudeen · Answer 1 · 2020-11-11T04:39:27.157

You must get the csrf_token from the HTML - after it's rendered. Because Django replaces {% csrf_token %} with a unique token (input type="hidden", actually), so it'll be incorrect. The token in your JS and the token in your form will be different.

<script type="text/javascript">
  $(document).ready(function () {
    $("form").submit(function () {
      event.preventDefault();
      var form_id = $("#form");
      $.ajaxSetup({
        beforeSend: function (xhr, settings) {
          function getCookie(name) {
            var cookieValue = null;
            if (document.cookie && document.cookie != "") {
              var cookies = document.cookie.split(";");
              for (var i = 0; i < cookies.length; i++) {
                var cookie = jQuery.trim(cookies[i]);
                // Does this cookie string begin with the name we want?
                if (cookie.substring(0, name.length + 1) == name + "=") {
                  cookieValue = decodeURIComponent(
                    cookie.substring(name.length + 1)
                  );
                  break;
                }
              }
            }
            return cookieValue;
          }
          if (
            !(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))
          ) {
            // Only send the token to relative URLs i.e. locally.
            xhr.setRequestHeader("X-CSRFToken", getCookie("csrftoken"));
          }
        },
      });
      $.ajax({
        url: "{% url 'updatecart_index' %}",
        type: "POST",
        data: form_id.serialize(),
        dataType: "json",
        success: function (response) {
          var success = response["success"];
          if (success) {
            alert("form submittend");
          } else {
            alert("got error");
          }
        },
        failure: function (error) {
          alert("Error occured while calling Django view");
        },
      });
    });
  });
</script>

Ok - I've changed my answer now. Check [this](https://stackoverflow.com/questions/5100539/django-csrf-check-failing-with-an-ajax-post-request) SO post. — Safwan Samsudeen, Nov 11 '20 at 04:39
in my views.py my item = request.POST.get("itemID") print None, why? — , Nov 11 '20 at 04:42
Try console logging `form_id.serialize()`. What does it show? — Safwan Samsudeen, Nov 11 '20 at 04:51

score 0 · Accepted Answer · answered Nov 11 '20 at 05:20

You can simply do this to you Ajax

<script type="text/javascript">
    $(document).ready(function(){
        $('form').submit(function(){
            event.preventDefault();
            var that = $(this);
            $.ajax({
                url: "{% url 'updatecart_index' %}",
                type: 'POST',
                data: that.serialize()
                ,success: function(data){
                    console.log('Success!');
                }
            });
            return false;
        });
    });
</script>

and dont use csrf_exempt

Forbidden (CSRF token missing or incorrect.): /updatecart_index/

2 Answers2