Wow ok, I didn't know about that. But the drf browsable api renders the 
form with data-method='PUT'.
And I see a put request in the server logs. Hmm, probably it's doing the 
put in javascript then. And somehow
the token is not set properly. Ok, I'm going to debug this further. But 
thanks a lot for pointing me in the
right direction :).

best,
Jochen

On Friday, March 9, 2018 at 4:30:35 PM UTC+1, Jani Tiainen wrote:
>
> Note that you can use HTML form only to issue GET or POST.
>
> Other verbs do require xhr (ajax) calls. There is an example in Django 
> csrf docs how to pass token in xhr headers.
>
> 9.3.2018 17.22 "Jochen Wersdoerfer" <[email protected]> wrote:
>
>> Hi *,
>>
>> I'm trying to use custom put forms for the browsable api. In my 
>> development environment
>> everything worked as expected, but in production I got csrf errors on 
>> submitting those put
>> forms (csrf token missing or incorrect). So I looked at base.html and 
>> learned that only post
>> forms get a {% csrf_token %}. Then I used api.html to overwrite the body 
>> block with a version
>> that adds {% csrf_token %} to put forms, but it didn't work. I still get 
>> csrf errors and I'm
>> wondering whether the csrf_token tag was left out intentionally or if it 
>> is a bug. Maybe someone
>> knows something about this?
>>
>> best,
>> Jochen
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Django REST framework" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>>
>
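
The approach the quoted reply points to (sending the CSRF token in an XHR header for a PUT), as an added example that is not part of the original messages. It assumes Django's default cookie name `csrftoken` and header `X-CSRFToken`, a cookie that script can read, and a hypothetical endpoint `/api/items/1/`.

```javascript
// Added example, not from the thread. Cookie and header names are Django's
// defaults (CSRF_COOKIE_NAME = "csrftoken", header X-CSRFToken).
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Extract one cookie value from a "k=v; k2=v2" string (document.cookie format).
function getCookie(name, cookieString) {
  for (const part of (cookieString || "").split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) return decodeURIComponent(rest.join("="));
  }
  return null;
}

// Build fetch() options for a JSON request. Unsafe methods to the page's own
// origin get the CSRF header; the token is never attached to another origin.
function buildRequest(method, url, data, cookieString, origin) {
  const verb = method.toUpperCase();
  const headers = { "Content-Type": "application/json" };
  const sameOrigin = new URL(url, origin).origin === origin;
  if (!SAFE_METHODS.has(verb) && sameOrigin) {
    const token = getCookie("csrftoken", cookieString);
    // Fail early instead of sending a request the server will reject with 403.
    if (!token) throw new Error("csrftoken cookie not readable from script");
    headers["X-CSRFToken"] = token;
  }
  return {
    method: verb,
    headers,
    credentials: "same-origin", // send the session and CSRF cookies
    body: data === undefined ? undefined : JSON.stringify(data),
  };
}

// Browser usage (hypothetical endpoint):
//   const opts = buildRequest("PUT", "/api/items/1/", { name: "x" },
//                             document.cookie, window.location.origin);
//   fetch("/api/items/1/", opts);
```

If `CSRF_COOKIE_HTTPONLY` or `CSRF_USE_SESSIONS` is enabled, the cookie is not visible to script and the token has to be read from the hidden input that `{% csrf_token %}` renders instead.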
