Ok, found the reason. The Django cookiecutter template I was using 
(https://cookiecutter-django.readthedocs.io/en/latest/)
sets CSRF_COOKIE_HTTPONLY=True for production. Changed the setting and all 
works fine now.

thanks,
Jochen

On Friday, March 9, 2018 at 4:51:29 PM UTC+1, Jochen Wersdoerfer wrote:
>
> Wow ok, I didn't know about that. But the DRF browsable API renders the 
> form with data-method='PUT'.
> And I see a PUT request in the server logs. Hmm, probably it's doing the 
> PUT in JavaScript then. And somehow
> the token is not set properly. Ok, I'm going to debug this further. But 
> thanks a lot for pointing me in the
> right direction :).
>
> best,
> Jochen
>
> On Friday, March 9, 2018 at 4:30:35 PM UTC+1, Jani Tiainen wrote:
>>
>> Note that you can use an HTML form only to issue GET or POST.
>>
>> Other verbs do require XHR (AJAX) calls. There is an example in the Django 
>> CSRF docs of how to pass the token in XHR headers.
>>
>> 9.3.2018 17.22 "Jochen Wersdoerfer" <jochen.we...@gmail.com> wrote:
>>
>>> Hi *,
>>>
>>> I'm trying to use custom PUT forms for the browsable API. In my 
>>> development environment
>>> everything worked as expected, but in production I got CSRF errors on 
>>> submitting those PUT
>>> forms (CSRF token missing or incorrect). So I looked at base.html and 
>>> learned that only POST
>>> forms get a {% csrf_token %}. Then I used api.html to overwrite the body 
>>> block with a version
>>> that adds {% csrf_token %} to PUT forms, but it didn't work. I still get 
>>> CSRF errors and I'm
>>> wondering whether the csrf_token tag was left out intentionally or if it 
>>> is a bug. Maybe someone
>>> knows something about this?
>>>
>>> best,
>>> Jochen
>>>
>>> -- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "Django REST framework" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to django-rest-framework+unsubscr...@googlegroups.com.
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
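
The failure described in this thread, as an added example that is not part of the original messages or of Django REST framework's code: with CSRF_COOKIE_HTTPONLY=True the csrftoken cookie is invisible to `document.cookie`, so a script that builds an XHR PUT has to take the token from the hidden input rendered by {% csrf_token %} instead. The `fakeDocument` helper and the token values are constructed stand-ins for a browser `document`; `csrftoken`, `csrfmiddlewaretoken` and `X-CSRFToken` are Django's default names.

```javascript
// Parse a document.cookie-style string. HttpOnly cookies never appear in it.
function cookieValue(cookieString, name) {
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    if (part.slice(0, idx).trim() === name) {
      return decodeURIComponent(part.slice(idx + 1).trim());
    }
  }
  return null;
}

// Try the cookie first, then the hidden input rendered by {% csrf_token %}.
function resolveCsrfToken(doc) {
  const fromCookie = cookieValue(doc.cookie, "csrftoken");
  if (fromCookie) return { token: fromCookie, source: "cookie" };
  const input = doc.querySelector("[name=csrfmiddlewaretoken]");
  if (input && input.value) return { token: input.value, source: "dom" };
  return { token: null, source: "none" };
}

// Build fetch() options for a same-origin PUT carrying the token in a header.
function buildPutInit(doc, payload) {
  const { token } = resolveCsrfToken(doc);
  if (!token) throw new Error("no CSRF token readable from cookie or DOM");
  return {
    method: "PUT",
    credentials: "same-origin",
    headers: { "Content-Type": "application/json", "X-CSRFToken": token },
    body: JSON.stringify(payload),
  };
}

// Constructed stand-in for `document` so the example runs outside a browser.
function fakeDocument(cookie, hiddenToken) {
  return {
    cookie,
    querySelector: (sel) =>
      sel === "[name=csrfmiddlewaretoken]" && hiddenToken
        ? { value: hiddenToken }
        : null,
  };
}

// Development: cookie readable. Production: HttpOnly hides it from scripts.
const devDoc = fakeDocument("theme=dark; csrftoken=devtoken123", null);
const prodDoc = fakeDocument("theme=dark", "domtoken456");
const prodNoTag = fakeDocument("theme=dark", null);
```

In a browser, pass the real `document` and hand the result to `fetch(url, buildPutInit(document, data))`; the `prodNoTag` case is the one that ends in "CSRF token missing or incorrect".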
