On Thu, Jun 28, 2012 at 9:14 AM, brycenesbitt <[email protected]>
wrote:
> I'm using django.contrib.comments and get 'CSRF token missing or
> incorrect.' when previewing or submitting a comment. I have:
...
The HTML looks like it has the csrf security_hash in the proper place:
> <form action="/comments/post/" method="post">
> <div><input type="hidden" name="object_pk" value="28" id="id_object_pk"
> /></div>
> <div><input type="hidden" name="timestamp" value="1340899354" id="
> id_timestamp" /></div>
> <div><input type="hidden" name="security_hash" value="
> 6e85e1c846861c80575ce435b21a855706725b00" id="id_security_hash" /></div>
> ...
The "security_hash" field that you see is part of the comments app, and is
not the CSRF token. That needs to be output by a {% csrf_token %} tag (or
its equivalent). If it's working, you should see another hidden input
field, which looks like this:
<div style="display:none">
<input type="hidden" name="csrfmiddlewaretoken"
value="36d43c1652d5676d6d411950e077eeaa1cc1f799"/>
</div>
The comments app normally does that automatically -- it's part of
django/contrib/comments/templates/form.html -- Are you overriding the
comment form in your own app? If so, you need to include the call to {%
csrf_token %} yourself.
@csrf_protect #does not matter if this is here or not
>
No, if you have the CSRFViewMiddleware installed, then you don't need this
line at all.
--
Regards,
Ian Clelland
<[email protected]>
--
You received this message because you are subscribed to the Google Groups
"Django users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/django-users?hl=en.
