From: Cecilia A. <cec...@lu...> - 2011-04-27 08:08:36
Hi Alaa,

Thanks for the suggestion, but it didn't work. I still got the same CSRF error when clicking the accept and reject buttons. However, looking at the Django sites listed below, I think the reason it didn't work is that your fix is for Django 1.2 and later only.

http://docs.djangoproject.com/en/1.1/ref/contrib/csrf/
http://docs.djangoproject.com/en/dev/ref/contrib/csrf/

Since I couldn't find any appropriate rpm packages for Django 1.2, I am unable at this point to update Django, and therefore applied the following (ugly) fix, and now I can review suggestions again.

In pootle/html/js/translatepage.js:

    /* Uncomment when using Django 1.2 or later */
    // if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
    //     // Only send the token to relative URLs i.e. locally.
    //     xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
    // }

    /* Uncomment when using Django 1.1 or earlier */
    if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
        // Only send the token to relative URLs i.e. locally.
        xhr.setRequestHeader("X-CSRFToken", $("#csrfmiddlewaretoken").val());
    }

Now I have to remember to change it back when I finally do upgrade Django... (>_<)

So if you can incorporate a more beautiful fix in the next Pootle release, that would be tremendously helpful. Maybe the following information can help you.

With your CSRF fix in translatepage.js unchanged, the X-CSRFToken in the request header is null:

    X-CSRFToken:null
    X-Requested-With:XMLHttpRequest

The relevant code in Django corresponding to the script csrf.py mentioned in the other thread seems, for Django 1.1.4, to be django/contrib/csrf/middleware.py:

    csrf_token = _make_token(session_id)
    # check incoming token
    request_csrf_token = request.POST.get('csrfmiddlewaretoken', '')
    if request_csrf_token == "":
        # Fall back to X-CSRFToken, to make things easier for AJAX
        request_csrf_token = request.META.get('HTTP_X_CSRFTOKEN', '')
        if request_csrf_token == "":
            return HttpResponseForbidden(_ERROR_MSG)
    if request_csrf_token != csrf_token:
        return HttpResponseForbidden(_ERROR_MSG)

Cecilia

-----Original Message-----
From: Alaa Abd El Fattah [mailto:al...@tr...]
Sent: Tuesday, April 26, 2011 7:47 PM
To: Cecilia Albertsson
Cc: Tra...@li...
Subject: Re: [translate-pootle] Cannot review suggestions after CentOS update

Try upgrading to 2.1.6 which we just released, it fixed the CSRF issue.

cheers,
Alaa
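The version-independent token lookup the message above asks for, as an added example that is not Pootle's translatepage.js nor the 2.1.6 change: it prefers the Django 1.2+ csrftoken cookie, falls back to the Django 1.1 hidden csrfmiddlewaretoken field, and attaches X-CSRFToken only to same-site URLs. It goes beyond the original regex by also treating protocol-relative "//host/..." URLs as foreign; the `env` object is a constructed stand-in for document.cookie and the hidden input so the code runs outside a browser.

```javascript
// Parse one cookie out of a document.cookie-style string; null if absent.
function getCookie(name, cookieString) {
  for (const part of (cookieString || '').split(';')) {
    const [k, ...rest] = part.trim().split('=');
    if (k === name && rest.length) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Django 1.2+ exposes the token in the csrftoken cookie; Django 1.1 only renders
// it as a hidden <input name="csrfmiddlewaretoken">. Try the cookie, then the field.
// `env` is a constructed stand-in: { cookieString, hiddenFieldValue }.
function resolveCsrfToken(env) {
  return getCookie('csrftoken', env.cookieString) || env.hiddenFieldValue || null;
}

// Same intent as the original /^http:/ and /^https:/ test, plus protocol-relative
// URLs, which also leave the site and must never receive the token.
function isSameSiteUrl(url) {
  return !/^(https?:)?\/\//i.test(url);
}

// Headers to add to an AJAX request, or null when nothing should be sent
// (foreign URL, or no token available on this page).
function csrfHeadersFor(url, env) {
  if (!isSameSiteUrl(url)) return null;
  const token = resolveCsrfToken(env);
  if (!token) return null;
  return { 'X-CSRFToken': token, 'X-Requested-With': 'XMLHttpRequest' };
}
```

In a jQuery beforeSend hook the result would be applied with xhr.setRequestHeader for each key; a null return means the request goes out without a token, which is the right outcome for a cross-site URL.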