This repository has been archived by the owner on Aug 12, 2020. It is now read-only.

DELETE causes 403 Forbidden errors #14

Closed
beambot opened this issue Jun 30, 2012 · 12 comments

Comments

@beambot

beambot commented Jun 30, 2012

Initial install works fine for adding. Deleting removes the image from the client side, but the server throws 403 forbidden error and never reaches PictureDetailView.delete (so the database record does not get deleted):

[29/Jun/2012 23:02:22] "DELETE /upload/delete/11 HTTP/1.1" 403 2294

Any pointers greatly appreciated.

This is using basic "manage.py runserver" (rather than nginx) on Django 1.4.

sigurdga added a commit that referenced this issue Jun 30, 2012
@sigurdga
Owner

I have not been able to reproduce the "forbidden" error, but deletion of file has been prioritised until now. Delete should work now. But maybe you'll still be stuck in the "forbidden"?

I'm closing it as delete now works nice on my side, using runserver in a virtualenv.

@beambot
Author

beambot commented Jun 30, 2012

That's so weird.... I did a pull and re-ran it:

[30/Jun/2012 11:46:36] "GET /static/img/loading.gif HTTP/1.1" 200 3897
[30/Jun/2012 11:46:36] "GET /upload/new/ HTTP/1.1" 200 8736
[30/Jun/2012 11:46:40] "POST /upload/new/ HTTP/1.1" 200 228
[30/Jun/2012 11:46:41] "GET /media/pictures/20100212_SnowInATL_reduced.jpg HTTP/1.1" 200 178338
[30/Jun/2012 11:46:42] "DELETE /upload/delete/12 HTTP/1.1" 403 2294
[30/Jun/2012 11:48:03] "POST /upload/new/ HTTP/1.1" 200 203
[30/Jun/2012 11:48:03] "GET /media/pictures/20100212_SnowInATL.jpg HTTP/1.1" 200 422977
[30/Jun/2012 11:48:30] "DELETE /upload/delete/1 HTTP/1.1" 403 2294

This is in a virtualenv (no site packages) with:

Django==1.4
Fabric==1.4.1
Paste==1.7.5.1
Pillow==1.7.7
PyYAML==3.10
WebOb==1.2
distribute==0.6.24
fanstatic==0.11.4
ipdb==0.6.1
ipython==0.12.1
psycopg2==2.4.5
pycrypto==2.5
ssh==1.7.13
wsgiref==0.1.2
yolk==0.4.3

I deactivated the virtualenv and tried to run with my system-level django, AND IT WORKED JUST FINE! Am I forgetting some trivial dependency in my virtualenv? Would you mind sharing your pip requirements setting?

@sigurdga sigurdga reopened this Jun 30, 2012
@sigurdga
Owner

Thank you so far. When checking the installed packages in the virtualenv, I saw I had an old django (1.3.1). After upgrading I now have the same "forbidden" error. It seems we have some changes to how CSRF is working in 1.4. I'll keep you posted!

@sigurdga
Owner

I added a csrf.js that will add a csrf header to all ajax requests. Fixed in commit 297bc51

@sigurdga
Owner

Just for the record, my virtualenv now contains:

Django==1.4
Pillow==1.7.7
argparse==1.2.1
distribute==0.6.19
ipython==0.11
wsgiref==0.1.2

@beambot
Author

beambot commented Jul 1, 2012

Everything works great now -- awesome. Thanks man, you rock!

@sigurdga
Owner

sigurdga commented Jul 1, 2012

Thanks! Glad we got this working.

@esacteksab

I experience this same issue with the latest code base. Here are dpastes of settings/configs/etc.

csrf: http://dpaste.org/fgb5p/
html: http://dpaste.org/AdBaS/
rendered page source: http://dpaste.org/wkFQq/
views: http://dpaste.org/wQTRw/
error: http://dpaste.org/f5L7v/
docs: https://docs.djangoproject.com/en/dev/ref/contrib/csrf/ and https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#django.views.decorators.csrf.ensure_csrf_cookie

At this point I believe it has something to do with the template, I'm just not sure how/why. I have this in another Django project and it works just fine.

Current project's packages: http://dpaste.org/IHfO7/
Working Django project's packages: dpaste.org/BPOOX/

@beambot
Author

beambot commented Aug 6, 2012

Perhaps jquery isn't being loaded. Looking at your rendered page source, you're missing "http:"

<script src="//ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>

@esacteksab

I downloaded jquery.min.js locally:

<script src="{{ STATIC_URL }}js/jquery.min.js"></script>

Same behavior.

@beambot
Author

beambot commented Aug 6, 2012

Somehow, your rendered HTML has duplicated code:

<script src="//ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
<script src="/site_media/static/js/jquery.ui.widget.js"></script>
<script src="/site_media/static/js/tmpl.min.js"></script>
<script src="/site_media/static/js/load-image.min.js"></script>
<script src="/site_media/static/js/canvas-to-blob.min.js"></script>
<script src="/site_media/static/js/bootstrap.min.js"></script>
<script src="/site_media/static/js/bootstrap-image-gallery.min.js"></script>
<script src="/site_media/static/js/jquery.iframe-transport.js"></script>
<script src="/site_media/static/js/jquery.fileupload.js"></script>
<script src="/site_media/static/js/jquery.fileupload-fp.js"></script>
<script src="/site_media/static/js/jquery.fileupload-ui.js"></script>
<script src="/site_media/static/js/locale.js"></script>
<script src="/site_media/static/js/main.js"></script>

I just ran it locally, and that shouldn't happen. Furthermore, the first instance of this code is preceded by the csrf include. The second version is not.... so the csrf protection is (probably) not getting called on the superseding (final) include....?

@esacteksab

You're correct. I had picture_form.html which included these files. But it inherited from base.html (from my project) which also included these same files. Removing these links in picture_form.html fixed my issue.
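
As an added example (not the project's csrf.js from commit 297bc51, and not code posted by anyone in this thread), here is the Django 1.4 pattern the fix relies on: read the `csrftoken` cookie and send it as an `X-CSRFToken` header on every unsafe AJAX request, which is what lets the `DELETE /upload/delete/<id>` call pass `CsrfViewMiddleware` instead of getting a 403 before it reaches `PictureDetailView.delete`. It also covers the second problem in the thread: the hook is registered on one jQuery instance, so a second `<script src="jquery.min.js">` after csrf.js replaces `window.jQuery` and silently drops the hook. The function names, the `installCsrfHook` helper, and the cookie string used for testing are assumptions made for illustration.

```javascript
// Added example: Django-style CSRF header injection for AJAX requests.
// Not the project's csrf.js; function names and the sample cookie are assumptions.

// Methods Django's CsrfViewMiddleware does not check (HTTP "safe" methods).
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/.test(String(method).toUpperCase());
}

// Pull a single cookie value out of a document.cookie-style string.
function getCookie(cookieString, name) {
  if (!cookieString) return null;
  var parts = cookieString.split(';');
  for (var i = 0; i < parts.length; i++) {
    var cookie = parts[i].trim();
    if (cookie.substring(0, name.length + 1) === name + '=') {
      return decodeURIComponent(cookie.substring(name.length + 1));
    }
  }
  return null;
}

// Return a copy of `headers` with X-CSRFToken added when the request is
// unsafe (POST/PUT/DELETE/...), same-origin, and the csrftoken cookie exists.
// Cross-domain requests are skipped so the token is never sent to another site.
function withCsrfHeader(method, headers, cookieString, crossDomain) {
  var out = {};
  for (var k in headers) {
    if (Object.prototype.hasOwnProperty.call(headers, k)) out[k] = headers[k];
  }
  if (csrfSafeMethod(method) || crossDomain) return out;
  var token = getCookie(cookieString, 'csrftoken');
  if (token !== null) out['X-CSRFToken'] = token;
  return out;
}

// Register the header hook on a jQuery instance via $.ajaxSetup.
// Caveat from the thread: this must be called on the SAME jQuery object that
// later sends the request. Including jquery.min.js a second time (as the
// duplicated base.html + picture_form.html includes did) creates a fresh
// jQuery without this hook, and every DELETE goes out without the header.
function installCsrfHook($, getCookieString) {
  $.ajaxSetup({
    beforeSend: function (xhr, settings) {
      var headers = withCsrfHeader(settings.type, {}, getCookieString(), settings.crossDomain);
      for (var h in headers) {
        if (Object.prototype.hasOwnProperty.call(headers, h)) xhr.setRequestHeader(h, headers[h]);
      }
    }
  });
}

// In a browser, wire the hook to the page's jQuery and cookies.
if (typeof jQuery !== 'undefined') {
  installCsrfHook(jQuery, function () { return document.cookie; });
}
```

To check a deployment, watch the `DELETE` in the browser's network panel: a request that carries `X-CSRFToken` matching the `csrftoken` cookie reaches the view; one without it is rejected by the middleware with 403 before any view code runs, which is exactly what the `runserver` log lines above show.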

3 participants