5

I have a login form that I want to be available in all my views, so I created a context processor to add this form to every loaded context.

The problem is that {% csrf_token %} on the form template won't render the hidden input tag with the CSRF token value.

This is the context_processor order in settings.py:

TEMPLATE_CONTEXT_PROCESSORS = (
    'django.contrib.auth.context_processors.auth',
    'django.core.context_processors.debug',
    'django.core.context_processors.i18n',
    'django.core.context_processors.media',
    'django.core.context_processors.static',
    'django.core.context_processors.tz',
    'django.contrib.messages.context_processors.messages',
    'django.core.context_processors.request',
    'django.core.context_processors.csrf',
    'absolute.context_processors.absolute',
    'myproject.app.context_processors.base',
)

And then the processor itself on app/context_processors.py:

from django.contrib.auth.forms import AuthenticationForm

def base(request):
    context = dict()
    if not request.user.is_authenticated():
        context['login_form'] = AuthenticationForm()
    return context

The form template:

{% load i18n %}

<form method="post" action="{% url "django.contrib.auth.views.login" %}">

    {% csrf_token %}
    <input type="hidden" name="next" value="{% if request.GET.next %}{{ request.GET.next }}{% else %}{{ request.get_full_path }}{% endif %}" />

    {{ login_form.as_p }}

    <input type="submit" class="button success expand" value="{% trans 'Login' %}" />

</form>

The HTML output for this form:

<form action="/accounts/login/" method="post">


    <input type="hidden" value="/" name="next">

    <p><label for="id_username">Usuário:</label> <input type="text" name="username" maxlength="254" id="id_username"></p>
    <p><label for="id_password">Senha:</label> <input type="password" name="password" id="id_password"></p>

    <input type="submit" value="Login" class="button success expand">

</form>

And the error I get when submitting it:

CSRF verification failed. Request aborted.

However, and as I'm only using class-based views, if I add a csrf_protect decorator the form will work, but like this I would have to declare the dispatch method in all my views:

from django.views.decorators.csrf import csrf_protect

class HomeView(TemplateView):
    template_name = 'home.html'

    @method_decorator(csrf_protect)
    def dispatch(self, *args, **kwargs):
        return super(HomeView, self).dispatch(*args, **kwargs)

Problem status

I gave up from putting the AuthenticationForm on all my views by creating a login form page. Anyway, it would still be awesome if someone could help me find a solution for this problem.

vmassuchetto
  • 1,529
  • 1
  • 20
  • 44
  • A guess: Remove `myproject.` from `'myproject.app.context_processors.base'` – Steinar Lima Jan 08 '14 at 01:14
  • What is the output html when the template is rendered? Whether or not the csrf_token is displayed should not be affected by you using a context processor. Are you using javascript at all? – Alasdair Jan 08 '14 at 01:19
  • 1
    @SteinarLima, removing `myproject` from the context processor import string will give me an import error: `No module named app.context_processors` – vmassuchetto Jan 08 '14 at 09:28
  • @Alasdair, see the edit for the HTML output. The form is placed inside a Zurb Foundation modal, so it appears by using JavaScript, but is submitted by a synchronous POST request. – vmassuchetto Jan 08 '14 at 09:34
  • I can't see any problems with the code you've posted. Maybe I've missed something, or maybe it's an issue with the way you're using the Zurb foundation modal. It might be worth including the form outside of the modal, to confirm that it's not the cause. – Alasdair Jan 08 '14 at 09:53
  • Well @Alasdair, i tried to put the form in several places. It seems not to be related to Foundation. – vmassuchetto Jan 08 '14 at 23:08
  • I don't have any other suggestions I'm afraid. Hope you figure out what the problem is. – Alasdair Jan 08 '14 at 23:12
  • Ok. Couldn't find until now. It's getting really annoying. Thank you for your comments @Alasdair. – vmassuchetto Jan 09 '14 at 09:59
  • Is the form template you posted the same as home.html? If not, how is the form template being included in home.html? – Collin Anderson Jan 24 '14 at 18:24
  • What version of django are you using? in django 1.1, the csrf_token tag doesn't do anything. – Collin Anderson Jan 24 '14 at 18:25

2 Answers2

3

I've spent a couple of hours fighting an issue similar to the one you've described here. The {% csrf_token %} wasn't rendering anything and I was seeing this when in debug mode:

defaulttags.py:66: UserWarning: A {% csrf_token %} was used in a template, but the context did not provide the value. This is usually caused by not using RequestContext.

I was using a simple view that inherited from a TemplateView:

class MenuIndexView(TemplateView):
    template_name = 'menu/index.html'

    def get_context_data(self, **kwargs):
        kwargs = super().get_context_data(**kwargs)

        session = self.request.session
        kwargs['zip_code'] = session.get('zip_code')
        kwargs['calendar'] = helpers.get_menu_calendar(date.today() + timedelta(days=1), timedelta(days=14))
        kwargs['forms'] = {'zip_code': forms.ZipCodeForm({'zip_code': session.get('zip_code')})}

        return kwargs

After fussing around a bit under Django's I realized that pretty much no context at all was available where the tag was being generated (CsrfTokeNode on Django's defaulttags.py file):

class CsrfTokenNode(Node):
    def render(self, context):
        csrf_token = context.get('csrf_token', None)
        if csrf_token:
            if csrf_token == 'NOTPROVIDED':
                return format_html("")
            else:
                return format_html("<input type='hidden' name='csrfmiddlewaretoken' value='{}' />", csrf_token)
        else:
            # It's very probable that the token is missing because of
            # misconfiguration, so we raise a warning
            if settings.DEBUG:
                warnings.warn(
                    "A {% csrf_token %} was used in a template, but the context "
                    "did not provide the value.  This is usually caused by not "
                    "using RequestContext."
                )
            return ''

In this point of the code I was only seeing an item within the context, with a zip_code key.

I opened up the main template file and realized that I was making a rookie mistake - this was my main template menu/index.html:

{% extends 'base.html' %}

{% block content %}
    <div class="menu-order-meta zip_calendar">
        <div class="ink-grid align-center">
            <div class="column-group gutters half-vertical-padding medium">
                {% include 'partials/menu/zip-code.html' with zip_code=zip_code only %}
            </div>
        </div>
    </div>
{% endblock %}

I was including the form through a partial template and I was explicitly restricting the available context within that partial template - notice the with zip_code=zip_code only declaration - (and by doing so, implicitly turning the csrf_token context processor unavailable).

Diogo
  • 919
  • 1
  • 7
  • 11
0

Maybe are you missing django.middleware.csrf.CsrfViewMiddleware in MIDDLEWARE_CLASSES ?

MIDDLEWARE_CLASSES = (
    ....
    'django.middleware.csrf.CsrfViewMiddleware',
    ....
)
Robert
  • 651
  • 1
  • 6
  • 18