
Getting an error with a HiddenInput field called "security_hash"

It says in the documentation that, had I used {{ form }} in my template, these values would have been created automatically.

But I am not using a template, rather just the comments/post/ endpoint with POST data as follows:

[screenshot of the POST fields, not reproduced here]

How can I get the security_hash value without this extra view to pass in as POST value?

Edit: I am thinking, would it be possible and advisable to pass the {{ form.security_hash }} value from the template/view to the form behind the scenes so this error can be averted?

Edit2: For clarification, the security_hash field in question is shown here in code. The security_hash value looks like it is being generated from the 'initial_security_hash' function, which uses the content_type, object_pk, and timestamp fields to generate a hash on line 73; this function is called on line 69.

Due to this I am also further confused as to why my input is not being accepted, as I pass in the content_type, object_pk, and timestamp fields.

  • Can you give more details about your actual calling context? Where are you initiating the POST request? I’m guessing you are not actually using the provided `CommentSecurityForm`. What is your actual context? – metahamza Dec 19 '15 at 14:29
  • @metahamza I am making a call at the /post/ endpoint as specified in the urls.py file (https://github.com/django/django-contrib-comments/blob/master/django_comments/urls.py#L11), which links to this view (https://github.com/django/django-contrib-comments/blob/master/django_comments/views/comments.py#L34). I am providing all the details as shown in the picture in my question with my POST call. – ArdentBlaze Dec 22 '15 at 01:12
  • Yes that makes sense, I meant more like, where does the POST call initiate from? From an AJAX call in JavaScript? From a worker process? Another Django view? – metahamza Dec 22 '15 at 13:23
  • If my answer works for you, please mark it as such! Thanks :) – metahamza Dec 24 '15 at 14:38
  • @metahamza sorry about the delay, was on a bit of a break. My context, btw, was an iOS app using a REST POST call. – ArdentBlaze Dec 24 '15 at 15:39
  • I tried your answer out, but `CommentSecurityForm(users.MyUser)` cannot be instantiated in this way as I get `_get_pk_val() missing argument: 'self'`; I could not figure out the exact way to do so for my use case. I think a custom class which inherits from CommentSecurityForm and in the create method calls generate_security_data could work. But I don't think this hash is providing me much security (it just ensures that the target object for the comment is not changed). Thus I think it is best for my case to patch this security check away. Your answer provides the right direction though; I'll add relevant comments later. – ArdentBlaze Dec 24 '15 at 15:49
  • Ok, makes sense! Yeah, it's a bit tricky; it seems that the comments framework originally intended for you to build this form via a provided template tag, which is a bit of a black box. Glad my answer helped point a direction. Cheers – metahamza Dec 24 '15 at 16:04

1 Answer


This is happening because the security hash is generated from an instantiated CommentSecurityForm. Then the security hash value is included as a hidden field and passed back through the POST request, at which time it is validated.

Even though you are passing the content_type, object_pk, and timestamp fields in the request, it doesn't matter, because you need to have the security_hash value before the POST request is submitted.

Look at the code here - https://github.com/django/django-contrib-comments/blob/master/django_comments/forms.py#L62

I’m guessing you are not using the provided CommentSecurityForm, which would include the security validation fields automatically.

If that assumption is correct, you should instantiate the form, something like (the form takes the model instance the comment is attached to, not the model class):

from django_comments.forms import CommentSecurityForm
target_object = users.MyUser.objects.get(pk=object_pk)  # a model instance, not the class
my_form = CommentSecurityForm(target_object)
security_dict = my_form.generate_security_data()

Then, this security_dict contains the following keys - content_type, object_pk, timestamp, security_hash. You'll then need to pass these values to whatever context your POST request initiates from and include them in the request for the security validation to pass.

metahamza
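The derivation the question's Edit2 points at (initial_security_hash / generate_security_hash in the linked forms.py) and the generate_security_data() call in the answer above, as an added stand-alone example that is not code from the original post or from django-contrib-comments. It rebuilds the hash the same way the linked forms.py does (Django's salted_hmac construction, an HMAC-SHA1 keyed with sha1(key_salt + SECRET_KEY), over "content_type-object_pk-timestamp" with the salt "django.contrib.forms.CommentSecurityForm") and the two checks the form runs when the fields come back in a POST. The SECRET_KEY value, the target object (content type "users.myuser", pk 7) and the timestamps are constructed for the example; function names such as check_security_fields are this example's own, not the library's.

```python
import hashlib
import hmac
import time

# Constructed for this example: stand-in for settings.SECRET_KEY.
SECRET_KEY = "example-secret-key-do-not-use"
# Salt used by CommentSecurityForm.generate_security_hash in django_comments/forms.py.
KEY_SALT = "django.contrib.forms.CommentSecurityForm"
# clean_timestamp() rejects submissions whose timestamp is more than two hours old.
TIMESTAMP_WINDOW = 2 * 60 * 60


def salted_hmac(key_salt, value, secret):
    """Same construction as django.utils.crypto.salted_hmac (SHA-1 HMAC keyed
    with sha1(key_salt + secret)); re-implemented so the example runs without Django."""
    key = hashlib.sha1(key_salt.encode() + secret.encode()).digest()
    return hmac.new(key, msg=value.encode(), digestmod=hashlib.sha1)


def generate_security_hash(content_type, object_pk, timestamp, secret=SECRET_KEY):
    """The 40-hex-char hash over the three fields the POST must carry."""
    value = "-".join((content_type, object_pk, timestamp))
    return salted_hmac(KEY_SALT, value, secret).hexdigest()


def generate_security_data(content_type, object_pk, now=None, secret=SECRET_KEY):
    """What CommentSecurityForm.generate_security_data() returns for a target
    object: the three hidden fields plus the hash that binds them together."""
    timestamp = str(int(time.time() if now is None else now))
    return {
        "content_type": content_type,
        "object_pk": str(object_pk),
        "timestamp": timestamp,
        "security_hash": generate_security_hash(content_type, str(object_pk), timestamp, secret),
    }


def check_security_fields(post, now=None, secret=SECRET_KEY):
    """Mirror clean_timestamp() and clean_security_hash(): enforce the two-hour
    window, then recompute the hash from the posted fields and compare it in
    constant time. Returns a list of error strings; an empty list means accepted."""
    errors = []
    try:
        ts = int(post.get("timestamp", ""))
    except ValueError:
        return ["Timestamp check failed"]
    now = time.time() if now is None else now
    if now - ts > TIMESTAMP_WINDOW:
        errors.append("Timestamp check failed")
    expected = generate_security_hash(
        post.get("content_type", ""), post.get("object_pk", ""), post.get("timestamp", ""), secret
    )
    if not hmac.compare_digest(expected, post.get("security_hash", "")):
        errors.append("Security hash check failed.")
    return errors


if __name__ == "__main__":
    # Constructed sample: a comment on users.MyUser pk 7, minted and posted at the same time.
    now = 1450000000
    data = generate_security_data("users.myuser", 7, now=now)
    print(data)
    print(check_security_fields(data, now=now))
    # Retargeting the comment to another object without re-minting the hash is rejected.
    print(check_security_fields(dict(data, object_pk="8"), now=now))
    # Replaying the same fields after the window is rejected.
    print(check_security_fields(data, now=now + TIMESTAMP_WINDOW + 1))
```

The hash is keyed with the server's SECRET_KEY, so a client that only knows content_type, object_pk and timestamp cannot mint a valid security_hash itself; that is why posting those three fields without the hash fails, and why the values have to come from a server-side call to generate_security_data() (or a view that returns them) before the POST is made.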