1

I am using django-threadedcomments. Everything works fine except 2 things: csrf token and user template tag.

Problem is, when user submits a comment, there is no csrf token for the form, so the form could not be validated server-side. Tried adding csrf token to the dictionaries that threaded-comments passes internal with no result; kept receiving errors (most of them telling that this-method takes only 2 arguments with 3 given). Tried to fix those methods to accept 3 arguments and just pass third one further; no success.

Has anyone stumbled upon the same problem in the past and solved it? Because this is not an acceptable solution for me:

MIDDLEWARE_CLASSES = (
    #'django.middleware.csrf.CsrfViewMiddleware',
)

Second one - there is an HTML helper to get the user_id for the user who posted a comment. Is there an out-of-the-box HTML helper to get the name of the user by id, or would I have to write it myself?

http://code.google.com/p/django-threadedcomments/

Here is the code for the project. I can't really tell exactly which chunks of it should be posted here, so I'll just give a link to the entire project.

I am really stuck in here and any help would be welcomed.

Thanks in advance.

Ruslan

3 Answers

1

You should use the {% csrf_token %} tag or @csrf_protect in your views.

errx
  • Whenever a {% csrf_token %} tag is used it should be provided by the view that was called, problem is: Tried adding csrf token to the dictionaries that threaded-comments passes internal with no result; kept receiving errors (most of them telling that this-method takes only 2 arguments with 3 given). Tried to fix those methods to accept 3 arguments and just pass third one further; no success. – Ruslan Jan 30 '11 at 12:20
  • Did you try to use the decorator method? – errx Jan 30 '11 at 12:24
  • btw: why don't you want to use CsrfViewMiddleware? – errx Jan 30 '11 at 12:25
  • Yes - it ignores it completely, doing nothing. And when I submit the form it gives a 403 csrf error. – Ruslan Jan 30 '11 at 12:30
  • Maybe you forgot to pass context? context_instance=RequestContext(request)) – errx Jan 30 '11 at 12:34
  • I said in the description of my problem that if I try to, I get an error. That's the point - I don't know how to fix that issue. That's what I asked in the first place. – Ruslan Jan 30 '11 at 12:45
1

Tried adding csrf token to the dictionaries that threaded-comments passes internal with no result;

csrf_token is a template tag -- it shouldn't be passed as an argument somewhere.

I took a look at threadedcomments and it's based on contrib.comments with no html rendering, so it's up to you to insert the csrf_token in your template.

What does your TEMPLATE code look like that is displaying your form code?

If you have CsrfViewMiddleware enabled and you are using RequestContext in your view, you simply need to add {% csrf_token %} inside of your <form></form> tags.

As for getting the user name:
ThreadedComment is a subclass of Comment, which has a name property, or you could just access the User directly...

{% for comment in comments %}
    {{ comment.user.first_name }}
    {{ comment.name }}
{% endfor %}
Yuji 'Tomita' Tomita
-1

You can put your form in its own template and {% include %} it into your page template. As of Django 1.3, {% include %} can pass context variables to the included template. Here's what I'm using with django.contrib.comments instead of a templatetag:

...
{% include "comments/comment-form.html" with content_object=article user=request.user %}
...

{% csrf_token %} works in this included template because it's using your main view context.

gjost