在 django 项目中删除文件时出现 403 FORBIDDEN

Posted 2023-05-09

【中文标题】在 django 项目中删除文件时出现 403 FORBIDDEN

【英文标题】：403 FORBIDDEN when delete file in django project

【发布时间】：2016-10-11 18:50:38

【问题描述】：

将django-jquery-file-upload 集成到我的 Django 项目中。现在上传和查看列表工作。但无法删除文件。

详情：

文件在 /opt/data/myproject/uploads/picture

权限：

drwxrwxrwx 2 daemon daemon 39 Jun 10 15:50 图片

class FileListView(ListView):
    model = Picture

    def render_to_response(self, context, **response_kwargs):
        files = [ serialize(p) for p in self.get_queryset() ]
        data = 'files': files
        response = JSONResponse(data, mimetype=response_mimetype(self.request))
        response['Content-Disposition'] = 'inline; filename=files.json'
        return response

picture_form.html 的一部分：

<form id="fileupload" method="post" action="." enctype="multipart/form-data">% csrf_token %

setting.py

MIDDLEWARE_CLASSES = (
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'lib.middleware.SessionTimeout',
    'django.middleware.csrf.CsrfViewMiddleware',
    #'django.middleware.csrf.CsrfResponseMiddleware',
    #'django.middleware.security.SecurityMiddleware',
    'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
)

请求

Host: xxx
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-CSRFToken: xxxxx
X-Requested-With: XMLHttpRequest
Referer: https://myip/myprojectl/upload/new/
Cookie: csrftokenportal=a
zk; 
csrftokenmy=DKoPqrRjSd;
     sessionidcentral=k88cccccc3; 
csrftoken=xxxxxxxxxxxxx
Connection: keep-alive

DELETE https://myip/myproject/upload/delete/22

错误

403 禁止

有什么想法吗？谢谢

更多详情

CSRF verification failed. Request aborted.
Help

Reason given for failure:

    CSRF token missing or incorrect.


In general, this can occur when there is a genuine Cross Site Request Forgery, or when Django's CSRF mechanism has not been used correctly. For POST forms, you need to ensure:

    Your browser is accepting cookies.
    The view function uses RequestContext for the template, instead of Context.
    In the template, there is a % csrf_token % template tag inside each POST form that targets an internal URL.
    If you are not using CsrfViewMiddleware, then you must use csrf_protect on any views that use the csrf_token template tag, as well as those that accept the POST data.

You're seeing the help section of this page because you have DEBUG = True in your Django settings file. Change that to False, and only the initial error message will be displayed.

You can customize this page using the CSRF_FAILURE_VIEW setting.

看了doc，看来这三个要求我已经做到了。

【问题讨论】：

也许这可以帮助你：***.com/questions/4547639/…

@gglasses 试过了，仍然卡在这个问题上。也许我做错了什么。或缺少什么。

【参考方案1】：

我找到了原因。我的 django 项目重命名了 csrftoken，但是在下载的 js 文件中，使用了“csrftoken”。结果，我的程序找不到 csrftoken。