From aab4da3a7ee20a2adc20e0a135c7522ce8626829 Mon Sep 17 00:00:00 2001
From: ahmetkotan
Date: Thu, 31 Jan 2019 02:18:37 +0300
Subject: [PATCH] fixed authentication permissions

---
 pins/views.py                      |  1 -
 restpi/settings/local.py           |  8 +++++++-
 restpi/settings/shared.py          | 11 ++--------
 statics/static_dirs/js/pintable.js |  9 +++++++--
 templates/pins/index.html          |  1 +
 5 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/pins/views.py b/pins/views.py
index 5082713..0298749 100644
--- a/pins/views.py
+++ b/pins/views.py
@@ -46,7 +46,6 @@ class PinView(PaginationAPIView):
         if not pin:
             return Response({"physical": "No pin number."})
-
         serializer = self.serializer_class(data=request.data)
         serializer.is_valid(raise_exception=True)
diff --git a/restpi/settings/local.py b/restpi/settings/local.py
index 26fe172..86b61c3 100644
--- a/restpi/settings/local.py
+++ b/restpi/settings/local.py
@@ -1,4 +1,10 @@
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = True
-ALLOWED_HOSTS = ['*']
\ No newline at end of file
+ALLOWED_HOSTS = ['*']
+CORS_ALLOW_CREDENTIALS = True
+CORS_ORIGIN_ALLOW_ALL = True
+CORS_ORIGIN_WHITELIST = (
+    'localhost',
+    'http//:localhost:63342'
+)
\ No newline at end of file
diff --git a/restpi/settings/shared.py b/restpi/settings/shared.py
index a983478..a99c02c 100644
--- a/restpi/settings/shared.py
+++ b/restpi/settings/shared.py
@@ -131,7 +131,7 @@ REST_FRAMEWORK = {
         'rest_framework.permissions.IsAuthenticated',
     ),
     'DEFAULT_AUTHENTICATION_CLASSES': (
-        'rest_framework.authentication.BasicAuthentication',
+        'rest_framework.authentication.SessionAuthentication',
         'tokenauth.auth.TokenAuthentication',
     ),
     'DEFAULT_PARSER_CLASSES': (
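Review bot: `CORS_ORIGIN_ALLOW_ALL = True` next to `CORS_ALLOW_CREDENTIALS = True` in the local.py hunk makes django-cors-headers reflect whatever Origin the browser sends back as Access-Control-Allow-Origin with credentials permitted, so the whitelist two lines below is never consulted and, with SessionAuthentication now the default authenticator, any site a logged-in user visits can read API responses using that user's session. The whitelist entry `'http//:localhost:63342'` is also malformed (`http//:` for `http://`) and `'localhost'` carries neither scheme nor port, so neither would match the dev front-end origin even if the whitelist were honoured. This is the DEBUG=True local config, so the exposure is limited to development, but the safer shape is to drop the `CORS_ORIGIN_ALLOW_ALL = True` line and keep only the real origin: `CORS_ORIGIN_WHITELIST = ('http://localhost:63342',)`. Whether the scheme is required in the whitelist depends on the installed django-cors-headers version (3.x requires it), which the diff does not show.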
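Review bot: With `'rest_framework.authentication.SessionAuthentication'` now first in DEFAULT_AUTHENTICATION_CLASSES, an unauthenticated request is answered with 403 and no WWW-Authenticate header, because DRF derives the challenge from the first authenticator and SessionAuthentication supplies none; under BasicAuthentication the same request got a 401. Token clients that branch on 401 to re-authenticate will no longer see it, so if that matters list `'tokenauth.auth.TokenAuthentication'` first and SessionAuthentication second — authentication is still attempted in order either way. SessionAuthentication also enforces Django's CSRF check on unsafe methods for session users, which is why the pintable.js and index.html hunks add the token; a one-line comment above the tuple recording that coupling, e.g. `# SessionAuthentication enforces CSRF: browser clients must send X-CSRFToken (see pintable.js)`, would save the next reader a hunt.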
@@ -146,11 +146,4 @@ REST_FRAMEWORK = {
     'DEFAULT_FILTER_BACKENDS': ('django_filters.rest_framework.DjangoFilterBackend',),
     'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.PageNumberPagination',
     'PAGE_SIZE': 40,
-}
-
-CORS_ALLOW_CREDENTIALS = True
-CORS_ORIGIN_ALLOW_ALL = True
-CORS_ORIGIN_WHITELIST = (
-    'localhost',
-    'http//:localhost:63342'
-)
\ No newline at end of file
+}
\ No newline at end of file
diff --git a/statics/static_dirs/js/pintable.js b/statics/static_dirs/js/pintable.js
index b11d2d6..9c82bfa 100644
--- a/statics/static_dirs/js/pintable.js
+++ b/statics/static_dirs/js/pintable.js
@@ -15,6 +15,7 @@ app.controller('pinTableController', function($scope, $http) {
         return new_pinlist;
     };
+    var token = document.getElementsByName("csrfmiddlewaretoken")[0].value;
     $http.get("/pins/api/")
         .then(function(response) {
             $scope.pinlist = response.data.results;
@@ -23,7 +24,9 @@ app.controller('pinTableController', function($scope, $http) {
     $scope.change_mode = function (physical, mode_code) {
         var url = "/pins/api/" + physical;
-        $http.post(url, {mode: mode_code}, {headers: {'Content-Type': 'application/json'}})
+        $http.post(url,
+            {mode: mode_code},
+            {headers: {'Content-Type': 'application/json', 'X-CSRFToken': token}})
             .then(function (response) {
                 if(response.status == 200 && response.data.operation){
                     console.log(response.data.pin);
@@ -39,7 +42,9 @@ app.controller('pinTableController', function($scope, $http) {
     $scope.change_value = function (physical) {
         var url = "/pins/api/" + physical;
         var new_value = ($scope.pinlist[physical-1].value) ? 0 : 1
-        $http.post(url, {value: new_value}, {headers: {'Content-Type': 'application/json'}})
+        $http.post(url,
+            {value: new_value},
+            {headers: {'Content-Type': 'application/json', 'X-CSRFToken': token}})
             .then(function (response) {
                 if(response.status == 200 && response.data.operation){
                     $scope.pinlist[physical-1] = response.data.pin;
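Review bot: `document.getElementsByName("csrfmiddlewaretoken")[0].value` in the first pintable.js hunk throws a TypeError whenever no such input is rendered (any page that loads this controller without the `{% csrf_token %}` tag), and because it runs during controller construction the whole pin table fails to load rather than only the POSTs. A guarded read keeps the GET working and makes a missing token visible at the POST instead: `var tokenInput = document.getElementsByName("csrfmiddlewaretoken")[0];` / `var token = tokenInput ? tokenInput.value : "";`. AngularJS's built-in XSRF support could also supply the header without touching the DOM, via `$httpProvider.defaults.xsrfCookieName = 'csrftoken'` and `$httpProvider.defaults.xsrfHeaderName = 'X-CSRFToken'` in a config block, provided the CSRF cookie is readable by script, which the diff does not show. The enclosing controller function starts and ends outside the hunk.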
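Review bot: The headers object `{'Content-Type': 'application/json', 'X-CSRFToken': token}` is spelled out in full in the change_mode hunk and again in the change_value hunk below it; defining it once beside the token, `var postConfig = {headers: {'Content-Type': 'application/json', 'X-CSRFToken': token}};`, and passing `postConfig` as the third argument to both `$http.post` calls keeps the two requests from drifting apart when a header is added or renamed. Both change_mode and change_value bodies continue past their hunks.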
diff --git a/templates/pins/index.html b/templates/pins/index.html
index 32c2497..a2e1f3d 100644
--- a/templates/pins/index.html
+++ b/templates/pins/index.html
@@ -3,6 +3,7 @@
 {% block title %}Pins{% endblock %}
 {% block mainarea %}
+    {% csrf_token %}