Forums

default admin django under facebook canvas /admin/ page

I make a default application facebook with django and pythonanyware.

The admin page workin well under webpage , but when I try to access it from facebook canvas with

https://apps.facebook.com/........../admin/

I got this error : Forbidden (403)

CSRF verification failed. Request aborted.

...

"Referer checking failed - https://apps.facebook.com/.../admin/ does not match https://myuser___.pythonanywhere.com/.
In general, this can occur when there is a genuine Cross Site Request Forgery, or when Django's CSRF mechanism has not 
been used correctly. For POST forms, you need to ensure:
The view function uses RequestContext for the template, instead of Context.
In the template, there is a {% csrf_token %} template tag inside each POST form that targets an internal URL.
If you are not using CsrfViewMiddleware, then you must use csrf_protect on any views that use the csrf_token template tag, as  
well as those that accept the POST data."

Also if I try to open the facebook app in browser i got this error :

"400 Bad Request Missing signed_request."

But working well under canvas

In settings.py I put this :

TEMPLATE_LOADERS = (
    #'django.template.loaders.filesystem.Loader',
    #'django.template.loaders.app_directories.Loader',

     'django.template.loaders.eggs.Loader',
)

MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    #'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django_facebook.middleware.FacebookMiddleware',
    'django.middleware.transaction.TransactionMiddleware',
)



TEMPLATE_CONTEXT_PROCESSORS = [
    'django.core.context_processors.request',

    ##'django.core.context_processors.auth',
    'django.contrib.auth.context_processors.auth',
]

and also 

INSTALLED_APPS = (
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.sites',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'django_facebook',

    # Uncomment the next line to enable the admin:
    'django.contrib.admin',
    'mysitet.myfacebookapp',
    # Uncomment the next line to enable admin documentation:
    #'django.contrib.admindocs',
)

Thank's . Regards.

deleted-user-4399 | 2 posts | July 9, 2013, 3:03 p.m. | permalink

Django does CSRF checking for POST requests and Facebook doesn't send the CSRF token, so you need to make the view csrf_exempt. Here are some docs.

There's some discussion on StackOverflow and on our forums about the missing_signed_request.

Staff glenn | 10041 posts | PythonAnywhere staff | July 9, 2013, 4:12 p.m. | permalink

Doing something similar with LinkedIn and I'm getting the 403 error in Flask, how do I fix it in Flask?

mritchie712 | 54 posts | Feb. 18, 2015, 8:45 p.m. | permalink

Hi there, I'll try and answer your questions in the other thread you cross-posted, if that's ok.

Staff harry | 2710 posts | PythonAnywhere staff | Feb. 19, 2015, 12:02 p.m. | permalink