Getting 403 Forbidden when trying to post a comment using the javascript plugin only when logged in #258

Open
beasyx0 opened this issue Jan 21, 2021 · 12 comments

beasyx0 commented Jan 21, 2021

Hey there, so I followed the tutorial to a T and everything worked flawlessly until I got to the end and enabled the javascript plugin. Now whenever I'm logged in it says 'Sorry, your comment has been rejected' with a log message in my console 'WARNING 2021-01-21 16:18:04,155 log 807 139885087475456 Forbidden: /comments/api/comment/'. When I log out everything works fine. Can you try to guide me in the right direction to figure this out? I have no idea what this could be. Thanks.

Edit:
Looks like I'm getting a 403 'rejected' from the WriteCommentSerializer from the comment_will_be_posted signal but that's as far as I've gotten so far. Sorry if this is the wrong place for this. I don't know if this is a 'bug' but thought I'd post anyways.

Owner

danirus commented Jan 22, 2021

Hi @beasyx0, it seems to be the same issue as #256.
It will be fixed in the next release, v2.8.2.
Thanks for reporting it.

Owner

danirus commented Jan 22, 2021

Duplicate of #256

@danirus danirus marked this as a duplicate of #256 Jan 22, 2021
@danirus danirus self-assigned this Jan 22, 2021
Owner

danirus commented Jan 22, 2021

Resolved with ebd355d.

@danirus danirus closed this as completed Jan 22, 2021
Author

beasyx0 commented Jan 28, 2021

I know this was closed but it's still not working with the new release. Could be due to something else. I dunno. Thank you though.

Owner

danirus commented Jan 29, 2021

Hi @beasyx0, I need more information.
I thought it was the same issue as #256, but if not we need to get to know all the details.
One thing you could do is to set up the comp demo site and check whether it works for you.
There are instructions on how to do it here in the docs.

@danirus danirus reopened this Jan 29, 2021
Author

beasyx0 commented Jan 29, 2021

Alright, I will be able to do that a little later today. Thank you for responding. I have quite the setup for my blog so I thought it may be something on my end and didn't want to make a big deal about it so that is a good way to tell if it's my setup or the app itself. I will report back in a bit. Thank you!

Author

beasyx0 commented Jan 29, 2021

Hi danirus,
Yes the demo project works as expected. Both the articles app and the quotes app. I'm guessing something within my blog is interfering with the comments app. This may not be a bug with your package. I don't even know where to start to troubleshoot this and I don't expect you to help me if the issue is on my end. Considering there doesn't seem to be anyone else having my issue you can go ahead and close this issue if you would like. Thank you for taking time to respond, the app is great and I hope I can figure it out.
Thanks!

Edit: For reference I am using Cookiecutter Django which has a custom user model that subclasses 'AbstractUser'. Also using Django version 3.

Owner

danirus commented Jan 29, 2021

Tell me where I can get your code to take a look at it. If you prefer to keep it private, then create the minimum code to reproduce the issue. I don't mind looking into it. Maybe there is something about that AbstractUser that gets in the way of this application. It would be good to catch the issue.

Author

beasyx0 commented Jan 30, 2021

Sure. I just made my repo public. I don't know why I had it private to begin with. Have a look if you want, just don't make fun of my code, I've only been doing this under a year :). Here's how to run it:

```
docker-compose -f local.yml build
docker-compose -f local.yml up -d
docker-compose -f local.yml run --rm django python manage.py shell
# inside shell
from djangoimposter.blog.builder import make_all_data
make_all_data(20)
# end shell
```


abiatarfestus commented Jun 28, 2021

I'm also experiencing this issue in production when logged in. Has the cause been found? In development it works fine, but in production it displays "Sorry, your comment was rejected" and logs: Forbidden: /comments/api/comment/. In the console it points to the following portion of jquery-3.3.1.min.js:2:

Also unlike in development, in production, the comment form renders with a required name field. Posting comments as an unregistered user works fine, though.


abiatarfestus commented Jul 1, 2021

When I inspected the page, I found the following error to be the cause of the 403 response error: "CSRF Failed: CSRF token missing or incorrect".

@abiatarfestus

After a couple of unsuccessful attempts, I can report that I managed to get around this error by switching off CSRF_USE_SESSIONS, which was previously set to True in my settings.
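
With `CSRF_USE_SESSIONS = True` Django keeps the CSRF token in the session and sets no `csrftoken` cookie, so a client that takes the token from that cookie has nothing to put in `X-CSRFToken`. The sketch below is an added example, not code from django-comments-xtd or from this thread: it falls back to the hidden `csrfmiddlewaretoken` input that `{% csrf_token %}` renders, which lets the setting stay on. The function names are hypothetical and the two document objects are constructed stand-ins for `document`.

```javascript
// Added example; function names are hypothetical, not part of django-comments-xtd.
// Cookie, field and header names are Django's defaults.
const CSRF_COOKIE = "csrftoken";
const CSRF_FIELD = "csrfmiddlewaretoken";
const CSRF_HEADER = "X-CSRFToken";

// Read one cookie value from a document.cookie-style string.
function readCookie(cookieString, name) {
  for (const part of (cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Cookie first; when it is absent (CSRF_USE_SESSIONS or CSRF_COOKIE_HTTPONLY),
// fall back to the hidden input rendered by {% csrf_token %}.
function getCsrfToken(doc) {
  const fromCookie = readCookie(doc.cookie, CSRF_COOKIE);
  if (fromCookie) return fromCookie;
  const field = doc.querySelector(`input[name="${CSRF_FIELD}"]`);
  return field && field.value ? field.value : null;
}

// Build the request headers; fail early instead of sending a POST that will get a 403.
function csrfHeaders(doc) {
  const token = getCsrfToken(doc);
  if (!token) {
    throw new Error("No CSRF token in cookie or DOM; render {% csrf_token %} on the page");
  }
  return { [CSRF_HEADER]: token, "Content-Type": "application/json" };
}

// Constructed stand-ins for `document` in the two configurations.
const cookieModeDoc = {
  cookie: "sessionid=abc; csrftoken=cookie-token-123",
  querySelector: () => null,
};
const sessionModeDoc = {
  cookie: "sessionid=abc", // no csrftoken cookie, as with CSRF_USE_SESSIONS = True
  querySelector: (sel) =>
    sel === 'input[name="csrfmiddlewaretoken"]' ? { value: "dom-token-456" } : null,
};
```

In the browser, pass `document` to `csrfHeaders` and send the result with the POST to `/comments/api/comment/`.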
