Django + AJAX
For my last project, I used Django all the way.
Given the requirements for that project, I judged that we were going to need a lot of AJAX, and I immediately started looking around for ways to do this. Luckily, a solution turned up pretty quickly.
The is_ajax method
Conveniently enough, Django provides a method on the request object, is_ajax, which is exactly what I was looking for: a simple and quick way to figure out whether or not a request actually originates from my AJAX code.
There are, however, several things to take into account when using is_ajax:
- is_ajax checks the HTTP_X_REQUESTED_WITH header to verify whether the source is AJAX or not. This header is set by most JavaScript frameworks, including Prototype (which I opted for).
- In its current form, the CSRF (Cross Site Request Forgery) middleware won't work with AJAX. I have submitted a patch for that, but it has not yet been included in svn. If you are using (or going to use) the CSRF middleware, you might consider changing the source.
Using is_ajax
Using is_ajax inside your view is very straightforward and easy. However, considering the items above, I would advise several things:
- I never use AJAX GET requests, ever. Because of that, I always check whether the request was indeed a POST request. I advise using the same approach (allow only one of the two per page you're requesting). Keep the common sense rule in mind though: POST should be used when you intend to change values, GET whenever you're just going to fetch some data and return it (get_or_404, for example). Even though we're talking AJAX, we should still be on guard.
- NEVER, EVER trust anything coming from an AJAX request. While you should never trust any request, I find AJAX requests even more dubious, especially since people are discovering ways to misuse the trust placed in AJAX more quickly. As a rule, anything coming from outside should be checked, and anything coming from the inside should be looked at with suspicion.
- When you're using AJAX in a user-authenticated area, always check for that user. It might sound as if I'm stating the obvious, but even though you expect the user to be there (it being a user area after all), it might just as well be something else.
With those points made, this is how I use is_ajax in full:
    from django.http import HttpResponseForbidden

    if request.method != 'POST' or not request.is_ajax() or not request.user.is_authenticated():
        return HttpResponseForbidden('')
Simply put, it follows my way of thinking. First of all, the request should be a POST; then, it should be an AJAX request for this function.
Those are the two basic "technical" checks on the request. The third, the user authentication check, is there only because it's more secure and I need that user data later on.
If any of those three checks fails and we reach the return statement, I follow the proper way of web development by telling the user/program that the request is forbidden. Because it is, since it didn't pass the checks. I was tempted to return a 404 document, it being a bit more cryptic, but it won't change a darn thing after all.
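As an added example (not code from the original post), the three-way gate above packaged as a reusable decorator, together with a view that still validates its POST payload after the gate has passed. Django is not required: FakeRequest, FakeUser and FakeResponse are constructed stand-ins for the Django objects, and FakeRequest.is_ajax() performs the same header test Django's HttpRequest.is_ajax() does (HTTP_X_REQUESTED_WITH equal to "XMLHttpRequest"). The view name rename_item and the field name "name" are hypothetical.

```python
# Added example, not code from the original post: the post's three-way gate
# (POST only, AJAX only, authenticated user only) as a decorator, with a
# constructed stand-in for Django's request object so it runs without Django.
from functools import wraps

XHR_HEADER = 'HTTP_X_REQUESTED_WITH'   # WSGI key for the X-Requested-With header


class FakeUser:
    """Constructed stand-in for request.user (is_authenticated is a method,
    as in the Django version the post targets)."""
    def __init__(self, authenticated):
        self._authenticated = authenticated

    def is_authenticated(self):
        return self._authenticated


class FakeRequest:
    """Constructed stand-in exposing only what the checks use."""
    def __init__(self, method, meta=None, user=None, post=None):
        self.method = method
        self.META = dict(meta or {})
        self.user = user if user is not None else FakeUser(False)
        self.POST = dict(post or {})

    def is_ajax(self):
        # Same test Django's is_ajax() makes: the header Prototype and most
        # other JavaScript frameworks add to XMLHttpRequest calls.
        return self.META.get(XHR_HEADER) == 'XMLHttpRequest'


class FakeResponse:
    """Stand-in for HttpResponse; only the status code matters here."""
    def __init__(self, status_code, body=''):
        self.status_code = status_code
        self.body = body


def ajax_post_login_required(view):
    """Reject with 403 unless the request is POST, AJAX and authenticated,
    exactly as the inline check in the post does (HttpResponseForbidden(''))."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        if (request.method != 'POST'
                or not request.is_ajax()
                or not request.user.is_authenticated()):
            return FakeResponse(403)
        return view(request, *args, **kwargs)
    return wrapper


@ajax_post_login_required
def rename_item(request):
    """Hypothetical view: the gate has passed, but the payload is still
    untrusted, so validate the field before acting on it."""
    new_name = request.POST.get('name', '').strip()
    if not 1 <= len(new_name) <= 64:
        return FakeResponse(400, 'invalid name')
    return FakeResponse(200, 'renamed to %s' % new_name)


def gate_status(method, xhr, logged_in, name='widget'):
    """Run rename_item under a constructed request; return the HTTP status."""
    meta = {XHR_HEADER: 'XMLHttpRequest'} if xhr else {}
    request = FakeRequest(method, meta, FakeUser(logged_in), {'name': name})
    return rename_item(request).status_code


if __name__ == '__main__':
    for case in [('POST', True, True), ('GET', True, True),
                 ('POST', False, True), ('POST', True, False)]:
        print(case, '->', gate_status(*case))
```

Only the fully qualifying request (POST, X-Requested-With header present, authenticated user) reaches the view body; a GET, a plain non-AJAX POST, or an anonymous user all get 403 before any view code runs, and even a request that passes the gate is rejected with 400 if its payload fails validation.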
As this concludes my little lecture, I'm going to let you play with the Django framework some more!
References to the things I spawned at your face: