fixed authentication permissions

pins/views.py

@@ -46,7 +46,6 @@ class PinView(PaginationAPIView):
         if not pin:
             return Response({"physical": "No pin number."})
 
-
         serializer = self.serializer_class(data=request.data)
         serializer.is_valid(raise_exception=True)
 

restpi/settings/local.py

@@ -1,4 +1,10 @@
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = True
 
-ALLOWED_HOSTS = ['*']
+ALLOWED_HOSTS = ['*']
+CORS_ALLOW_CREDENTIALS = True
+CORS_ORIGIN_ALLOW_ALL = True
+CORS_ORIGIN_WHITELIST = (
+    'localhost',
+    'http//:localhost:63342'
+)

restpi/settings/shared.py

@@ -131,7 +131,7 @@ REST_FRAMEWORK = {
         'rest_framework.permissions.IsAuthenticated',
     ),
     'DEFAULT_AUTHENTICATION_CLASSES': (
-        'rest_framework.authentication.BasicAuthentication',
+        'rest_framework.authentication.SessionAuthentication',
         'tokenauth.auth.TokenAuthentication',
     ),
     'DEFAULT_PARSER_CLASSES': (
@@ -146,11 +146,4 @@ REST_FRAMEWORK = {
     'DEFAULT_FILTER_BACKENDS': ('django_filters.rest_framework.DjangoFilterBackend',),
     'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.PageNumberPagination',
     'PAGE_SIZE': 40,
-}
-
-CORS_ALLOW_CREDENTIALS = True
-CORS_ORIGIN_ALLOW_ALL = True
-CORS_ORIGIN_WHITELIST = (
-    'localhost',
-    'http//:localhost:63342'
-)
+}

statics/static_dirs/js/pintable.js

@@ -15,6 +15,7 @@ app.controller('pinTableController', function($scope, $http) {
         return new_pinlist;
     };
 
+    var token = document.getElementsByName("csrfmiddlewaretoken")[0].value;
     $http.get("/pins/api/")
         .then(function(response) {
             $scope.pinlist = response.data.results;
@@ -23,7 +24,9 @@ app.controller('pinTableController', function($scope, $http) {
 
     $scope.change_mode = function (physical, mode_code) {
         var url = "/pins/api/" + physical;
-        $http.post(url, {mode: mode_code}, {headers: {'Content-Type': 'application/json'}})
+        $http.post(url,
+            {mode: mode_code},
+            {headers: {'Content-Type': 'application/json', 'X-CSRFToken': token}})
             .then(function (response) {
                 if(response.status == 200 && response.data.operation){
                     console.log(response.data.pin);
@@ -39,7 +42,9 @@ app.controller('pinTableController', function($scope, $http) {
     $scope.change_value = function (physical) {
         var url = "/pins/api/" + physical;
         var new_value = ($scope.pinlist[physical-1].value) ? 0 : 1
-        $http.post(url, {value: new_value}, {headers: {'Content-Type': 'application/json'}})
+        $http.post(url,
+            {value: new_value},
+            {headers: {'Content-Type': 'application/json', 'X-CSRFToken': token}})
             .then(function (response) {
                 if(response.status == 200 && response.data.operation){
                     $scope.pinlist[physical-1] = response.data.pin;

templates/pins/index.html

@@ -3,6 +3,7 @@
 {% block title %}Pins{% endblock %}
 
 {% block mainarea %}
+    {% csrf_token %}
     <main class="main-bar">
         <div class="container">
             <div class="row justify-content-center">