[PKG-Openstack-devel] Bug#862387: openstack-dashboard: instance delete fails with: 403 Forbidden - CSRF verification failed. Request aborted.

[Valentin Vidic]

On Thu, May 18, 2017 at 05:14:10PM +0200, Thomas Goirand wrote:
> FYI, I worked together with upstream during all of last summer to
> somehow gain Django 1.10 compatibility. There was loads of issues, which
> were fixed one by one. I guess this bug means we didn't fixed them all.
> 
> If you're good enough with Django, we'd be very happy to add the patch
> both upstream and in the Debian package. According to one of the
> upstream "leaders" on IRC:
> 
> <robcresswell> zigo: Its on the batchActions and deleteActions
> <robcresswell> inside tables
> <robcresswell> so obviously, very severe.
> <robcresswell> What I dont understand is why this didnt break before

Thanks for the info, unfortunately my Django skills are pretty basic,
so I don't have a patch to share but just some more info that I found
in the meanwhile.

Tried a few Django packages from python-django git:
  * 1.8.16-1~bpo8+1 - works
  * 1.9.7-2 - works
  * 1.10-1 - fails

Since it fails with the first 1.10 release it should definitely be some
change introduced by the first Django 1.10 version.

Like you mentioned the problem seems to be with the tables - from the
page source in the browser the place where {% csrf_token %} should
be inserted in templates/horizon/common/_data_table.html is blank.
Apache error.log seems to confirm this:

UserWarning: A {% csrf_token %} was used in a template, but the context did not provide the value.  This is usually caused by not using RequestContext.

Let me know if you have any ideas what I could try next.

-- 
Valentin