Fix Missing CSRF Token

- Set default CSRF_HEADER_NAME to previous value instead of Django default
- Added csrfmiddlewaretoken value to Ajax POST data from sorting views.
- Moved csrf token template tag inside object representation form

adminsortable/admin.py

@@ -230,7 +230,7 @@ class SortableAdmin(SortableAdminBase, ModelAdmin):
             'sortable_by_class_display_name': sortable_by_class_display_name,
             'jquery_lib_path': jquery_lib_path,
             'csrf_cookie_name': getattr(settings, 'CSRF_COOKIE_NAME', 'csrftoken'),
-            'csrf_header_name': getattr(settings, 'CSRF_HEADER_NAME', 'HTTP_X_CSRFTOKEN'),
+            'csrf_header_name': getattr(settings, 'CSRF_HEADER_NAME', 'X-CSRFToken'),
             'after_sorting_js_callback_name': self.after_sorting_js_callback_name
         })
         return render(request, self.sortable_change_list_template, context)
@@ -255,7 +255,7 @@ class SortableAdmin(SortableAdminBase, ModelAdmin):
             'has_sortable_tabular_inlines': self.has_sortable_tabular_inlines,
             'has_sortable_stacked_inlines': self.has_sortable_stacked_inlines,
             'csrf_cookie_name': getattr(settings, 'CSRF_COOKIE_NAME', 'csrftoken'),
-            'csrf_header_name': getattr(settings, 'CSRF_HEADER_NAME', 'HTTP_X_CSRFTOKEN'),
+            'csrf_header_name': getattr(settings, 'CSRF_HEADER_NAME', 'X-CSRFToken'),
             'after_sorting_js_callback_name': self.after_sorting_js_callback_name
         })
 

adminsortable/templates/adminsortable/admin.sortable.html

@@ -18,7 +18,7 @@
                 $.ajax({
                     url: ui.item.find('a.admin_sorting_url').attr('href'),
                     type: 'POST',
-                    data: { indexes: indexes.join(',') },
+                    data: { indexes: indexes.join(','), csrfmiddlewaretoken: window.csrftoken },
                     success: function() {
                         // set icons based on position
                         lineItems.each(function(index, element) {

adminsortable/templates/adminsortable/change_list.html

@@ -107,7 +107,6 @@
 			{% else %}
         {% include "adminsortable/shared/objects.html" %}
 			{% endif %}
-      {% csrf_token %}
 		</div>
 		{% endif %}
 	</div>

adminsortable/templates/adminsortable/edit_inline/admin.sortable.stacked.inlines.html

@@ -39,7 +39,7 @@
                     $.ajax({
                         url: ui.item.parent().find(':hidden[name="admin_sorting_url"]').val(),
                         type: 'POST',
-                        data: { indexes : indexes.join(',') },
+                        data: { indexes : indexes.join(','), csrfmiddlewaretoken: window.csrftoken },
                         success: function() {
                             var fieldsets = ui.item.find('fieldset'),
                                 highlightedSelector = fieldsets.filter('.collapsed').length === fieldsets.length ? 'h3' : '.form-row',

adminsortable/templates/adminsortable/edit_inline/admin.sortable.tabular.inlines.html

@@ -37,7 +37,7 @@
                     $.ajax({
                         url: ui.item.parent().find(':hidden[name="admin_sorting_url"]').val(),
                         type: 'POST',
-                        data: { indexes : indexes.join(',') },
+                        data: { indexes : indexes.join(','), csrfmiddlewaretoken: window.csrftoken },
                         success: function() {
                             // set icons based on position
                             var icons = ui.item.parent().find('.fa');

adminsortable/templates/adminsortable/shared/object_rep.html

@@ -3,4 +3,5 @@
 <form>
     <input name="pk" type="hidden" value="{{ object.pk|unlocalize }}" />
     <a href="{% url opts|admin_urlname:'do_sorting' object.model_type_id|unlocalize %}" class="admin_sorting_url"><i class="fa fa-{% if forloop.first %}sort-desc{% elif forloop.last %}sort-asc{% else %}sort{% endif %}"></i> {{ object }}</a>
+    {% csrf_token %}
 </form>