plone / Products.CMFPlone

The core of the Plone content management system
https://plone.org
GNU General Public License v2.0

Plone news summary view with CSRF protection issue #2431

Closed zopyx closed 2 years ago

zopyx commented 6 years ago

Fresh Plone 5.1.2.1 site with migrated news content causes this error when you click on the "News" tab or "News" in the navigation:

bin/instance fg
2018-05-29 09:54:53 INFO ZServer HTTP server started at Tue May 29 09:54:53 2018
        Hostname: 0.0.0.0
        Port: 5080
2018-05-29 09:54:58 INFO ZEO.ClientStorage zeostorage ClientStorage (pid=7094) created RW/normal for storage: '1'
2018-05-29 09:54:58 INFO ZEO.cache created temporary cache file '<fdopen>'
2018-05-29 09:54:58 INFO ZEO.asyncio.base Connected Protocol(('127.0.0.1', 5200), '1', False)
2018-05-29 09:54:58 INFO ZEO.ClientStorage zeostorage Connected to storage: ('localhost', 5200)
2018-05-29 09:55:11 INFO Zope Ready to handle requests
2018-05-29 09:55:21 INFO plone.protect   File "/home/ajung/sandboxes/plone-server-buildout-plone5/eggs/Zope2-2.13.27-py2.7.egg/ZServer/PubCore/ZServerPublisher.py", line 31, in __init__
    response=b)

  File "/home/ajung/sandboxes/plone-server-buildout-plone5/eggs/Zope2-2.13.27-py2.7.egg/ZPublisher/Publish.py", line 455, in publish_module
    environ, debug, request, response)

  File "/home/ajung/sandboxes/plone-server-buildout-plone5/eggs/Zope2-2.13.27-py2.7.egg/ZPublisher/Publish.py", line 249, in publish_module_standard
    response = publish(request, module_name, after_list, debug=debug)

  File "/home/ajung/sandboxes/plone-server-buildout-plone5/eggs/Zope2-2.13.27-py2.7.egg/ZPublisher/Publish.py", line 143, in publish
    notify(PubBeforeCommit(request))

  File "/home/ajung/sandboxes/plone-server-buildout-plone5/eggs/zope.event-3.5.2-py2.7.egg/zope/event/__init__.py", line 31, in notify
    subscriber(event)

  File "/home/ajung/sandboxes/plone-server-buildout-plone5/eggs/zope.component-4.4.1-py2.7.egg/zope/component/event.py", line 27, in dispatch
    component_subscribers(event, None)

  File "/home/ajung/sandboxes/plone-server-buildout-plone5/eggs/zope.component-4.4.1-py2.7.egg/zope/component/_api.py", line 139, in subscribers
    return sitemanager.subscribers(objects, interface)

  File "/home/ajung/sandboxes/plone-server-buildout-plone5/eggs/zope.interface-4.4.3-py2.7-linux-x86_64.egg/zope/interface/registry.py", line 442, in subscribers
    return self.adapters.subscribers(objects, provided)

  File "/home/ajung/sandboxes/plone-server-buildout-plone5/eggs/zope.interface-4.4.3-py2.7-linux-x86_64.egg/zope/interface/adapter.py", line 607, in subscribers
    subscription(*objects)

  File "/home/ajung/sandboxes/plone-server-buildout-plone5/eggs/plone.transformchain-1.2.2-py2.7.egg/plone/transformchain/zpublisher.py", line 86, in applyTransformOnSuccess
    transformed = applyTransform(event.request)

  File "/home/ajung/sandboxes/plone-server-buildout-plone5/eggs/plone.transformchain-1.2.2-py2.7.egg/plone/transformchain/zpublisher.py", line 75, in applyTransform
    transformed = transformer(request, result, encoding)

  File "/home/ajung/sandboxes/plone-server-buildout-plone5/eggs/plone.transformchain-1.2.2-py2.7.egg/plone/transformchain/transformer.py", line 50, in __call__
    newResult = handler.transformIterable(result, encoding)

  File "/home/ajung/sandboxes/plone-server-buildout-plone5/eggs/plone.protect-3.1.3-py2.7.egg/plone/protect/auto.py", line 186, in transformIterable
    if not self.check():

  File "/home/ajung/sandboxes/plone-server-buildout-plone5/eggs/plone.protect-3.1.3-py2.7.egg/plone/protect/auto.py", line 211, in check
    return self._check()

  File "/home/ajung/sandboxes/plone-server-buildout-plone5/eggs/plone.protect-3.1.3-py2.7.egg/plone/protect/auto.py", line 283, in _check
    '\n'.join(traceback.format_stack()),

aborting transaction due to no CSRF protection on url http://dev.zopyx.de:5080/dynasupport/news/aggregator/summary_view
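
The "aborting transaction" line at the end of the log above, and the stack logged just before it (the `traceback.format_stack()` call at the bottom of the trace), come from plone.protect's automatic CSRF check: a request that dirties persistent objects without carrying a valid `_authenticator` token has its transaction thrown away. As an added example that is not plone.protect's code, here is a stand-alone Python model of that decision; the HMAC token construction, the safe-method set and the outright refusal of unsafe methods are my assumptions, and the real check also offers a confirmation page, which the model omits.

```python
# Added example, not plone.protect's own code: a stand-alone model of the
# auto-CSRF check behind the "aborting transaction due to no CSRF protection"
# log line above. Assumed (not taken from the page): the token is an HMAC of
# the user name under the keyring secret, and the transaction exposes the
# objects registered for writing during the request.
import hashlib
import hmac
import logging
from dataclasses import dataclass, field

LOGGER = logging.getLogger("plone.protect")
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
SECRET = b"constructed-keyring-secret"  # constructed sample value


def create_token(secret: bytes, user: str) -> str:
    """Authenticator token a form would carry in its _authenticator field."""
    return hmac.new(secret, user.encode("utf-8"), hashlib.sha1).hexdigest()


@dataclass
class Request:
    method: str
    url: str
    user: str
    form: dict = field(default_factory=dict)


@dataclass
class Transaction:
    registered: list = field(default_factory=list)  # objects dirtied so far
    aborted: bool = False

    def abort(self) -> None:
        self.aborted, self.registered = True, []


def check(request: Request, txn: Transaction) -> str:
    """Decide what happens at commit time: 'ok', 'aborted' or 'forbidden'."""
    if not txn.registered:
        return "ok"  # a pure read: nothing to protect
    expected = create_token(SECRET, request.user)
    if hmac.compare_digest(request.form.get("_authenticator", ""), expected):
        return "ok"  # the write carried a valid token
    LOGGER.info("aborting transaction due to no CSRF protection on url %s "
                "(dirty objects: %r)", request.url, txn.registered)
    txn.abort()
    # A write on a safe method is a side effect the view never meant to make,
    # so it is dropped; an unsafe method without a token is refused outright.
    return "aborted" if request.method in SAFE_METHODS else "forbidden"
```

Passing this check is not the fix for a listing like summary_view: a view that only renders content should not write at all, so the object that shows up in the dirty list is the thing to track down.
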

agitator commented 6 years ago

probably related... I noticed transactions (via undo form) on view access in some of my 5.1 sites, but didn't have time to look into it

davisagli commented 6 years ago

Any improvement with this fix? https://github.com/plone/plone.protect/commit/ec1d1fd58bcc1e668ea8b212e40771dc07b89d3a

davisagli commented 2 years ago

I think there have been multiple changes to mitigate this since then. Please reopen if it's still a problem.