plone / plone.protect

HTTP protection utilities for the Plone CMS
https://pypi.org/project/plone.protect/

Plone 4.3.4.1: in ZMI acl_users/source_groups, unable to assign a user to a group #8

Closed tkimnguyen closed 9 years ago

tkimnguyen commented 9 years ago

In http://site.com/acl_users/source_groups/manage_groups when I try to assign a user (principal ID) to the Administrators group, I get this error:

Traceback (innermost last):
  Module ZPublisher.Publish, line 138, in publish
  Module ZPublisher.mapply, line 77, in mapply
  Module ZPublisher.Publish, line 48, in call_object
  Module Products.PluggableAuthService.utils, line 3, in wrapper
  Module Products.PluggableAuthService.utils, line 218, in checkCSRFToken
Forbidden: incorrect CSRF token

but when I use the browser's Back button and try again, it succeeds.

The same happens when I remove a user from a group: the first time, I get that error, then the second time it succeeds.

vangheem commented 9 years ago

Closing. I cannot reproduce. This likely would have something to do with session storage--maybe you should look there.

Additionally, Products.PluggableAuthService has nothing to do with plone.protect. It's a completely different CSRF implementation.

In Plone 5, we'll be patching to not use this: https://github.com/plone/plone.protect/commit/9f3807ae7f25da76fc82d399baae1c551a956985