plone / plone4.csrffixes

Backport the auto CSRF implementation from Plone 5 to Plone 4
https://pypi.python.org/pypi/plone4.csrffixes

Are the new pinnings supposed to work w/ plone < 4.3.x ? #12

Open simahawk opened 8 years ago

simahawk commented 8 years ago

The new pinnings

Products.CMFQuickInstallerTool = 3.0.12
Products.PlonePAS = 5.0.4

will not work on plone < 4.3.

I suspected that and tested on a client stage on 4.2 that has PlonePAS 4.2.x.

The 2nd one breaks the buildout (wants a newer version of Zope) while the 1st one breaks the instance when running it.

Maybe we should rename the paragraph "Additional addon versions for Plone vX.X.X"?

mauritsvanrees commented 8 years ago

I have now tried this with Plone 4.2.7.

Indeed this PlonePAS version requires at least Zope2 2.13.22. Only Plone 4.3.3 and higher have this version normally.

With CMFQuickInstaller, Zope fails to start up:

  File ".../Products/CMFQuickInstallerTool/InstalledProduct.py", line 73,
         in InstalledProduct
    @security.protected(ManagePortal)
AttributeError: protected

This needs at least AccessControl 3.0, which is available by default since Plone 4.3.0.

Then when I am installing a random package I get another traceback:

  Module Products.CMFQuickInstallerTool.QuickInstallerTool, line 603, in installProduct
   - __traceback_info__: ('plone.app.openid',)
TypeError: runAllImportStepsFromProfile() got an unexpected keyword argument 'blacklisted_steps'

This needs at least Products.GenericSetup 1.7.5, which is included since Plone 4.3.4.

So by now when I want those hot fix version pins including QI and PlonePAS, I need these pins:

[versions]
# Standard hotfix pins:
plone.protect = 3.0.15
plone.keyring = 3.0.1
plone.locking = 2.0.8
plone4.csrffixes = 1.0.8

# Extra dependency:
cssselect = 0.9.1

Products.CMFQuickInstallerTool = 3.0.12
# Needed for QI:
AccessControl = 3.0
Products.GenericSetup = 1.7.5

Products.PlonePAS = 5.0.4
# Needed for PlonePAS:
Zope2 = 2.13.22

I'm not sure if anything else goes wrong then. I tested this very lightly. I'm not sure it is advisable to install this on 4.2 or older. And the Zope2 pin may need to be the entire zope2 cfg.

adaugherity commented 8 years ago

Additionally, if one has Products.PloneSurvey in their buildout, the Products.PlonePAS pin will cause breakage, even with Plone 4.3 (4.3.6 tested here):

  File "/opt/plone4/buildout-cache/eggs/Products.PloneSurvey-1.4.8-py2.7.egg/Products/PloneSurvey/content/Survey.py", line 28, in <module>
    from Products.PlonePAS.Extensions.Install import challenge_chooser_setup
zope.configuration.xmlconfig.ZopeXMLConfigurationError: File "/opt/plone4/plone4_dev/parts/client2/etc/site.zcml", line 16.2-16.23
    ZopeXMLConfigurationError: File "/opt/plone4/buildout-cache/eggs/Products.PloneSurvey-1.4.8-py2.7.egg/Products/PloneSurvey/configure.zcml", line 9.2-9.32
    ZopeXMLConfigurationError: File "/opt/plone4/buildout-cache/eggs/Products.PloneSurvey-1.4.8-py2.7.egg/Products/PloneSurvey/content/configure.zcml", line 7.2-8.31
    ImportError: cannot import name challenge_chooser_setup
[ Zope instance dies here ]

This is probably the fault of PloneSurvey (or else PlonePAS, not csrffixes/protect in any case), but the thing it's trying to import was removed in plone/Products.PlonePAS@4f80b18, which is in PlonePAS >= 5.0.1, so saying pinning Products.PlonePAS to 5.0.4 is good for Plone 4.3.x is not 100% accurate.
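A pre-flight check for the constraints reported in this thread, as an added example that is not part of the original issue or of plone4.csrffixes. It assumes the `[versions]` text passed in is already fully resolved (no `extends` handling); `check_pins`, `REQUIRES` and the sample values are hypothetical names and constructed data.

```python
import configparser
import re

# Minimums reported in the thread, keyed by (hotfix pin, version tested there).
REQUIRES = {
    ("Products.CMFQuickInstallerTool", "3.0.12"): {
        "AccessControl": "3.0", "Products.GenericSetup": "1.7.5"},
    ("Products.PlonePAS", "5.0.4"): {"Zope2": "2.13.22"},
}
# Products.PloneSurvey (1.4.8 in the thread) imports a name removed in PlonePAS 5.0.1.
SURVEY_BREAKS_FROM = "5.0.1"

# Constructed sample: an older site's versions with the hotfix pins added.
SAMPLE = """
[versions]
Products.CMFQuickInstallerTool = 3.0.12
Products.PlonePAS = 5.0.4
AccessControl = 2.13.7
Products.GenericSetup = 1.7.5
Zope2 = 2.13.19
Products.PloneSurvey = 1.4.8
"""


def vtuple(version):
    # '2.13.22' -> (2, 13, 22), so 2.13.8 sorts below 2.13.22
    return tuple(int(n) for n in re.findall(r"\d+", version))


def check_pins(cfg_text):
    """Return the problems from this thread that the given [versions] would hit."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep package names as written
    parser.read_string(cfg_text)
    pins = dict(parser["versions"])
    problems = []
    for (pkg, tested), needs in REQUIRES.items():
        # Assumption: releases newer than the tested one keep the same minimums.
        if pkg not in pins or vtuple(pins[pkg]) < vtuple(tested):
            continue
        for dep, minimum in needs.items():
            have = pins.get(dep)
            if have is None or vtuple(have) < vtuple(minimum):
                problems.append(f"{pkg} {pins[pkg]} needs {dep} >= {minimum}, found {have or 'no pin'}")
    pas = pins.get("Products.PlonePAS")
    if "Products.PloneSurvey" in pins and pas and vtuple(pas) >= vtuple(SURVEY_BREAKS_FROM):
        problems.append(f"Products.PloneSurvey import breaks with Products.PlonePAS {pas}")
    return problems
```

Running `check_pins(SAMPLE)` reports the AccessControl, Zope2 and PloneSurvey conflicts before buildout or instance startup would.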