plone / plone4.csrffixes

Backport the auto CSRF implementation from Plone 5 to Plone 4
https://pypi.python.org/pypi/plone4.csrffixes

Do not disable the transform based on IDisableCSRFProtection. #18

Closed mauritsvanrees closed 8 years ago

mauritsvanrees commented 8 years ago

See discussion at https://github.com/plone/plone.protect/pull/38

jensens commented 8 years ago

I'm a bit lost with this one and the other one. What does it imply?

mauritsvanrees commented 8 years ago

This comment by me on the other one should be clear: https://github.com/plone/plone.protect/pull/38#issuecomment-186636342 But let's see if I can come up with an example.

Say you have an add-on in your site that keeps track of who sees a page how often. It only does this for the view, so let's say this is hooked up to a viewlet that is only shown on IViewView. In the annotations of a page it stores a PersistentDict with the username (or anonymous) as key and the number of times the user has seen the page as value.

Result: every time a page is viewed, there is a write to the database. Bad as an idea, but perfect as an example.

When you have the latest release of plone4.csrffixes (or plone.protect 3), the result is that on every page view you are redirected to the confirmation page, because it detects the write-on-read.

So the add-on author adds a line to the viewlet: alsoProvides(self.request, IDisableCSRFProtection). Using safeWrite may have been better, but then the example no longer works.

Result, again with latest release of plone4.csrffixes, is that the confirmation page no longer pops up. What stays the same, importantly: the transform kicks in and adds the authenticator to forms and links on the page. That is also what this pull request restores.

Current master has an extra check. If IDisableCSRFProtection.providedBy(self.request) then we return, meaning: the transform is skipped.

Result: for every view that loads the add-on viewlet, the transform is skipped. So: the forms and links do not get the authenticator. So as admin you click on a link to, for example, createObject?type_name=Document. That page needs an authenticator, but the link does not have it, so you get a confirmation dialog.

That is the problem I am trying to fix here.
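To make the two checks concrete, here is an added toy model (not plone.protect's own code) of the write-on-read check and the authenticator transform; the request object, the token value and the sample page are constructed stand-ins, and protect_master versus protect_fixed mirror the behaviour described in the comment above.

```python
import re
from typing import NamedTuple, Tuple

# Constructed stand-in for the Zope request. The real request carries
# marker interfaces (IDisableCSRFProtection) via zope.interface.alsoProvides;
# here a plain flag plays that role.
class Request(NamedTuple):
    html: str                 # response body the transform would rewrite
    unprotected_write: bool   # a DB write happened on a GET (write-on-read)
    disable_csrf: bool        # IDisableCSRFProtection applied to the request

TOKEN = "_authenticator=TOKEN"   # placeholder for the real per-user token
HIDDEN = '<input type="hidden" name="_authenticator" value="TOKEN"/>'

# Constructed sample page: the kind of link the comment above mentions.
PAGE = '<form action="edit"></form><a href="createObject?type_name=Document">Add</a>'

def add_authenticator(html: str) -> str:
    """Model of the transform: add the token to every link and form."""
    def _link(m):
        url = m.group(1)
        sep = "&" if "?" in url else "?"
        return 'href="%s%s%s"' % (url, sep, TOKEN)
    html = re.sub(r'href="([^"#]+)"', _link, html)
    # Hidden field inserted right after each opening <form> tag.
    return re.sub(r"(<form\b[^>]*>)", r"\1" + HIDDEN, html)

def protect_master(req: Request) -> Tuple[str, str]:
    """'Current master' behaviour: the marker skips the whole transform,
    so links and forms lose their authenticator."""
    if req.disable_csrf:
        return "pass", req.html
    if req.unprotected_write:
        return "redirect-to-confirm", req.html
    return "pass", add_authenticator(req.html)

def protect_fixed(req: Request) -> Tuple[str, str]:
    """Behaviour after this PR (and plone.protect 3.x): the marker only
    suppresses the write-on-read redirect; the transform always runs."""
    if req.unprotected_write and not req.disable_csrf:
        return "redirect-to-confirm", req.html
    return "pass", add_authenticator(req.html)
```

With the add-on's viewlet writing on every view and the marker applied, protect_master returns the page untouched (no token on the createObject link), while protect_fixed still adds it.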

mauritsvanrees commented 8 years ago

Since IDisableCSRFProtection does not disable the transform in plone.protect 3.x, we should not do it here either. I am merging this.