In utils.CSRFToken the existence of a valid session in the request is tested with a simple truth test if not session:
def getCSRFToken(request):
session = getattr(request, 'SESSION', None)
if not session:
# Can happen in tests.
return binascii.hexlify(os.urandom(20))
token = session.get('_csrft_', None)
if token is None:
token = session['_csrft_'] = binascii.hexlify(os.urandom(20))
return token
This fails with session implementations that are "not True" when they are empty. The unfortunate result is that most ZMI interaction with the various plugins breaks. Case in point is the MemCache-based implementation in the old Products.mcdutils.
In
utils.CSRFToken
the existence of a valid session in the request is tested with a simple truth testif not session
:This fails with session implementations that are "not True" when they are empty. The unfortunate result is that most ZMI interaction with the various plugins breaks. Case in point is the MemCache-based implementation in the old
Products.mcdutils
.I'll prepare a PR.