Buildout.coredev: site warning for normal link to browser view

My xmldirector.plonecore add-on has a set of links linking to other browser views. Two of them ("Log" and "Log clear") cause a site warning. Why? What is special about these links and what triggers the warning?


Is the new plone.protect. You are probably performing a DB write with a GET.

Alright. I was confused by the warning with the logger view which created an annotation lazily in this case causing the write as part of a view operation. Thanks.


This raises the question how to retrieve and include the CSRF token in a canonical way - in particular for code that is supposed to run with Plone 4.3 and Plone 5.0?


Is probably simple to bypass CSRF in that case:

About the Plone 4/Plone 5 way to do it: I had no luck on this task recently... :smiley:

For the logs:

plone.protect = 3.0.1
plone.keyring = 3.0.0

within my Plone 4.3 buildout seems to work in order writing code being compatible with Plone 4 and 5.


It doesn't actually matter if it's a GET request. The request just needs the CSRF token.

There are some urls that have the token append to it in Plone 5 right now because they do write on GET.

This is off the top of my head, but to generate the token in a url, it's something like: string: my-url?_authenticator=${context/@@authenticator/token}

1 Like