Buildout.coredev: site warning for normal link to browser view

My xmldirector.plonecore add-on has a set of links linking to other browser views. Two of them ("Log" and "Log clear") cause a site warning. Why? What is special about these links and what triggers the warning?

-aj

It's the new plone.protect. You are probably performing a DB write with a GET.
https://dev.plone.org/ticket/13679

Alright. I was confused by the warning with the logger view which created an annotation lazily in this case causing the write as part of a view operation. Thanks.

-aj

This raises the question of how to retrieve and include the CSRF token in a canonical way, in particular for code that is supposed to run with Plone 4.3 and Plone 5.0.

-aj

It's probably simple to bypass CSRF in that case: https://github.com/plone/plone.protect#allowing-write-on-read-programatically

About the Plone 4/Plone 5 way to do it: I had no luck on this task recently... :smiley:

For the logs:

plone.protect = 3.0.1
plone.keyring = 3.0.0

within my Plone 4.3 buildout seems to work for writing code that is compatible with Plone 4 and 5.

-aj

It doesn't actually matter if it's a GET request. The request just needs the CSRF token.

There are some URLs that have the token appended to them in Plone 5 right now because they do write on GET.

This is off the top of my head, but to generate the token in a url, it's something like: string: my-url?_authenticator=${context/@@authenticator/token}

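The link pattern from the last reply, as an added example that is not part of the thread or of plone.protect: a Python helper that appends `_authenticator` to a link, keeps existing query parameters and fragments, and leaves links to other hosts untouched so the token is not sent off-site. The function name, site URL, view name and token value are hypothetical; in a template the token comes from `context/@@authenticator/token` as shown above.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

PARAM = "_authenticator"  # query parameter name used in the reply above


def add_authenticator(url, token, site_url):
    """Return url with the CSRF token in its query string (same-site links only).

    token is whatever the authenticator view produced for the current user;
    this helper (hypothetical, not plone.protect code) only places it in the URL.
    """
    parts = urlsplit(url)
    site = urlsplit(site_url)

    # A link without scheme and host is relative and stays on the site.
    relative = not parts.scheme and not parts.netloc
    same_origin = (parts.scheme.lower(), parts.netloc.lower()) == (
        site.scheme.lower(), site.netloc.lower())
    if not (relative or same_origin):
        # Links to other hosts (including //host/path) never get the token.
        return url

    # Drop any stale token already present, keep every other parameter.
    query = [(k, v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != PARAM]
    query.append((PARAM, token))

    # urlunsplit puts the fragment back after the rebuilt query string.
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    SITE = "http://localhost:8080/Plone"   # constructed sample site URL
    TOKEN = "constructed-token-0001"       # constructed sample token
    for link in ("http://localhost:8080/Plone/@@my-view",
                 "my-url?x=1#top",
                 "https://example.org/elsewhere"):
        print(add_authenticator(link, TOKEN, SITE))
```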