Ignore CSRF protect for subscriber event

I'm trying to make a MemberArea and publish the folder in my original PAS product.

It looks like the code below.

membershipTool.createMemberArea(userId)
member_folder = plone.api.portal.get("Members")
home_folder = member_folder.get(userId)
workflow_tool.doActionFor(home_folder, "publish")

But I got a protect error:

...
  File "/usr/local/lib/python3.8/contextlib.py", line 120, in __exit__
    next(self.gen)
  File "/plone/buildout-cache/eggs/cp38/Zope-4.6.3-py3.8.egg/ZPublisher/WSGIPublisher.py", line 164, in transaction_pubevents
    notify(pubevents.PubBeforeCommit(request))
  File "/plone/buildout-cache/eggs/cp38/zope.event-4.5.0-py3.8.egg/zope/event/__init__.py", line 32, in notify
    subscriber(event)
  File "/plone/buildout-cache/eggs/cp38/zope.component-4.6.2-py3.8.egg/zope/component/event.py", line 27, in dispatch
    component_subscribers(event, None)
  File "/plone/buildout-cache/eggs/cp38/zope.component-4.6.2-py3.8.egg/zope/component/_api.py", line 134, in subscribers
    return sitemanager.subscribers(objects, interface)
  File "/plone/buildout-cache/eggs/cp38/zope.interface-5.4.0-py3.8-linux-x86_64.egg/zope/interface/registry.py", line 448, in subscribers
    return self.adapters.subscribers(objects, provided)
  File "/plone/buildout-cache/eggs/cp38/zope.interface-5.4.0-py3.8-linux-x86_64.egg/zope/interface/adapter.py", line 899, in subscribers
    subscription(*objects)
  File "/plone/buildout-cache/eggs/cp38/plone.transformchain-2.0.2-py3.8.egg/plone/transformchain/zpublisher.py", line 86, in applyTransformOnSuccess
    transformed = applyTransform(event.request)
  File "/plone/buildout-cache/eggs/cp38/plone.transformchain-2.0.2-py3.8.egg/plone/transformchain/zpublisher.py", line 75, in applyTransform
    transformed = transformer(request, result, encoding)
  File "/plone/buildout-cache/eggs/cp38/plone.transformchain-2.0.2-py3.8.egg/plone/transformchain/transformer.py", line 59, in __call__
    newResult = handler.transformIterable(result, encoding)
  File "/plone/buildout-cache/eggs/cp38/plone.protect-4.1.6-py3.8.egg/plone/protect/auto.py", line 191, in transformIterable
    if not self.check():
  File "/plone/buildout-cache/eggs/cp38/plone.protect-4.1.6-py3.8.egg/plone/protect/auto.py", line 216, in check
    return self._check()
  File "/plone/buildout-cache/eggs/cp38/plone.protect-4.1.6-py3.8.egg/plone/protect/auto.py", line 288, in _check
    '\n'.join(traceback.format_stack()),

I think it is related to the subscribers' notify not being in the same request.
Do you have any advice?

Manabu TERADA via Plone Community wrote at 2022-4-8 03:02 +0000:

...
I'm trying to make a MemberArea and publish the folder in my original PAS product.
...
But I got a protect error:
...
I think it is related to the subscribers' notify not being in the same request.
Do you have any advice?

All subscribers are executed in the same request.

The CSRF protection subscriber is activated for the handling
of the ZPublisher.interfaces.IPubEnd event (it signals the end
of "normal" request processing).

plone.protect allows you to deactivate the check for the current
request or specific objects modified by the current request.
You could use one of those features.

We are trying to ignore protect after creating home_folder, as below:

alsoProvides(getRequest(), IDisableCSRFProtection)
api.content.transition(obj=home_folder, transition="publish")

But we got the same error. We don't get the error if there is no workflow action.

Manabu TERADA via Plone Community wrote at 2022-4-15 01:34 +0000:

We are trying to ignore protect after creating home_folder, as below:

alsoProvides(getRequest(), IDisableCSRFProtection)
api.content.transition(obj=home_folder, transition="publish")

But we got the same error. We don't get the error if there is no workflow action.

Looks like it should work.

Whenever unexpected things happen I try to debug in order to find
out what goes on.
In your case, I would put 2 (code) breakpoints into the code:
one into the code above to verify that getRequest returns the right
request, one into the plone.protect code to find out why
the protection is triggered (even though it should be disabled).

It looks like the error is truncated. Can you provide us the full traceback?

@jensens

My error is this:

2022-04-07 11:28:39,462 INFO    [plone.protect:285][waitress-2]   File "/usr/local/lib/python3.8/threading.py", line 890, in _bootstrap
    self._bootstrap_inner()
  File "/usr/local/lib/python3.8/threading.py", line 932, in _bootstrap_inner
    self.run()
  File "/usr/local/lib/python3.8/threading.py", line 870, in run
    self._target(*self._args, **self._kwargs)
  File "/plone/buildout-cache/eggs/cp38/waitress-1.4.4-py3.8.egg/waitress/task.py", line 86, in handler_thread
    task.service()
  File "/plone/buildout-cache/eggs/cp38/waitress-1.4.4-py3.8.egg/waitress/channel.py", line 350, in service
    task.service()
  File "/plone/buildout-cache/eggs/cp38/waitress-1.4.4-py3.8.egg/waitress/task.py", line 171, in service
    self.execute()
  File "/plone/buildout-cache/eggs/cp38/waitress-1.4.4-py3.8.egg/waitress/task.py", line 441, in execute
    app_iter = self.channel.server.application(environ, start_response)
  File "/plone/buildout-cache/eggs/cp38/Paste-3.5.0-py3.8.egg/paste/translogger.py", line 69, in __call__
    return self.application(environ, replacement_start_response)
  File "/plone/buildout-cache/eggs/cp38/Zope-4.6.3-py3.8.egg/ZPublisher/httpexceptions.py", line 30, in __call__
    return self.application(environ, start_response)
  File "/plone/buildout-cache/eggs/cp38/Zope-4.6.3-py3.8.egg/ZPublisher/WSGIPublisher.py", line 376, in publish_module
    environ['REMOTE_USER'] = user.getUserName()
  File "/usr/local/lib/python3.8/contextlib.py", line 120, in __exit__
    next(self.gen)
  File "/plone/buildout-cache/eggs/cp38/Zope-4.6.3-py3.8.egg/ZPublisher/WSGIPublisher.py", line 164, in transaction_pubevents
    notify(pubevents.PubBeforeCommit(request))
  File "/plone/buildout-cache/eggs/cp38/zope.event-4.5.0-py3.8.egg/zope/event/__init__.py", line 32, in notify
    subscriber(event)
  File "/plone/buildout-cache/eggs/cp38/zope.component-4.6.2-py3.8.egg/zope/component/event.py", line 27, in dispatch
    component_subscribers(event, None)
  File "/plone/buildout-cache/eggs/cp38/zope.component-4.6.2-py3.8.egg/zope/component/_api.py", line 134, in subscribers
    return sitemanager.subscribers(objects, interface)
  File "/plone/buildout-cache/eggs/cp38/zope.interface-5.4.0-py3.8-linux-x86_64.egg/zope/interface/registry.py", line 448, in subscribers
    return self.adapters.subscribers(objects, provided)
  File "/plone/buildout-cache/eggs/cp38/zope.interface-5.4.0-py3.8-linux-x86_64.egg/zope/interface/adapter.py", line 899, in subscribers
    subscription(*objects)
  File "/plone/buildout-cache/eggs/cp38/plone.transformchain-2.0.2-py3.8.egg/plone/transformchain/zpublisher.py", line 86, in applyTransformOnSuccess
    transformed = applyTransform(event.request)
  File "/plone/buildout-cache/eggs/cp38/plone.transformchain-2.0.2-py3.8.egg/plone/transformchain/zpublisher.py", line 75, in applyTransform
    transformed = transformer(request, result, encoding)
  File "/plone/buildout-cache/eggs/cp38/plone.transformchain-2.0.2-py3.8.egg/plone/transformchain/transformer.py", line 59, in __call__
    newResult = handler.transformIterable(result, encoding)
  File "/plone/buildout-cache/eggs/cp38/plone.protect-4.1.6-py3.8.egg/plone/protect/auto.py", line 191, in transformIterable
    if not self.check():
  File "/plone/buildout-cache/eggs/cp38/plone.protect-4.1.6-py3.8.egg/plone/protect/auto.py", line 216, in check
    return self._check()
  File "/plone/buildout-cache/eggs/cp38/plone.protect-4.1.6-py3.8.egg/plone/protect/auto.py", line 288, in _check
    '\n'.join(traceback.format_stack()),
aborting transaction due to no CSRF protection on url http://localhost:8080/Plone/listing_view

Thanks. As usual difficult to tell. plone.protect does not tell enough and we are already at the end of the request here.

Like Dieter said, are you really sure that you have a request object? Maybe it is a None because you try to do this inside a PAS plugin?

Could you try something like:

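from plone.protect.interfaces import IDisableCSRFProtection
from zope.globalrequest import getRequest
from zope.interface import alsoProvides
request = getRequest()
assert request is not None
alsoProvides(request, IDisableCSRFProtection)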
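
For triaging logs like the one posted in this thread, an added example (not code from plone.protect or from any poster here) that collapses repeated plone.protect abort records and reports the URL and the publisher event in which the check ran. The sample log is constructed: one record abridged from the format shown above and repeated three times, plus an invented unrelated record; the function name `csrf_aborts` is hypothetical.

```python
import re
from collections import Counter

# Start of a log record: timestamp, level, [logger:line][thread].
RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+) +(?P<level>\w+) +"
    r"\[(?P<logger>[\w.]+):\d+\]\[(?P<thread>[^\]]+)\]", re.M)
ABORT = re.compile(
    r"^aborting transaction due to no CSRF protection on url (\S+)", re.M)
EVENT = re.compile(r"notify\(pubevents\.(\w+)\(request\)\)")

# Constructed sample: one abort record abridged from the format in this
# thread, logged three times, plus an invented unrelated record.
_ABORT = r"""2022-04-07 11:28:39,462 INFO    [plone.protect:285][waitress-2]   File "/plone/buildout-cache/eggs/cp38/Zope-4.6.3-py3.8.egg/ZPublisher/WSGIPublisher.py", line 164, in transaction_pubevents
    notify(pubevents.PubBeforeCommit(request))
  File "/plone/buildout-cache/eggs/cp38/plone.protect-4.1.6-py3.8.egg/plone/protect/auto.py", line 288, in _check
    '\n'.join(traceback.format_stack()),
aborting transaction due to no CSRF protection on url http://localhost:8080/Plone/listing_view
"""
SAMPLE_LOG = _ABORT * 3 + (
    "2022-04-07 11:28:40,001 INFO    [Zope:42][waitress-1] Ready to handle requests\n")


def csrf_aborts(log_text):
    """Count distinct plone.protect aborts per (url, publisher event)."""
    starts = list(RECORD.finditer(log_text))
    seen, counts = set(), Counter()
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(log_text)
        body = log_text[m.start():end]
        abort = ABORT.search(body)
        if m["logger"] != "plone.protect" or not abort:
            continue
        # Assumption: the same timestamp, thread and URL means the same
        # abort written to the log more than once.
        key = (m["ts"], m["thread"], abort[1])
        if key in seen:
            continue
        seen.add(key)
        event = EVENT.search(body)
        counts[(abort[1], event[1] if event else "unknown")] += 1
    return counts


if __name__ == "__main__":
    for (url, event), n in csrf_aborts(SAMPLE_LOG).items():
        print(f"{n} abort(s) during {event}: {url}")
```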
