Ignore CSRF protect for subscriber event

terapyon · April 8, 2022, 2:52am

I'm trying to make a MembaerArea and Published the folder in my original PAS product.

It seems the below code.

membershipTool.createMemberArea(userId)
member_folder = plone.api.portal.get("Members")
home_folder = member_folder.get(usersId)
workflow_tool.doActionFor(home_folder, "publish")

collective/Products.AutoUserMakerPASPlugin/blob/master/Products/AutoUserMakerPASPlugin/auth.py#L156

      
        
            # Add the user to the first IUserAdderPlugin that works:
            user = None
            for _, curAdder in userAdders:
                if curAdder.doAddUser(userId, self._generatePassword()):
                    # Assign a dummy password. It'll never be used;.
                    user = self._getPAS().getUser(userId)
                    try:
                        membershipTool = getToolByName(self,
                                                    'portal_membership')
                        if not membershipTool.getHomeFolder(userId):
                            membershipTool.createMemberArea(userId)
                    except (ConflictError, KeyboardInterrupt):
                        raise
                    except Exception:
                        pass
                    self._updateUserProperties(user, credentials)
                    break
            
            
# Build a list of roles to assign to the user, starting with the
            # default roles (usually at least Member)
            roles = {}

But I got protect error, it is:

...
  File "/usr/local/lib/python3.8/contextlib.py", line 120, in __exit__
    next(self.gen)
  File "/plone/buildout-cache/eggs/cp38/Zope-4.6.3-py3.8.egg/ZPublisher/WSGIPublisher.py", line 164, in transaction_pubevents
    notify(pubevents.PubBeforeCommit(request))
  File "/plone/buildout-cache/eggs/cp38/zope.event-4.5.0-py3.8.egg/zope/event/__init__.py", line 32, in notify
    subscriber(event)
  File "/plone/buildout-cache/eggs/cp38/zope.component-4.6.2-py3.8.egg/zope/component/event.py", line 27, in dispatch
    component_subscribers(event, None)
  File "/plone/buildout-cache/eggs/cp38/zope.component-4.6.2-py3.8.egg/zope/component/_api.py", line 134, in subscribers
    return sitemanager.subscribers(objects, interface)
  File "/plone/buildout-cache/eggs/cp38/zope.interface-5.4.0-py3.8-linux-x86_64.egg/zope/interface/registry.py", line 448, in subscribers
    return self.adapters.subscribers(objects, provided)
  File "/plone/buildout-cache/eggs/cp38/zope.interface-5.4.0-py3.8-linux-x86_64.egg/zope/interface/adapter.py", line 899, in subscribers
    subscription(*objects)
  File "/plone/buildout-cache/eggs/cp38/plone.transformchain-2.0.2-py3.8.egg/plone/transformchain/zpublisher.py", line 86, in applyTransformOnSuccess
    transformed = applyTransform(event.request)
  File "/plone/buildout-cache/eggs/cp38/plone.transformchain-2.0.2-py3.8.egg/plone/transformchain/zpublisher.py", line 75, in applyTransform
    transformed = transformer(request, result, encoding)
  File "/plone/buildout-cache/eggs/cp38/plone.transformchain-2.0.2-py3.8.egg/plone/transformchain/transformer.py", line 59, in __call__
    newResult = handler.transformIterable(result, encoding)
  File "/plone/buildout-cache/eggs/cp38/plone.protect-4.1.6-py3.8.egg/plone/protect/auto.py", line 191, in transformIterable
    if not self.check():
  File "/plone/buildout-cache/eggs/cp38/plone.protect-4.1.6-py3.8.egg/plone/protect/auto.py", line 216, in check
    return self._check()
  File "/plone/buildout-cache/eggs/cp38/plone.protect-4.1.6-py3.8.egg/plone/protect/auto.py", line 288, in _check
    '\n'.join(traceback.format_stack()),

I think it related subscribers notify not in same Request.
Can you have any advice?

dieter · April 8, 2022, 5:14am

Manabu TERADA via Plone Community wrote at 2022-4-8 03:02 +0000:

...
I'm trying to make a MembaerArea and Published the folder in my original PAS product.
...
But I got protect error, it is:
...
I think it related subscribers notify not in same Request.
Can you have any advice?

All subscribers are executed in the same request.

The CSRF protection subscriber is activated for the handling
of the ZPublisher.interfaces.IPubEnd event (it signals the end
of "normal" request processing).

plone.protect allows you to deactivate the check for the current
request or specific objects modified by the current request.
You could use one of those features.

terapyon · April 15, 2022, 1:24am

We are trying to ignore protect after creating home_folder the below:

alsoProvides(getRequest(), IDisableCSRFProtection)  
api.content.transition(obj=home_folder, transition="publish")

But we got the same error. we don't find the error, if no workflow action,

dieter · April 15, 2022, 5:43am

Manabu TERADA via Plone Community wrote at 2022-4-15 01:34 +0000:

We are trying to ignore protect after creating home_folder the below:
alsoProvides(getRequest(), IDisableCSRFProtection)
api.content.transition(obj=home_folder, transition="publish")
But we got the same error. we don't find the error, if no workflow action,

Looks like it should work.

Whenever unexpected things happen I try to debug in order to find
out what goes on.
In your case, I would put 2 (code) breakpoints into the code:
one into the code above to verify that getRequest returns the right
request, one into the plone.protect code to find out why
the protection is triggered (even though it should be disabled).

jensens · April 19, 2022, 11:10am

It looks like the error is truncated. Can you provide us the full traceback?

terapyon · April 19, 2022, 12:30pm

@jensens

My error is this:

2022-04-07 11:28:39,462 INFO    [plone.protect:285][waitress-2]   File "/usr/local/lib/python3.8/threading.py", line 890, in _bootstrap
    self._bootstrap_inner()

  File "/usr/local/lib/python3.8/threading.py", line 932, in _bootstrap_inner
    self.run()
  File "/usr/local/lib/python3.8/threading.py", line 870, in run
    self._target(*self._args, **self._kwargs)
  File "/plone/buildout-cache/eggs/cp38/waitress-1.4.4-py3.8.egg/waitress/task.py", line 86, in handler_thread
    task.service()
  File "/plone/buildout-cache/eggs/cp38/waitress-1.4.4-py3.8.egg/waitress/channel.py", line 350, in service
    task.service()
  File "/plone/buildout-cache/eggs/cp38/waitress-1.4.4-py3.8.egg/waitress/task.py", line 171, in service
    self.execute()
  File "/plone/buildout-cache/eggs/cp38/waitress-1.4.4-py3.8.egg/waitress/task.py", line 441, in execute
    app_iter = self.channel.server.application(environ, start_response)
  File "/plone/buildout-cache/eggs/cp38/Paste-3.5.0-py3.8.egg/paste/translogger.py", line 69, in __call__
    return self.application(environ, replacement_start_response)
  File "/plone/buildout-cache/eggs/cp38/Zope-4.6.3-py3.8.egg/ZPublisher/httpexceptions.py", line 30, in __call__
    return self.application(environ, start_response)
  File "/plone/buildout-cache/eggs/cp38/Zope-4.6.3-py3.8.egg/ZPublisher/WSGIPublisher.py", line 376, in publish_module
    environ['REMOTE_USER'] = user.getUserName()
  File "/usr/local/lib/python3.8/contextlib.py", line 120, in __exit__
    next(self.gen)
  File "/plone/buildout-cache/eggs/cp38/Zope-4.6.3-py3.8.egg/ZPublisher/WSGIPublisher.py", line 164, in transaction_pubevents
    notify(pubevents.PubBeforeCommit(request))
  File "/plone/buildout-cache/eggs/cp38/zope.event-4.5.0-py3.8.egg/zope/event/__init__.py", line 32, in notify
    subscriber(event)
  File "/plone/buildout-cache/eggs/cp38/zope.component-4.6.2-py3.8.egg/zope/component/event.py", line 27, in dispatch
    component_subscribers(event, None)
  File "/plone/buildout-cache/eggs/cp38/zope.component-4.6.2-py3.8.egg/zope/component/_api.py", line 134, in subscribers
    return sitemanager.subscribers(objects, interface)
  File "/plone/buildout-cache/eggs/cp38/zope.interface-5.4.0-py3.8-linux-x86_64.egg/zope/interface/registry.py", line 448, in subscribers
    return self.adapters.subscribers(objects, provided)
  File "/plone/buildout-cache/eggs/cp38/zope.interface-5.4.0-py3.8-linux-x86_64.egg/zope/interface/adapter.py", line 899, in subscribers
    subscription(*objects)
  File "/plone/buildout-cache/eggs/cp38/plone.transformchain-2.0.2-py3.8.egg/plone/transformchain/zpublisher.py", line 86, in applyTransformOnSuccess
    transformed = applyTransform(event.request)
  File "/plone/buildout-cache/eggs/cp38/plone.transformchain-2.0.2-py3.8.egg/plone/transformchain/zpublisher.py", line 75, in applyTransform
    transformed = transformer(request, result, encoding)
  File "/plone/buildout-cache/eggs/cp38/plone.transformchain-2.0.2-py3.8.egg/plone/transformchain/transformer.py", line 59, in __call__
    newResult = handler.transformIterable(result, encoding)
  File "/plone/buildout-cache/eggs/cp38/plone.protect-4.1.6-py3.8.egg/plone/protect/auto.py", line 191, in transformIterable
    if not self.check():
  File "/plone/buildout-cache/eggs/cp38/plone.protect-4.1.6-py3.8.egg/plone/protect/auto.py", line 216, in check
    return self._check()
  File "/plone/buildout-cache/eggs/cp38/plone.protect-4.1.6-py3.8.egg/plone/protect/auto.py", line 288, in _check
    '\n'.join(traceback.format_stack()),
aborting transaction due to no CSRF protection on url http://localhost:8080/Plone/listing_view

2022-04-07 11:28:39,462 INFO    [plone.protect:285][waitress-2]   File "/usr/local/lib/python3.8/threading.py", line 890, in _bootstrap
    self._bootstrap_inner()
  File "/usr/local/lib/python3.8/threading.py", line 932, in _bootstrap_inner
    self.run()
  File "/usr/local/lib/python3.8/threading.py", line 870, in run
    self._target(*self._args, **self._kwargs)
  File "/plone/buildout-cache/eggs/cp38/waitress-1.4.4-py3.8.egg/waitress/task.py", line 86, in handler_thread
    task.service()
  File "/plone/buildout-cache/eggs/cp38/waitress-1.4.4-py3.8.egg/waitress/channel.py", line 350, in service
    task.service()
  File "/plone/buildout-cache/eggs/cp38/waitress-1.4.4-py3.8.egg/waitress/task.py", line 171, in service
    self.execute()
  File "/plone/buildout-cache/eggs/cp38/waitress-1.4.4-py3.8.egg/waitress/task.py", line 441, in execute
    app_iter = self.channel.server.application(environ, start_response)
  File "/plone/buildout-cache/eggs/cp38/Paste-3.5.0-py3.8.egg/paste/translogger.py", line 69, in __call__
    return self.application(environ, replacement_start_response)
  File "/plone/buildout-cache/eggs/cp38/Zope-4.6.3-py3.8.egg/ZPublisher/httpexceptions.py", line 30, in __call__
    return self.application(environ, start_response)
  File "/plone/buildout-cache/eggs/cp38/Zope-4.6.3-py3.8.egg/ZPublisher/WSGIPublisher.py", line 376, in publish_module
    environ['REMOTE_USER'] = user.getUserName()
  File "/usr/local/lib/python3.8/contextlib.py", line 120, in __exit__
    next(self.gen)
  File "/plone/buildout-cache/eggs/cp38/Zope-4.6.3-py3.8.egg/ZPublisher/WSGIPublisher.py", line 164, in transaction_pubevents
    notify(pubevents.PubBeforeCommit(request))
  File "/plone/buildout-cache/eggs/cp38/zope.event-4.5.0-py3.8.egg/zope/event/__init__.py", line 32, in notify
    subscriber(event)
  File "/plone/buildout-cache/eggs/cp38/zope.component-4.6.2-py3.8.egg/zope/component/event.py", line 27, in dispatch
    component_subscribers(event, None)
  File "/plone/buildout-cache/eggs/cp38/zope.component-4.6.2-py3.8.egg/zope/component/_api.py", line 134, in subscribers
    return sitemanager.subscribers(objects, interface)
  File "/plone/buildout-cache/eggs/cp38/zope.interface-5.4.0-py3.8-linux-x86_64.egg/zope/interface/registry.py", line 448, in subscribers
    return self.adapters.subscribers(objects, provided)
  File "/plone/buildout-cache/eggs/cp38/zope.interface-5.4.0-py3.8-linux-x86_64.egg/zope/interface/adapter.py", line 899, in subscribers
    subscription(*objects)
  File "/plone/buildout-cache/eggs/cp38/plone.transformchain-2.0.2-py3.8.egg/plone/transformchain/zpublisher.py", line 86, in applyTransformOnSuccess
    transformed = applyTransform(event.request)
  File "/plone/buildout-cache/eggs/cp38/plone.transformchain-2.0.2-py3.8.egg/plone/transformchain/zpublisher.py", line 75, in applyTransform
    transformed = transformer(request, result, encoding)
  File "/plone/buildout-cache/eggs/cp38/plone.transformchain-2.0.2-py3.8.egg/plone/transformchain/transformer.py", line 59, in __call__
    newResult = handler.transformIterable(result, encoding)
  File "/plone/buildout-cache/eggs/cp38/plone.protect-4.1.6-py3.8.egg/plone/protect/auto.py", line 191, in transformIterable
    if not self.check():
  File "/plone/buildout-cache/eggs/cp38/plone.protect-4.1.6-py3.8.egg/plone/protect/auto.py", line 216, in check
    return self._check()
  File "/plone/buildout-cache/eggs/cp38/plone.protect-4.1.6-py3.8.egg/plone/protect/auto.py", line 288, in _check
    '\n'.join(traceback.format_stack()),
aborting transaction due to no CSRF protection on url http://localhost:8080/Plone/listing_view
2022-04-07 11:28:39,462 INFO    [plone.protect:285][waitress-2]   File "/usr/local/lib/python3.8/threading.py", line 890, in _bootstrap
    self._bootstrap_inner()
  File "/usr/local/lib/python3.8/threading.py", line 932, in _bootstrap_inner
    self.run()
  File "/usr/local/lib/python3.8/threading.py", line 870, in run
    self._target(*self._args, **self._kwargs)
  File "/plone/buildout-cache/eggs/cp38/waitress-1.4.4-py3.8.egg/waitress/task.py", line 86, in handler_thread
    task.service()
  File "/plone/buildout-cache/eggs/cp38/waitress-1.4.4-py3.8.egg/waitress/channel.py", line 350, in service
    task.service()
  File "/plone/buildout-cache/eggs/cp38/waitress-1.4.4-py3.8.egg/waitress/task.py", line 171, in service
    self.execute()
  File "/plone/buildout-cache/eggs/cp38/waitress-1.4.4-py3.8.egg/waitress/task.py", line 441, in execute
    app_iter = self.channel.server.application(environ, start_response)
  File "/plone/buildout-cache/eggs/cp38/Paste-3.5.0-py3.8.egg/paste/translogger.py", line 69, in __call__
    return self.application(environ, replacement_start_response)
  File "/plone/buildout-cache/eggs/cp38/Zope-4.6.3-py3.8.egg/ZPublisher/httpexceptions.py", line 30, in __call__
    return self.application(environ, start_response)
  File "/plone/buildout-cache/eggs/cp38/Zope-4.6.3-py3.8.egg/ZPublisher/WSGIPublisher.py", line 376, in publish_module
    environ['REMOTE_USER'] = user.getUserName()
  File "/usr/local/lib/python3.8/contextlib.py", line 120, in __exit__
    next(self.gen)
  File "/plone/buildout-cache/eggs/cp38/Zope-4.6.3-py3.8.egg/ZPublisher/WSGIPublisher.py", line 164, in transaction_pubevents
    notify(pubevents.PubBeforeCommit(request))
  File "/plone/buildout-cache/eggs/cp38/zope.event-4.5.0-py3.8.egg/zope/event/__init__.py", line 32, in notify
    subscriber(event)
  File "/plone/buildout-cache/eggs/cp38/zope.component-4.6.2-py3.8.egg/zope/component/event.py", line 27, in dispatch
    component_subscribers(event, None)
  File "/plone/buildout-cache/eggs/cp38/zope.component-4.6.2-py3.8.egg/zope/component/_api.py", line 134, in subscribers
    return sitemanager.subscribers(objects, interface)
  File "/plone/buildout-cache/eggs/cp38/zope.interface-5.4.0-py3.8-linux-x86_64.egg/zope/interface/registry.py", line 448, in subscribers
    return self.adapters.subscribers(objects, provided)
  File "/plone/buildout-cache/eggs/cp38/zope.interface-5.4.0-py3.8-linux-x86_64.egg/zope/interface/adapter.py", line 899, in subscribers
    subscription(*objects)
  File "/plone/buildout-cache/eggs/cp38/plone.transformchain-2.0.2-py3.8.egg/plone/transformchain/zpublisher.py", line 86, in applyTransformOnSuccess
    transformed = applyTransform(event.request)
  File "/plone/buildout-cache/eggs/cp38/plone.transformchain-2.0.2-py3.8.egg/plone/transformchain/zpublisher.py", line 75, in applyTransform
    transformed = transformer(request, result, encoding)
  File "/plone/buildout-cache/eggs/cp38/plone.transformchain-2.0.2-py3.8.egg/plone/transformchain/transformer.py", line 59, in __call__
    newResult = handler.transformIterable(result, encoding)
  File "/plone/buildout-cache/eggs/cp38/plone.protect-4.1.6-py3.8.egg/plone/protect/auto.py", line 191, in transformIterable
    if not self.check():
  File "/plone/buildout-cache/eggs/cp38/plone.protect-4.1.6-py3.8.egg/plone/protect/auto.py", line 216, in check
    return self._check()
  File "/plone/buildout-cache/eggs/cp38/plone.protect-4.1.6-py3.8.egg/plone/protect/auto.py", line 288, in _check
    '\n'.join(traceback.format_stack()),
aborting transaction due to no CSRF protection on url http://localhost:8080/Plone/listing_view

jensens · April 20, 2022, 1:16pm

Thanks. As usual difficult to tell. plone.protect does not tell enough and we are already at the end of the request here.

jaroel · April 22, 2022, 4:04pm

Like Dieter said, are you really sure that you have a request object? Maybe it is a None because you try to do this inside a PAS plugin?

Could you try something like:

request = getRequest()
assert request is not None
alsoProvides(request, IDisableCSRFProtection)