Missing plone.protect in migrated site

I'm migrating a site from Plone 5.2 to 6.0.4. I was able to run the main Plone migration but when I tried to run the upgrade steps for package profiles in portal_setup they failed silently. I was able to confirm this is because no authenticator form field is being passed. I do have plone.protect==5.0.0 in the venv so I'm not sure why these aren't being automatically to Plone or ZMI forms. I don't have a problem with a new site created on the same ZODB, just the migrated one.

To be clear, there's no failed request to get the protect.js - I can see in the source code it's not requested at all.

You might need to step through the code in plone.protect/plone/protect/auto.py at 711a796785ed24d2cd44eb642a40610bff32a970 · plone/plone.protect · GitHub to see why it's not working.

You can try temporarily disabling CSRF protection by setting the PLONE_CSRF_DISABLED environment variable to true, in order to run the upgrade steps, in case there is some upgrade step that makes a change which fixes the problem.

Thanks, I was able to figure it out from this. The problem was that I had a theme for this site that was not in the venv. This caused an error which presumably led to plone.protect's traversal failing - even in the ZMI. This is a slight gotcha because the error only shows up in the logs, while the page returns a 200.

OSError: Error reading file '/++theme++srp/rules.xml': failed to load external entity "/++theme++srp/rules.xml"

The solution was to set PLONE_CSRF_DISABLED in the zope.conf, restart, and set the site's theme to anything valid. Then I was able to remove the PLONE_CSRF_DISABLED env var and do business as usual.