Problem with CSRF protection inside the folder_contents view

Hello everybody,

I'm in the middle of a migration from Plone 4 to Plone 5.2.4. Lots of bigger or smaller issues, but most of them are behind me now :slight_smile:

Right now I'm trying to understand why I get the CSRF / plone.protect message "Confirm that you'd like to perform this action" when I click on certain objects in the folder_contents view.

Disabling the CSRF protection globally doesn't seem to help (I know, I shouldn't do it anyway ;)), so I'm trying another approach, i.e., adding the _authenticator param to the URLs. I'm trying to find the right place in the source code (staticresources? patterns? mockups? ...). Any pointer would be appreciated :slight_smile:

Thanks in advance,
Laurent.

Strange. After you have disabled CSRF protection, you should no longer get any CSRF related messages.

An "output transform" adds it automatically to forms. Thus, it is usually not necessary to add an authenticator token manually. When GET requests trigger CSRF protection, then this usually means that they modified persistent data unintentionally (GET requests should not have side effects). Then it may be appropriate to find out which objects are modified and determine whether this is okay or a bug. In the former case, plone.protect has a function to declare that a modification is expected.

To find out which objects have been modified, one can look at the transaction. It has an attribute with resources in its name. Its value is a list of resource managers, among them ZODB connections. A ZODB connection has an attribute which has information about all modified objects (I forgot its name: look at the source code for tpc_begin/tpc_vote to find out).
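Dieter's debugging procedure above, as an added example that is not part of the thread: a small helper that walks the transaction's resource managers and lists the objects a ZODB connection has registered as modified, plus a wrapper for declaring an expected write. Assumptions: the attribute names transaction._resources and Connection._registered_objects (from the transaction and ZODB packages as I know them), and plone.protect.auto.safeWrite as the function that declares an expected write; the Fake* classes are constructed stand-ins so the helper runs without a Zope instance.

```python
"""Added example (not from the thread): list the objects the current
transaction would write, so a GET view that trips plone.protect's
automatic CSRF check can be diagnosed.  Attribute names are assumptions
based on the transaction and ZODB packages; the Fake* classes are
constructed stand-ins, not ZODB classes."""


def modified_objects(txn):
    """Return (resource_manager, obj) pairs for every object registered
    as modified with the ZODB connections joined to transaction `txn`.
    `_resources` is the list of resource managers Dieter refers to; a
    ZODB Connection keeps the objects it will write in
    `_registered_objects`.  Non-ZODB resource managers are skipped."""
    found = []
    for rm in getattr(txn, "_resources", []):
        for obj in getattr(rm, "_registered_objects", []):
            found.append((rm, obj))
    return found


def describe(txn):
    """Human-readable report, e.g. for a pdb session inside the view."""
    return ["%s -> %r" % (type(rm).__name__, getattr(obj, "_p_oid", obj))
            for rm, obj in modified_objects(txn)]


def mark_expected(obj, request=None):
    """Declare a write as intentional so plone.protect does not prompt.
    Assumes plone.protect.auto.safeWrite; returns False when plone.protect
    is not importable (e.g. when run outside a Plone environment)."""
    try:
        from plone.protect.auto import safeWrite
    except ImportError:
        return False
    safeWrite(obj, request)
    return True


# Constructed stand-ins so the helper can be exercised offline.
class FakePersistent:
    def __init__(self, oid):
        self._p_oid = oid


class FakeConnection:
    def __init__(self, objs):
        self._registered_objects = list(objs)


class FakeTransaction:
    def __init__(self, *resource_managers):
        self._resources = list(resource_managers)
```

In a real instance, call `describe(transaction.get())` from a breakpoint in the view that triggers the prompt.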

Thank you Dieter,

I thought so, too. But the plone.protect docs do state that even then, not all checks are disabled.

And I think that's the case for folder_contents, and it's taken into account for form-related activities (check boxes + select an action on the checked object). The problem is that the CSRF check is fired when I want to open the objects themselves (incidentally, GET requests).

The difficulty, in my case, is that I don't know where to inject my code, e.g., where to declare that the request is safe. But I will explore your suggestions and, hopefully, come to a solution :slight_smile:

Thanks a lot,
Laurent.

OK, I think I got it. After adding an export PLONE_CSRF_DISABLED=true in bash, and checking that the variable was there, I simply did a bin/client1 restart.

I guess I should have used bin/client1 stop;bin/client1 start. The "restart" variant probably remains in the same process, and doesn't read the new environment variable. At least I have a Plan B now.

Again, thanks a lot for your help, Dieter :slight_smile:

Laurent.