
Fix publishing to receiver on plone 5 #14

Merged (1 commit, Nov 5, 2019)

Conversation

@Nachtalb
Member

Nachtalb commented Nov 5, 2019

The plone.protect autoprotection feature on Plone 5 hinders us from
publishing to the receiver because we can't easily get the CSRF token from
the sender side. Disabling the CSRF protection on this view solves the
problem.

@Nachtalb Nachtalb requested a review from 4teamwork/plone Nov 5, 2019
@Nachtalb Nachtalb self-assigned this Nov 5, 2019
@Nachtalb

Member Author

Nachtalb commented Nov 5, 2019

@jone, can you elaborate on why it isn't a big security issue?

@jone
jone approved these changes Nov 5, 2019
Member

jone left a comment

👍

  • In a publisher setup, we usually have an editing site and a public facing site. On the public facing site no user is logged in; the publisher publishes content. Since no users are logged in there, there are no victims to attack.
  • The publisher itself does not have a session - it just sends requests with data. So it does not make sense to first retrieve a CSRF token.
  • On the sender-side, the CSRF token is already verified.
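As an added illustration of the decision discussed in this thread (not code from this PR, from the publisher project, or from plone.protect), the following constructed Python model walks through what an autoprotection hook does with the three kinds of request the comments mention: an editor's form post carrying a valid token, a cross-site forgery without one, and the session-less publisher request to the receiver view before and after the view opts out. In real plone.protect the opt-out is done by marking the request with `plone.protect.interfaces.IDisableCSRFProtection` (for example `alsoProvides(self.request, IDisableCSRFProtection)` inside the view), and the token travels in the `_authenticator` form field; the model replaces the marker with a set of opted-out view names. The secret, the view name `publisher-receive`, the user ids and the payload are assumptions made up for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed model of plone.protect-style automatic CSRF checking.
# It is NOT plone.protect's code; names below are assumptions for illustration.
SECRET = b"constructed-keyring-secret"  # plone.protect takes its secret from plone.keyring


def create_token(user_id: str, secret: bytes = SECRET) -> str:
    """Authenticator token bound to the logged-in user (HMAC over the user id)."""
    return hmac.new(secret, user_id.encode(), hashlib.sha256).hexdigest()


def check_token(token: str, user_id: str, secret: bytes = SECRET) -> bool:
    """Constant-time comparison against the token this user should hold."""
    return hmac.compare_digest(token, create_token(user_id, secret))


@dataclass
class Request:
    view: str                  # name of the view being called
    user: str                  # identity the request is authenticated as
    form: dict = field(default_factory=dict)
    writes_db: bool = True     # whether the transaction registers DB writes


def auto_protect(req: Request, csrf_disabled_views: frozenset) -> str:
    """What the autoprotection hook decides for one request: 'skip', 'allow' or 'reject'."""
    if not req.writes_db:
        return "skip"      # nothing was written, so there is nothing to protect
    if req.view in csrf_disabled_views:
        return "allow"     # the view opted out, as this PR does for the receiver view
    token = req.form.get("_authenticator")
    if token is None or not check_token(token, req.user):
        return "reject"    # plone.protect would abort the transaction / raise Forbidden
    return "allow"


RECEIVER_VIEW = "publisher-receive"   # assumed name; the PR does not name the view


def run_scenarios() -> dict:
    before = frozenset()                    # before the fix: no view opts out
    after = frozenset({RECEIVER_VIEW})      # after the fix: the receiver view opts out
    editor = "editor@editing-site"          # constructed user id
    # 1. An editor's form submission on the editing site carries a valid token.
    good_form = Request("edit", editor, form={"_authenticator": create_token(editor)})
    # 2. A cross-site forgery: same editor, but the attacker's page cannot know the token.
    forged = Request("edit", editor, form={})
    # 3. The publisher's server-to-server request: no browser session, hence no token.
    publisher = Request(RECEIVER_VIEW, "publisher-service", form={"payload": "..."})
    return {
        "editor_with_token": auto_protect(good_form, after),
        "forged_without_token": auto_protect(forged, after),
        "publisher_before_fix": auto_protect(publisher, before),
        "publisher_after_fix": auto_protect(publisher, after),
        "token_for_wrong_user": check_token(create_token(editor), "someone-else"),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Running the block shows the publisher request rejected before the opt-out and allowed after it, while a forged post for a logged-in editor is still rejected on every other view. Note that the opt-out removes only the token check; whatever access control the receiver view applies to the publisher's request is untouched by it.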
@Nachtalb Nachtalb merged commit 847ae0f into master Nov 5, 2019
@Nachtalb Nachtalb deleted the ne/fix-csrf-publishing-error branch Nov 5, 2019