Do not bother additional CRSF protection for addMember since all public

users get same CSRF token and the method should be unpublished. See https://pypi.python.org/pypi/Products.PloneHotfix20150910
plone · Sep 10, 2015 · 43a10d9 · 43a10d9
1 parent 0ad8a63
commit 43a10d9
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 8 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -8,6 +8,11 @@ Changelog
 5.0rc2 (unreleased)
 -------------------
 
+- Do not bother additional CRSF protection for addMember since all public
+  users get same CSRF token and the method should be unpublished.
+  See https://pypi.python.org/pypi/Products.PloneHotfix20150910
+  [vangheem]
+
 - Remove site properties that have been migrated to the registry.
   [esteele]
 

diff --git a/Products/CMFPlone/patches/csrf.py b/Products/CMFPlone/patches/csrf.py
@@ -15,9 +15,6 @@ def applyPatches():
     PT.transitionObjectsByPaths = patch(PT.transitionObjectsByPaths)
     PT.renameObjectsByPaths = patch(PT.renameObjectsByPaths)
 
-    from Products.CMFCore.RegistrationTool import RegistrationTool
-    RegistrationTool.addMember = patch(RegistrationTool.addMember)
-
     from Products.CMFCore.MembershipTool import MembershipTool as MT
     from Products.PlonePAS.tools.membership import MembershipTool as PMT
     MT.setPassword = patch(MT.setPassword)

diff --git a/Products/CMFPlone/tests/testCSRFProtection.py b/Products/CMFPlone/tests/testCSRFProtection.py
@@ -57,11 +57,6 @@ def test_PloneTool_renameObjectsByPaths(self):
             'paths:list=events&new_ids:list=foo&new_titles:list=Foo')
         self.assertTrue(self.portal.get('foo', None))
 
-    def test_RegistrationTool_addMember(self):
-        self.checkAuthenticator(
-            '/portal_registration/addMember',
-            'id=john&password=y0d4Wg')
-
     def test_RegistrationTool_editMember(self):
         self.checkAuthenticator(
             '/portal_registration/editMember',