fix auto csrf protection integration

plone/app/portlets/browser/manage.py

@@ -32,6 +32,7 @@
 
 from plone.app.portlets import utils
 from plone.memoize.view import memoize
+from plone.protect.authenticator import createToken
 
 
 class ManageContextualPortlets(BrowserView):
@@ -111,6 +112,10 @@ class ManageDashboardPortlets(BrowserView):
 
     # IManagePortletsView implementation
 
+    @property
+    def auth_token(self):
+        return createToken()
+
     @property
     def macros(self):
         return self.index.macros

plone/app/portlets/browser/templates/manage-dashboard.pt

@@ -45,7 +45,7 @@
                   </li>
                   <li class="selected">
                     <a href=""
-                       tal:attributes="href string:${context/@@plone_portal_state/navigation_root_url}/@@manage-dashboard"
+                       tal:attributes="href string:${context/@@plone_portal_state/navigation_root_url}/@@manage-dashboard?_authenticator=${view/auth_token}"
                        i18n:translate="label_edit">Edit</a>
                   </li>
                 </ul>

plone/app/portlets/tests/testMemberDashboard.txt

@@ -6,6 +6,7 @@ Setup::
     >>> uf.userFolderAddUser(user1, pass1, ['Member'], [])
     >>> uf.userFolderAddUser(user2, pass2, ['Member'], [])
     >>> import re
+    >>> from plone.protect.authenticator import createToken
 
 
 bug: 11174: Portal Members can't add portlets to their dashboard
@@ -22,7 +23,8 @@ Login as the 'user1' user
 
 Go to the dashboard and check that portlets are addable here
 
-    >>> browser.open(portal.absolute_url()+'/@@manage-dashboard')
+    >>> browser.open(portal.absolute_url()+'/@@dashboard')
+    >>> browser.getLink('Edit').click()
     >>> 'Add portlet' in browser.contents
     True
 
@@ -66,25 +68,27 @@ Using the addview, let's see that we cannot add a portlet for another user
     >>> browser.getControl(name='__ac_password').value = 'pass2'
     >>> browser.getControl(name='submit').click()
 
-    >>> browser.open(portalURL+'/@@manage-dashboard')
+    >>> self.login('user2')
+
+    >>> browser.open(portalURL+'/@@manage-dashboard?_authenticator=' + createToken())
     >>> bool(re.search('\<\/span\>\s+Search\s+\<\/div\>', browser.contents))
     False
 
 Now, we try to open the @@manage-portlets view and also try to call the addview
 for a portlet. We shouldn't be able to do any of this
 
-    >>> browser.open(portalURL+'/@@manage-portlets')
+    >>> browser.open(portalURL+'/@@manage-portlets?_authenticator=' + createToken())
     >>> "Insufficient Privileges" in browser.contents
     True
-    >>> browser.open(portalURL + "/++contextportlets++plone.leftcolumn/+/portlets.Search")
+    >>> browser.open(portalURL + "/++contextportlets++plone.leftcolumn/+/portlets.Search?_authenticator=" + createToken())
     >>> "Insufficient Privileges" in browser.contents
     True
 
 Finally, if we add the "Member" role to the "Portlets: Manage portlets" permission, we should be able to call
 those views
 
     >>> portal.manage_permission('Portlets: Manage portlets', roles=['Manager', 'Member'], acquire=0)
-    >>> browser.open(portalURL+'/@@manage-portlets')
+    >>> browser.open(portalURL+'/@@manage-portlets?_authenticator=' + createToken())
     >>> "Insufficient Privileges" in browser.contents
     False
     >>> bool(re.search('\<\/span\>\s+Search\s+\<\/div\>', browser.contents))

plone/app/portlets/tests/testViewName.txt

@@ -108,7 +108,8 @@ Now customize the manage dashboard view and check the name is in place too::
 
 Add a portlet in the dashboard and try to delete it::
 
-    >>> browser.open(portal.absolute_url()+'/@@manage-dashboard')
+    >>> browser.open(portal.absolute_url()+'/dashboard')
+    >>> browser.getLink('Edit').click()
     >>> browser.getControl(name=':action',index=0).value = ['/++dashboard++plone.dashboard1+test_user_1_/+/portlets.Search']
     >>> browser.getForm(index=1).submit()
     >>> browser.getControl('Save').click()  # This submits the now shown add form.