Disable plone.protect for all API calls #155
Comments
@sneridagh can you give a specific example of which REST API service causes this problem? An existing one or a new one you're trying to implement? I feel disabling it completely for
@lukasgraf The existing ones have to disable it on write requests; I just wonder if there was a discussion about the subject at some point. It's true that it may be a security issue, but we are already disabling it when the operation requires a write request, otherwise plone.protect does not allow the write operation. Regarding the case that you mentioned, if it were done through JS, wouldn't CORS be able to prevent it from happening?
@vangheem do you have an opinion on that matter? ^^^
What we decided is that as long as these requests cannot be created with normal web URL/form posts, then it's fine to completely drop CSRF protection. From what I remember, the only way the endpoints match and are used is if the You'll want to double check that this is true though.
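As an added illustration of the condition stated in the comment above (example code, not from this issue, plone.protect or plone.restapi): a classifier for requests that a plain HTML form, or a cross-site request a browser sends without a CORS preflight, could have produced; CSRF protection can only be dropped for requests that this classifier rejects. The method, header and content-type lists follow the Fetch standard's definition of a "simple" (CORS-safelisted) request, of which HTML form submissions are a subset; the function names are my own.

```python
# Added example: decide whether a request could have been produced by an
# HTML form or by a cross-site fetch that browsers send WITHOUT a CORS
# preflight.  Only requests that cannot be produced that way are safe to
# exempt from CSRF protection.  Lists follow the Fetch standard's
# "CORS-safelisted" request definition (Range and the per-value byte
# restrictions on Accept/Accept-Language are omitted for brevity).

SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFELISTED_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def is_simple_request(method, headers):
    """True if a browser would send this request cross-site without a preflight.

    `headers` maps header name -> value; names are compared case-insensitively.
    Any non-safelisted header (e.g. X-Requested-With, Authorization) or a
    non-form Content-Type (e.g. application/json) forces a preflight, which a
    third-party page cannot pass unless the server opts in via CORS headers.
    """
    if method.upper() not in SIMPLE_METHODS:
        return False
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            return False
        if lname == "content-type":
            media_type = value.split(";", 1)[0].strip().lower()
            if media_type not in SAFELISTED_CONTENT_TYPES:
                return False
    return True


def may_skip_csrf_check(method, headers):
    """CSRF protection may only be dropped for requests a form or a simple
    cross-site fetch cannot produce; everything else still needs the token."""
    return not is_simple_request(method, headers)
```

Note that a cross-site POST with `Accept: application/json` and `Content-Type: text/plain` is still a simple request, so matching on the Accept header alone does not by itself put an endpoint outside the reach of CSRF.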
Just want to mention that the AutoUserMakerPASPlugin had a similar problem and solved it by declaring the intended changes within a Not sure this makes sense to be considered in the situation here. Just want to mention this anyway. Maybe someone more knowledgeable than me can provide an opinion?
Is there a way to always disable it for all restapi calls? Or is it required to disable it manually every time?
If so, maybe we can provide a convenience decorator for that...
@tisto @lukasgraf @buchi any insights?