
Disable plone.protect for all API calls #155

Open
sneridagh opened this issue Nov 3, 2016 · 5 comments

Comments

@sneridagh
Member

Is there a way to always disable it for all restapi calls? Or is it required to always disable it manually?

    from zope.interface import alsoProvides
    import plone.protect.interfaces

    # Disable CSRF protection for this request; the dir() guard keeps the
    # code working with plone.protect versions that lack the marker interface
    if 'IDisableCSRFProtection' in dir(plone.protect.interfaces):
        alsoProvides(self.request,
                     plone.protect.interfaces.IDisableCSRFProtection)

If so, maybe we can provide a convenience decorator for that...

@tisto @lukasgraf @buchi any insights?

@lukasgraf
Member

@sneridagh can you give a specific example of which REST API service causes this problem? An existing one or a new one you're trying to implement?

I feel disabling it completely for plone.restapi requests might be a security issue, at least in cases where a user is authenticated with basic auth and has an existing web browser session.

@sneridagh
Member Author

@lukasgraf The existing ones have to disable it on write requests; I just wonder if there was a discussion about the subject at some point. It's true that it may be a security issue, but we are already disabling it when the operation requires a write request; otherwise plone.protect does not allow the write operation.

Regarding the case that you mentioned, if it were done through JS, wouldn't CORS be able to prevent it from happening?

@tisto
Sponsor Member

tisto commented Nov 14, 2016

@vangheem do you have an opinion on that matter? ^^^

@vangheem
Member

What we decided is that as long as these requests cannot be created with normal web URL/form posts, then it's fine to completely drop CSRF protection.

From what I remember, the only way the endpoints match and are used is if the Content-Type header is provided with application/json. AFAIK, there is no way to spoof that without javascript running on the client making the request. So in that scenario, it is fine to drop CSRF protection because those views would not be vulnerable.

You'll want to double check that this is true though.
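The gate described above, as an added example that is not plone.restapi's own code: a hypothetical decorator that drops the plone.protect write check only when the request declares `Content-Type: application/json`, which a plain HTML form cannot do. The `Request` class is a constructed stand-in for a Zope request, and a boolean attribute replaces the `IDisableCSRFProtection` marker so the snippet runs offline.

```python
import functools


class Request:
    """Minimal stand-in for a Zope request (constructed for this example);
    the boolean replaces plone.protect's IDisableCSRFProtection marker."""

    def __init__(self, method, headers, body=b""):
        self.method = method
        self.headers = {k.lower(): v for k, v in headers.items()}
        self.body = body
        self.csrf_protection_disabled = False


def media_type(request):
    """Bare media type of Content-Type, lower-cased, with parameters such
    as '; charset=utf-8' removed."""
    value = request.headers.get("content-type", "")
    return value.split(";", 1)[0].strip().lower()


def is_json_request(request):
    # Only the declared media type counts. A plain HTML form can only send
    # application/x-www-form-urlencoded, multipart/form-data or text/plain,
    # so a text/plain body that merely looks like JSON must not qualify.
    return media_type(request) == "application/json"


def csrf_exempt_for_json(view):
    """Disable the plone.protect write check only for requests that a
    cross-site HTML form could not have produced (hypothetical helper)."""
    @functools.wraps(view)
    def wrapper(self, request):
        if is_json_request(request):
            request.csrf_protection_disabled = True
        return view(self, request)
    return wrapper


class UpdateService:
    """Stand-in for a restapi write service; reports whether plone.protect
    would still guard the write."""

    @csrf_exempt_for_json
    def reply(self, request):
        return {"csrf_checked": not request.csrf_protection_disabled}
```

For a cross-origin script the JSON media type makes the browser send a CORS preflight first, so this gate is only as strong as the server's CORS policy.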

@tisto tisto changed the title plone.protect gets in the middle of all write operations Disable plone.protect for all API calls Nov 26, 2016
@raphael-ritz

Just want to mention that the AutoUserMakerPASPlugin had a similar problem and solved it by declaring the intended changes within a safe_write context. See collective/Products.AutoUserMakerPASPlugin@a20e182 for the concrete implementation in that case.

Not sure this makes sense to be considered in the situation here. Just want to mention this anyway. Maybe someone more knowledgeable than me can provide an opinion?
