Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Interaction of plone.api (any version) with plone.app.multilingual -> CSRF issues #527

Closed
zopyx opened this issue May 29, 2018 · 3 comments
Closed

Interaction of plone.api (any version) with plone.app.multilingual -> CSRF issues #527

zopyx opened this issue May 29, 2018 · 3 comments
Assignees
@buchi
Labels
01 type: bug
Projects
Beethoven Sprint 2018

Comments

@zopyx
Copy link
Member

zopyx commented May 29, 2018
edited by jaroel

Content created through plone.restapi lacks the _plone.tg attribute that is added by plone.app.multilingual on the fly during GET requests which causes CSRF protection errors.

Complete discussion here:

https://community.plone.org/t/csrf-issues-with-plone-5-1-2-1/6570

The behavior exists with an early 1.1.0 version and 2.0 version of plone.restapi.

Looks as if addAttributeTG() of plone.app.multilingual.itg is never called through plone.restapi invocations.
@zopyx zopyx added this to the 2.0.0 milestone May 29, 2018
@zopyx
Copy link
Member Author

zopyx commented May 29, 2018

The interesting part is the default front-page of Plone is also affected by the issue. The Plone site itself is created using a custom HTTP endpoint and not manually through the ZMI.

@zopyx zopyx mentioned this issue May 29, 2018
Closed
@jaroel
Copy link
Member

jaroel commented May 29, 2018

Maybe we are lacking the IObjectCreated events

@tisto tisto added this to To do in Beethoven Sprint 2018 via automation Jun 19, 2018
@buchi buchi moved this from To do to In progress in Beethoven Sprint 2018 Jun 22, 2018
@buchi buchi self-assigned this Jun 22, 2018
@buchi
Copy link
Member

buchi commented Jun 23, 2018

This seems not to be plone.restapi related. I've verified that IObjectCreated is fired and that addAttributeTG() is called when creating content through plone.restapi.

Seems to be an issue in p.a.multilingual with Plone 5.1 and should be tracked in plone/plone.app.multilingual#315.

@buchi buchi closed this as completed Jun 23, 2018
Beethoven Sprint 2018 automation moved this from In progress to Done Jun 23, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@buchi buchi

Labels
01 type: bug
Projects
No open projects
Beethoven Sprint 2018
  
Done
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jaroel @buchi @zopyx