- Disable ZMI CSRF check and log it if sessioning is not available

zopefoundation · Aug 21, 2020 · 448efd2 · 448efd2 · mauritsvanrees · Aug 21, 2020
1 parent b5d2b8f
commit 448efd2
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -4,6 +4,9 @@ Change Log
 2.5 (unreleased)
 ----------------
 
+- Disable ZMI CSRF check and log it if sessioning is not available
+  instead of breaking ZMI interactions
+
 - Clear caches before sending group user added/removed events
   (`#71
    <https://github.com/zopefoundation/Products.PluggableAuthService/issues/71>`_)

diff --git a/Products/PluggableAuthService/utils.py b/Products/PluggableAuthService/utils.py
@@ -14,6 +14,7 @@
 import binascii
 import functools
 import inspect
+import logging
 import os
 from hashlib import sha1
 
@@ -28,6 +29,9 @@
 from zope.publisher.interfaces.browser import IBrowserRequest  # noqa
 
 
+logger = logging.getLogger('PluggableAuthService')
+
+
 def directlyProvides(obj, *interfaces):
     normalized_interfaces = []
     for i in interfaces:
@@ -110,6 +114,12 @@ def checkCSRFToken(request, token='csrf_token', raises=True):
 
     If the values match, return True.
     """
+    if getattr(request, 'SESSION', None) is None:
+        # Sessioning is not available at all, just give up
+        logger.warning(
+            'Built-in CSRF check disabled - sessioning not available')
+        return True
+
     if request.form.get(token) != getCSRFToken(request):
         if raises:
             raise Forbidden('incorrect CSRF token')