- added the indirect dependency Products.Sessions for the CSRF-support
dataflake committed Apr 7, 2019
1 parent 378c108 commit acc6571
Showing 2 changed files with 2 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGES.rst
Expand Up @@ -3,6 +3,7 @@ Change Log

2.0 (unreleased)
----------------
- added the indirect dependency ``Products.Sessions`` for the CSRF-support


2.0b4 (2019-04-04)
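
Review bot: The new entry under 2.0 (unreleased) calls Products.Sessions an "indirect dependency", but the setup.py change in this commit puts it in the list of required packages ahead of extras_require, so every installation now pulls it in. Suggest rewording the entry to say that Products.Sessions is now required at install time and why (the ZMI form targets protected by csrf_only need working session support), so that readers upgrading from 2.0b4 can see what changed in their dependency set.
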
1 change: 1 addition & 0 deletions setup.py
Expand Up @@ -69,6 +69,7 @@ def _package_doc(name):
'AccessControl >= 4.0a1',
'Products.PluginRegistry >= 1.6',
'Products.GenericSetup >= 2.0b1',
'Products.Sessions',
'Products.StandardCacheManagers',
],
extras_require={
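
Review bot: 'Products.Sessions' is added with no version constraint and no comment, while the three entries above it ('AccessControl >= 4.0a1', 'Products.PluginRegistry >= 1.6', 'Products.GenericSetup >= 2.0b1') each state a minimum. Because the change log describes this as an indirect dependency that exists only for CSRF support, a short comment on that line saying so would keep a later cleanup from dropping it as unused. Consider also adding a lower bound for the release line this was tested against, so that an older release cannot silently satisfy the requirement.
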

3 comments on commit acc6571

@icemac icemac commented on acc6571 Apr 9, 2019

Hm, we used PluggableAuthService without Products.Sessions and without any problems. (We do not use any server side sessions.)
Could this dependency be moved to an extra in setup.py?

@dataflake

All ZMI form targets that use the csrf_only decorator will fail without some working session support. That's a terrible user experience for someone who installs the package and tries to use the ZMI views for the standard plugins, and many just won't work without any clue why. From a non-expert standpoint the software looks just broken.

We can't predict if a user already had some other session package installed so that REQUEST.SESSION is there. Requiring Products.Sessions is one solution; there could be others. Most other session packages, if they are in use, will already require Products.Sessions themselves, so it's not a big imposition.

@icemac icemac commented on acc6571 Apr 11, 2019

@dataflake Okay, you convinced me: the default installation should just work.
