Can I use plone.protect 3.0 with Plone 4.3?


Since version 3, plone.protect provides automatic CSRF protection.

Plone 4.3 includes, by default, plone.protect 2.0.

Can I just upgrade to start using this feature in Plone 4.3?


There are 2 answers

Mathias (best answer)

I have only a little experience with it and played around with plone.protect 3.x and Plone 4.3.2, but nothing serious.

I also had a lot of add-ons installed, so I cannot say whether the problems were with Plone itself or with an add-on.

Here are my notes:

Yes, you can enable it, but your installation will stop working. So... no, you cannot :-)

First, plone.protect.auto 3.0 handles every POST/GET request by default. For example, session handling is a write request, so you have to fix this manually wherever it's in use!

Second, writing data in annotations (IAnnotations) is also protected by default, so you have to find every place where annotations are used (for example, portlet storage) and fix it.

If your testing environment is in good shape :-) you will get it to work, but out of the box Plone 4.3 is not ready to use it.

Conclusion:

The main problem is GET requests that end up with a database change. I know this is wrong, but Plone 4.3 and/or mainly the add-ons have this behavior.

You will end up extending the plone.protect.auto feature with a whitelist.

vangheem

I wrote all the auto-csrf stuff. I would recommend against using it in Plone 4 unless you want to invest a lot of time into it.

The easiest way to fix using it on Plone 5 would be to add some JavaScript that automatically protects almost everything for you when logged in. That won't deal with the ZMI, and then it depends on JavaScript to work.

The JavaScript would do a couple of things:

  1. add the authenticator token to all forms that post back to the site
  2. add the authenticator token to all admin URLs that potentially do writes to the database. For instance, the "Edit" button does a write to the database because, in Plone 4, AT Content Types make a temporary object in the database. Also, it writes with locking support.
  3. add the authenticator token to all AJAX requests. Use something like https://api.jquery.com/ajaxSend/ to add the token.
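As an added example (not code from the answer above or from the plone.protect project), the three steps could be wired into one page script like this. It assumes the token can be read from the `_authenticator` hidden input that plone.protect renders in forms, that `siteBase` is the portal root URL, that the `WRITE_URL_PATTERNS` list (here only the `edit` view; a real site would extend it) names the admin views that write, and that the server also accepts the token in an `X-CSRF-TOKEN` request header for AJAX calls, which plone.protect 3.x does, but confirm against the version you install. The token is only ever attached to same-site targets so it cannot leak to a third-party origin.

```javascript
// Added example: client-side helper for plone.protect's authenticator token.
// Assumptions are marked in the comments; this is not plone.protect's own code.

// Assumed list of view names that write on GET (constructed; extend per site).
var WRITE_URL_PATTERNS = [/\/(edit|atct_edit)$/];

// Read the token from the hidden input plone.protect renders in protected forms.
function readAuthenticatorToken(doc) {
  var input = doc.querySelector('input[name="_authenticator"]');
  return input ? input.value : null;
}

// True only for relative URLs or absolute URLs under the site root, so the
// token is never sent to another origin.
function isSameSite(url, siteBase) {
  var base = siteBase.replace(/\/+$/, '');
  if (/^[a-z][a-z0-9+.-]*:/i.test(url) || url.indexOf('//') === 0) {
    return url === base || url.indexOf(base + '/') === 0;
  }
  return true;
}

// Append _authenticator as a query parameter, keeping any existing query
// string and fragment; a URL that already carries one is left alone.
function addAuthenticatorToUrl(url, token) {
  if (url.indexOf('_authenticator=') !== -1) return url;
  var hashIdx = url.indexOf('#');
  var fragment = hashIdx === -1 ? '' : url.slice(hashIdx);
  var base = hashIdx === -1 ? url : url.slice(0, hashIdx);
  var sep = base.indexOf('?') === -1 ? '?' : '&';
  return base + sep + '_authenticator=' + encodeURIComponent(token) + fragment;
}

// Does the path part of the URL point at one of the writing admin views?
function isWriteUrl(url, patterns) {
  var path = url.split('?')[0].split('#')[0];
  return patterns.some(function (re) { return re.test(path); });
}

// Steps 1-3 from the answer. Returns the number of forms/links touched.
function installAuthenticator(doc, $, siteBase, patterns) {
  var token = readAuthenticatorToken(doc);
  if (!token) return 0; // anonymous visitor or no token on this view: nothing to do
  var touched = 0;

  // 1. forms that post back to the site get a hidden _authenticator field
  Array.prototype.forEach.call(doc.querySelectorAll('form'), function (form) {
    var action = form.getAttribute('action') || '';
    if (!isSameSite(action, siteBase)) return;
    if (form.querySelector('input[name="_authenticator"]')) return;
    var hidden = doc.createElement('input');
    hidden.type = 'hidden';
    hidden.name = '_authenticator';
    hidden.value = token;
    form.appendChild(hidden);
    touched++;
  });

  // 2. links to admin views that write on GET (e.g. "Edit") get the token in the URL
  Array.prototype.forEach.call(doc.querySelectorAll('a[href]'), function (a) {
    var href = a.getAttribute('href');
    if (isSameSite(href, siteBase) && isWriteUrl(href, patterns)) {
      a.setAttribute('href', addAuthenticatorToUrl(href, token));
      touched++;
    }
  });

  // 3. every jQuery AJAX request to the site carries the token in a header
  //    (assumed: server accepts X-CSRF-TOKEN; otherwise add it to the data instead)
  if ($ && typeof $(doc).ajaxSend === 'function') {
    $(doc).ajaxSend(function (event, xhr, settings) {
      if (isSameSite(settings.url, siteBase)) {
        xhr.setRequestHeader('X-CSRF-TOKEN', token);
      }
    });
  }
  return touched;
}

// Browser entry point; skipped when the helpers are loaded outside a page.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  installAuthenticator(document, window.jQuery, window.location.origin, WRITE_URL_PATTERNS);
}
```

Run it once per page load after jQuery; `installAuthenticator` is idempotent for forms and URLs that already carry a token, so it is safe to call again after content is loaded dynamically.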