[Zope-dev] (optional) CSRF protection in zope.formlib
Jan-Wijbrand Kolman
janwijbrand at gmail.com
Wed Sep 18 18:00:34 CEST 2013
On 9/18/13 5:26 PM, Leonardo Rochael Almeida wrote:
> +1 for implementing convenient CSRF.
>
> I wonder if you could make your implementation more orthogonal by
> implementing a CSRF "field/widget", and make your `protected` attribute
> simply trigger the inclusion of this field implicitly.
>
> This way you wouldn't need to change the `*pageform.pt
> <http://pageform.pt>` templates like you do now, and
> `setupToken()`/`checkToken()` would move to the widget code.
I've considered and experimented with that approach. However, as soon as
you do more complex things with setting up fields in your own form
component, things potentially get hairy.
Furthermore, the form machinery tries to get values from the context
object (in edit forms for example), for each field and tries to set
values for this field on the context object when handling the submit.
This would make handling this field special in way I didn't like.
But yes, the compromise in my implementation is, that you need to render
the hidden input field "yourself" if you overwrite the default templates
- and you most probably do.
For example, grok.formlib does bring its own "default" templates for
forms. I'd need to update that package in case this implementation is
accepted and lands.
regards, jw
More information about the Zope-Dev
mailing list