On Monday, April 04, 2011, Laurence Rowe wrote:
> The authenticator is described on http://pypi.python.org/pypi/plone.protect, but basically it adds an HMAC-SHA signed token into the form submission. By validating this you know that the submission came from a form that your site rendered, rather than an opportunistic 'drive-by' attack from another site.
So why don't we make this a built-in feature then? The token manager (I think you call it the authenticator) needs to be smart, since it needs to deal with stale tokens and similar issues, but otherwise we could just add an authentication mechanism into z3c.form. Mmh, if the token gets stored in the session variable, then we do not even have to worry about token management, since the session container already has that logic. I have a feeling I am missing a level of complexity here...
> I'm happy to go with (3). I assume it is not common for z3c.form users to have non-button actions or customize the ButtonActionHandler?
Not in my experience.

Regards,
Stephan

--
Entrepreneur and Software Geek
Google me. "Zope Stephan Richter"
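The HMAC-signed form token Laurence describes, together with the stale-token handling Stephan raises, sketched as an added example; this is not plone.protect's own code. The key ring, the binding of the token to a user id and session id, and the `_authenticator` field name are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed key ring (assumption): newest key first. Rotating the key is what
# makes old tokens go stale; keeping a few previous keys lets forms that were
# rendered just before a rotation still validate on submit.
def new_key() -> bytes:
    return secrets.token_bytes(32)

def rotate(keyring: list, max_keys: int = 3) -> list:
    # Prepend a fresh key and drop the oldest beyond max_keys.
    return [new_key()] + keyring[:max_keys - 1]

def make_token(key: bytes, user_id: str, session_id: str) -> str:
    # HMAC-SHA256 over the user and session the form was rendered for. Only a
    # holder of the server key can produce it, so another site's form cannot
    # include a valid value, and a token stolen for one session is useless in
    # another.
    msg = f"{user_id}\x00{session_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def render_hidden_field(keyring: list, user_id: str, session_id: str) -> str:
    # What the site puts into the rendered form; signed with the newest key.
    token = make_token(keyring[0], user_id, session_id)
    return f'<input type="hidden" name="_authenticator" value="{token}">'

def check_token(keyring: list, user_id: str, session_id: str,
                submitted) -> bool:
    # Accept a token signed by any key still in the ring. compare_digest keeps
    # the comparison constant-time; reject anything that is not a plain
    # ASCII string before handing it over, since compare_digest raises on
    # non-ASCII text.
    if not isinstance(submitted, str) or not submitted.isascii():
        return False
    for key in keyring:
        expected = make_token(key, user_id, session_id)
        if hmac.compare_digest(expected, submitted):
            return True
    return False
```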