[Zope-dev] CSRF protection for z3c.form
Roger
dev at projekt01.ch
Mon Apr 4 12:22:02 EDT 2011
Hi Laurence, Stephan
Just because you can write login forms with
z3c.form this package has nothing to do with
authentication. That's just a form framework!
Authentication is definitely not a part
of our z3c.form framework and should not
become one.
Why do you think authentication has something
to do with the z3c.form library? Did I miss
something?
Regards
Roger Ineichen
> -----Original Message-----
> From: zope-dev-bounces at zope.org
> [mailto:zope-dev-bounces at zope.org] On Behalf Of Laurence Rowe
> Sent: Monday, 4 April 2011 15:37
> To: zope-dev
> Subject: [Zope-dev] CSRF protection for z3c.form
>
> I've been looking into how we might add CSRF protection to
> z3c.form forms as we will be including z3c.form in Plone 4.1.
> Currently in Plone, we use plone.protect to add an
> authentication token to our forms and then check the token in
> the methods that get called. (plone.protect is BSD licensed, but is
> Zope2 specific.)
>
> I think it's important for the integrator to be able to add
> an authentication policy to all z3c.form forms on a site, so
> I'd rather not rely on having all forms subclass some
> AuthenticatedForm.
>
> I can see a number of possible ways to implement this
>
> 1. Add a hook into z3c.form.form.Form along the lines of::
>
>     def update(self):
>         super(Form, self).update()
>         self.updateActions()
>         self.authenticateSubmission()
>         self.actions.execute()
>         if self.refreshActions:
>             self.updateActions()
>
>     def authenticateSubmission(self):
>         if self.actions.executedActions:
>             authenticator = zope.component.queryMultiAdapter(
>                 (self, self.request, self.getContent()),
>                 interfaces.ISubmissionAuthenticator)
>             if authenticator is not None:
>                 authenticator.authenticate()
>
> This would allow integrators to register an
> ISubmissionAuthenticator that would be called when there are
> actions to execute (so not when a form is just
> displayed.)
>
> 2. Similar to (1) but fire an event. This would allow
> multiple submission authenticators to be registered (e.g. for
> post-only as well as check-authenticator), but this makes it
> more difficult to restrict authenticators to only certain
> forms / requests / contexts.
>
> 3. Register a more specific version of
> z3c.form.button.ButtonActionsHandler
> which performs the check before executing the handler. This
> has the advantage of not requiring any changes to z3c.form,
> but the disadvantages that: only button actions are
> protected, and would be executed per action handler execution
> instead of once per submission.
>
> I'd be interested to know how other z3c.form users approach
> CSRF protection and what approach they would recommend.
>
> Laurence
> _______________________________________________
> Zope-Dev maillist - Zope-Dev at zope.org
> https://mail.zope.org/mailman/listinfo/zope-dev
> ** No cross posts or HTML encoding! ** (Related lists -
> https://mail.zope.org/mailman/listinfo/zope-announce
> https://mail.zope.org/mailman/listinfo/zope )
>
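As an added illustration (not code from the thread, from z3c.form or from plone.protect), a stand-alone Python sketch of option 1: a form that calls its submission authenticator only when there are actions to execute, and an HMAC-based authenticator that checks the token before any handler runs. zope.component, z3c.form and the proposed ISubmissionAuthenticator interface are replaced by plain classes and dict requests; the `_authenticator` field name, the constructed secret and the token derivation are assumptions.

```python
import hmac
import hashlib

# Constructed secret for the example; a deployment would load its own from config.
SERVER_SECRET = b"constructed-example-secret"

def make_token(user_id, session_id):
    """Derive a CSRF token bound to the user and session (HMAC-SHA256)."""
    return hmac.new(SERVER_SECRET, f"{user_id}:{session_id}".encode(),
                    hashlib.sha256).hexdigest()

class CSRFError(Exception):
    pass

class SubmissionAuthenticator:
    """Stand-in for the ISubmissionAuthenticator adapter proposed in the thread:
    requires POST and a _authenticator field matching the session token."""
    def __init__(self, form, request):
        self.form, self.request = form, request
    def authenticate(self):
        if self.request["method"] != "POST":
            raise CSRFError("form submissions must use POST")
        expected = make_token(self.request["user"], self.request["session"])
        supplied = self.request["form"].get("_authenticator", "")
        # constant-time comparison so a wrong token leaks no timing information
        if not hmac.compare_digest(supplied, expected):
            raise CSRFError("missing or invalid CSRF token")

class Form:
    """Minimal form with the update() ordering of option 1: authenticate only
    when there are actions to execute, and before any of them runs."""
    authenticator_factory = SubmissionAuthenticator  # the integrator's hook
    def __init__(self, request):
        self.request = request
        self.executed = []
    def update(self):
        actions = [k for k in self.request["form"] if k.startswith("form.buttons.")]
        if actions:  # a plain display of the form is never authenticated
            self.authenticator_factory(self, self.request).authenticate()
        self.executed.extend(actions)
        return self.executed

def submit(user, session, method, fields):
    """Run one constructed request; returns executed actions or the CSRF error."""
    req = {"user": user, "session": session, "method": method, "form": fields}
    try:
        return Form(req).update()
    except CSRFError as exc:
        return str(exc)
```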