[Zope-dev] (optional) CSRF protection in zope.formlib

Jan-Wijbrand Kolman janwijbrand at gmail.com
Wed Sep 18 18:00:34 CEST 2013


On 9/18/13 5:26 PM, Leonardo Rochael Almeida wrote:
> +1 for implementing convenient CSRF.
>
> I wonder if you could make your implementation more orthogonal by
> implementing a CSRF "field/widget", and make your `protected` attribute
> simply trigger the inclusion of this field implicitly.
>
> This way you wouldn't need to change the `*pageform.pt
> <http://pageform.pt>` templates like you do now, and
> `setupToken()`/`checkToken()` would move to the widget code.

I've considered and experimented with that approach. However, as soon as 
you do more complex things with setting up fields in your own form 
component, things potentially get hairy.

Furthermore, the form machinery tries to get values from the context 
object (in edit forms for example), for each field and tries to set 
values for this field on the context object when handling the submit. 
This would make handling this field special in a way I didn't like.

But yes, the compromise in my implementation is that you need to render 
the hidden input field "yourself" if you overwrite the default templates 
- and you most probably do.

For example, grok.formlib does bring its own "default" templates for 
forms. I'd need to update that package in case this implementation is 
accepted and lands.

regards, jw
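A sketch of the design discussed in this thread (a `protected` attribute that drives `setupToken()`/`checkToken()`, plus a hidden input the template renders itself), as an added example that is not zope.formlib's or grok.formlib's code; the session store, the `form.csrf_token` field name and the `ProtectedForm` class are assumptions:

```python
import hmac
import secrets

TOKEN_KEY = "csrf_token"  # hypothetical session key


class FakeSession(dict):
    """Constructed stand-in for a server-side session store."""


def setup_token(session):
    """Return the session's CSRF token, creating one on first use.

    One token per session is the usual trade-off: it lets every form in
    the session reuse it without extra bookkeeping per form.
    """
    token = session.get(TOKEN_KEY)
    if token is None:
        token = secrets.token_urlsafe(32)  # 256 bits, URL-safe (no HTML metacharacters)
        session[TOKEN_KEY] = token
    return token


def hidden_input(session, name="form.csrf_token"):
    """Render the hidden field a custom template must include (hypothetical field name)."""
    return '<input type="hidden" name="%s" value="%s" />' % (name, setup_token(session))


def check_token(session, submitted):
    """Verify a submitted token: a missing session token is a failure, never a reason to mint one."""
    expected = session.get(TOKEN_KEY)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)  # constant-time comparison


class ProtectedForm:
    protected = True  # hypothetical attribute mirroring the proposal

    def __init__(self, session, request_form):
        self.session = session
        self.request_form = request_form  # dict of submitted fields

    def handle_submit(self):
        """Reject the action before any field is applied to the context object."""
        if self.protected and not check_token(self.session, self.request_form.get("form.csrf_token")):
            return "rejected: bad or missing CSRF token"
        return "accepted"
```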


