Can I use plone.protect 3.0 with Plone 4.3?

Starting with version 3, plone.protect provides automatic CSRF protection.

Plone 4.3 includes plone.protect 2.0 by default.

Can I upgrade to use this feature in Plone 4.3?

+3

2 answers


I have little experience with it and have been playing with plone.protect 3.x and Plone 4.3.2, but nothing major.

I also had a lot of add-ons, so I can't tell if there were problems with Plone itself or an addon.

Here are my notes:

Yes, you can enable it, but your installation will stop working. So ... No, you can't :-)

First, plone.protect.auto 3.0 by default handles every POST/GET request. For example, handling a session is a write request, so you have to fix it manually wherever it is used!



Second, data records in the annotations (IAnnotation) are also protected by default, so you need to find every place where annotations are used (for example, the portlet store) and fix it.

If your test environment is in good shape :-) you get it, but Plone 4.3 isn't ready to use it out of the box.

Output:

The main problem is GET requests that end up changing the database. I may be wrong, but Plone 4.3 and/or mostly addons have this behavior.

This will add the plone.protect.auto function to the whitelist.

+2


I wrote all the auto-csrf files. I would recommend not using it in Plone 4 unless you want to invest a lot of time in it.

The easiest way to fix it with Plone 5 is to add in some JavaScript that will automatically secure almost everything for you upon login. It won't deal with the ZMI, and then it depends on JavaScript working.



JavaScript would do a couple of things:

  • add an authentication token to all forms that are submitted back to the site
  • add an authentication token to all admin URLs that can potentially write to the database. For example, the Edit button writes to the database because in Plone 4 AT Content Types creates a temporary object in the database. Also, it writes with blocking support.
  • add an authentication token to all ajax requests. Use https://api.jquery.com/ajaxSend/ to add a token.

+1

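As an added illustration of the JavaScript approach in this answer (example code, not the answer author's or plone.protect's own): a helper that attaches the token to forms, to same-origin links that point at write-capable views, and to jQuery AJAX requests via ajaxSend. It assumes the token is available in the page as a hidden input named `_authenticator` (plone.protect's form field name), that the server accepts it as that form field or query parameter or as an `X-CSRF-TOKEN` request header, and a constructed list of write-capable path suffixes.

```javascript
const TOKEN_FIELD = '_authenticator';
// Constructed list of path suffixes whose GET handlers write to the ZODB in Plone 4
// (the Edit button case above); extend it to match your site and add-ons.
const WRITE_PATHS = ['/edit', '/folder_factories', '/delete_confirmation', '/@@lock'];
// Relative URLs and absolute URLs on our own origin only: the token must never leave the site.
function isSameOrigin(url, origin) {
  return /^(https?:)?\/\//i.test(url) ? url.startsWith(origin + '/') : true;
}
function isWriteUrl(url) {
  const path = url.split('#')[0].split('?')[0];
  return WRITE_PATHS.some((suffix) => path.endsWith(suffix));
}
// Append the token as a query parameter, keeping query string and fragment, never twice.
function appendTokenToUrl(url, token) {
  const i = url.indexOf('#');
  const base = i === -1 ? url : url.slice(0, i);
  if (new RegExp('[?&]' + TOKEN_FIELD + '=').test(base)) return url;
  const sep = base.indexOf('?') === -1 ? '?' : '&';
  return base + sep + TOKEN_FIELD + '=' + encodeURIComponent(token) + (i === -1 ? '' : url.slice(i));
}
// Inject a hidden _authenticator field into every form that lacks one; returns the count.
function protectForms(doc, token) {
  let count = 0;
  doc.querySelectorAll('form').forEach((form) => {
    if (form.querySelector('input[name="' + TOKEN_FIELD + '"]')) return;
    const input = doc.createElement('input');
    input.type = 'hidden'; input.name = TOKEN_FIELD; input.value = token;
    form.appendChild(input);
    count += 1;
  });
  return count;
}

// Rewrite same-origin links to write-capable views so the GET carries the token.
function protectLinks(doc, token, origin) {
  let count = 0;
  doc.querySelectorAll('a[href]').forEach((a) => {
    const href = a.getAttribute('href');
    if (!isSameOrigin(href, origin) || !isWriteUrl(href)) return;
    a.setAttribute('href', appendTokenToUrl(href, token));
    count += 1;
  });
  return count;
}

// Send the token with every same-origin jQuery AJAX request (https://api.jquery.com/ajaxSend/).
function installAjaxHook($, doc, token, origin) {
  $(doc).ajaxSend((event, xhr, settings) => {
    if (isSameOrigin(settings.url, origin)) xhr.setRequestHeader('X-CSRF-TOKEN', token);
  });
}
```

Run it after the page loads, reading the token from the `_authenticator` hidden input and passing `document` and `window.location.origin` to the three functions. Verify the header name against the plone.protect version you deploy before relying on the AJAX hook.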