Hi Laurence, Stephan Just because you can write login forms with z3c.form this package has nothing to do with authentication. That's just a form framework!
Authentication is defently not a part of our z3c.form framework and should not become one. Why do you think authentication has something to do with the z3c.form library? Did I miss something? Regards Roger Ineichen > -----Ursprüngliche Nachricht----- > Von: zope-dev-boun...@zope.org > [mailto:zope-dev-boun...@zope.org] Im Auftrag von Laurence Rowe > Gesendet: Montag, 4. April 2011 15:37 > An: zope-dev > Betreff: [Zope-dev] CSRF protection for z3c.form > > I've been looking into how we might add CSRF protection to > z3c.form forms as we will be including z3c.form in Plone 4.1. > Currently in Plone, we use plone.protect to add an > authentication token to our forms and then check the token in > the methods that get called. (plone.protect is BSD licensed, but is > Zope2 specific.) > > I think it's important for the integrator to be able to add > an authentication policy to all z3c.form forms on a site, so > I'd rather not rely on having all forms subclass some > AuthenticatedForm. > > I can see a number of possible ways to implement this > > 1. Add a hook into z3c.form.form.Form along the lines of:: > > def update(self): > super(Form, self).update() > self.updateActions() > self.authenticateSubmission() > self.actions.execute() > if self.refreshActions: > self.updateActions() > > def authenticateSubmission(self): > if self.actions.executedActions: > authenticator = zope.component.queryMultiAdapter( > (self, self.request, self.getContent()), > interfaces.ISubmissionAuthenticator) > if authenticator is not None: > authenticator.authenticate() > > This would allow integrators to register an > ISubmissionAuthenticator that would be called when there are > actions to execute (so not when a form is just > displayed.) > > 2. Similar to (1) but fire an event. This would allow > multiple submission authenticators to be registered (e.g. for > post-only as well as check-authenticator), but this makes it > more difficult to restrict authenticators to only certain > forms / requests / contexts. > > 3. Register a more specific version of > z3c.form.button.ButtonActionsHandler > which performs the check before executing the handler. This > has the advantage of not requiring any changes to z3c.form, > but the disadvantages that: only button actions are > protected, and would be executed per action handler execution > instead of once per submission. > > I'd be interested to know how other z3c.form users approach > CSRF protection and what approach they would recommend. > > Laurence > _______________________________________________ > Zope-Dev maillist - Zope-Dev@zope.org > https://mail.zope.org/mailman/listinfo/zope-dev > ** No cross posts or HTML encoding! ** (Related lists - > https://mail.zope.org/mailman/listinfo/zope-announce > https://mail.zope.org/mailman/listinfo/zope ) > _______________________________________________ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )