On 9/18/13 5:26 PM, Leonardo Rochael Almeida wrote:
+1 for implementing convenient CSRF.
I wonder if you could make your implementation more orthogonal by
implementing a CSRF "field/widget", and make your `protected` attribute
simply trigger the inclusion of this field implicitly.
This way you wouldn't need to change the `*pageform.pt
<http://pageform.pt>` templates like you do now, and
`setupToken()`/`checkToken()` would move to the widget code.
I've considered and experimented with that approach. However, as soon as
you do more complex things with setting up fields in your own form
component, things potentially get hairy.
Furthermore, the form machinery tries to get values from the context
object (in edit forms for example), for each field and tries to set
values for this field on the context object when handling the submit.
This would make handling this field special in way I didn't like.
But yes, the compromise in my implementation is, that you need to render
the hidden input field "yourself" if you overwrite the default templates
- and you most probably do.
For example, grok.formlib does bring its own "default" templates for
forms. I'd need to update that package in case this implementation is
accepted and lands.
regards, jw
_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
https://mail.zope.org/mailman/listinfo/zope-announce
https://mail.zope.org/mailman/listinfo/zope )
