On Monday, April 04, 2011, Laurence Rowe wrote:
> The authenticator is described on
> http://pypi.python.org/pypi/plone.protect, but basically it adds an
> HMAC-SHA signed token into the form submission. By validating this you
> know that the submission came from a form that your site rendered,
> rather than an opportunistic 'drive-by' attack from another site.

So why don't we make this a built-in feature then? The token manager (I think
you call it the authenticator) needs to be smart, since it needs to deal with
stale tokens and similar issues, but otherwise we could just add an
authentication mechanism into z3c.form.

Mmh, if the token gets stored in the session variable, then we do not even
have to worry about token management, since the session container has already

I have a feeling I am missing a level of complexity here...

> I'm happy to go with (3). I assume it is not common for z3c.form users
> to have non-button actions or customize the ButtonActionHandler?
Not in my experience.
Entrepreneur and Software Geek
Google me. "Zope Stephan Richter"
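The HMAC-signed form token Laurence describes, including the stale-token handling Stephan brings up, sketched as an added Python example that is not plone.protect's or z3c.form's own code; the secret value, the `_authenticator` field name, the SHA-256 choice and the one-hour acceptance window are assumptions made for the illustration.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed example secret; a real site loads this from configuration and rotates it.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"
MAX_TOKEN_AGE = 3600  # seconds after issue before a token counts as stale (assumed)


def _sign(user_id: str, issued_at: int) -> str:
    # Bind the signature to the authenticated user and the issue time, so a token
    # cannot be replayed for a different user or kept valid forever.
    msg = f"{user_id}|{issued_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def create_token(user_id: str, now: Optional[int] = None) -> str:
    """Value placed in the hidden field when the site itself renders the form."""
    issued_at = int(time.time() if now is None else now)
    return f"{issued_at}.{_sign(user_id, issued_at)}"


def validate_token(token: str, user_id: str, now: Optional[int] = None) -> bool:
    """True only for a token this site issued to this user that is not stale."""
    try:
        ts_str, sig = token.split(".", 1)
        issued_at = int(ts_str)
    except ValueError:
        return False  # missing, malformed or tampered structure
    current = int(time.time() if now is None else now)
    if not 0 <= current - issued_at <= MAX_TOKEN_AGE:
        return False  # issued in the future or outside the accepted window
    # compare_digest keeps the comparison constant-time, so the signature
    # cannot be recovered byte by byte through response timing.
    return hmac.compare_digest(sig, _sign(user_id, issued_at))


def handle_form_post(fields: dict, session_user: str, now: Optional[int] = None) -> str:
    """Shape of a button-action handler: refuse the submission unless the token checks out."""
    token = fields.get("_authenticator", "")
    if not validate_token(token, session_user, now):
        return "rejected: missing, forged, foreign-user or stale authenticator"
    return "accepted"
```

A cross-site form post cannot carry a valid `_authenticator` because the attacking site never receives the server's secret, and a token found in an old page expires on its own, which covers the stale-token case without per-token server storage.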
Zope-Dev maillist - Zope-Dev@zope.org