On 9/18/13 5:26 PM, Leonardo Rochael Almeida wrote:
> +1 for implementing convenient CSRF.
>
> I wonder if you could make your implementation more orthogonal by
> implementing a CSRF "field/widget", and make your `protected` attribute
> simply trigger the inclusion of this field implicitly.
>
> This way you wouldn't need to change the `*pageform.pt` templates like
> you do now, and `setupToken()`/`checkToken()` would move to the widget
> code.

I've considered and experimented with that approach. However, as soon as you do more complex things with setting up fields in your own form component, things potentially get hairy.

Furthermore, the form machinery tries to get values from the context object (in edit forms, for example) for each field, and tries to set values for this field on the context object when handling the submit. This would make handling this field special in a way I didn't like.

But yes, the compromise in my implementation is that you need to render the hidden input field "yourself" if you override the default templates - and you most probably do.

For example, grok.formlib does bring its own "default" templates for forms. I'd need to update that package in case this implementation is accepted and lands.

regards, jw
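Added illustration, not code from this thread, from grok.formlib or from the proposed change: a plain-Python sketch of the setupToken()/checkToken() pair and of the hidden input a custom template has to render itself, with a `protected` attribute on the form triggering the check on submit. Names such as setup_token, check_token, TOKEN_FIELD, Request and Form.protected are assumptions mirroring the discussion, not the real Zope or grok API; the request and session objects are constructed stand-ins so it runs offline.

```python
import hmac
import secrets
from html import escape

# Hypothetical field name; the thread does not say what the real one is.
TOKEN_FIELD = "csrf_token"


class CSRFError(Exception):
    """Raised when a protected form is submitted without a valid token."""


class Request:
    """Constructed stand-in for a request: method, submitted fields, session."""

    def __init__(self, method, form, session):
        self.method = method
        self.form = form          # dict of submitted field name -> value
        self.session = session    # dict persisted server-side per user


def setup_token(session, field=TOKEN_FIELD):
    """Create the per-session secret on first use and return it (setupToken()).

    Generated server-side with a CSPRNG and stored only in the session, so a
    page on the attacker's origin has no way to read it.
    """
    token = session.get(field)
    if not token:
        token = secrets.token_urlsafe(32)
        session[field] = token
    return token


def render_hidden_input(session, field=TOKEN_FIELD):
    """The hidden <input> a custom template has to render 'yourself'."""
    return '<input type="hidden" name="%s" value="%s" />' % (
        escape(field), escape(setup_token(session, field)))


def check_token(session, form, field=TOKEN_FIELD):
    """Compare the submitted token with the session's (checkToken()).

    Fails closed when either side is missing and uses a constant-time
    comparison so the check cannot leak the token through timing.
    """
    expected = session.get(field)
    submitted = form.get(field)
    if not expected or not isinstance(submitted, str) or not submitted:
        return False
    return hmac.compare_digest(expected.encode("utf-8"),
                               submitted.encode("utf-8"))


class Form:
    """Tiny form base class; `protected` mirrors the attribute discussed above."""
    protected = False

    def __init__(self, request):
        self.request = request

    def render(self):
        body = ""
        if self.protected:
            body += render_hidden_input(self.request.session)
        return '<form method="post">%s<input type="submit" /></form>' % body

    def update(self):
        """Handle a submit; a protected form refuses POSTs without a valid token."""
        if self.request.method == "POST" and self.protected:
            if not check_token(self.request.session, self.request.form):
                raise CSRFError("missing or invalid CSRF token")
        return "handled"


class EditForm(Form):
    protected = True


def demo():
    """Honest round trip followed by a cross-site forgery; returns the outcomes."""
    session = {}
    # 1. Victim loads the form: token is created and embedded in the page.
    page = EditForm(Request("GET", {}, session)).render()
    token = session[TOKEN_FIELD]
    # 2. Victim submits from that page: the token round-trips and is accepted.
    honest = EditForm(Request("POST", {TOKEN_FIELD: token, "title": "ok"},
                              session)).update()
    # 3. Attacker's page auto-submits a POST riding on the victim's session
    #    cookie but cannot supply the token it never saw: rejected.
    try:
        EditForm(Request("POST", {"title": "pwned"}, session)).update()
        forged = "accepted"
    except CSRFError:
        forged = "rejected"
    return page, honest, forged


if __name__ == "__main__":
    print(demo())
```

The check is deliberately independent of the field machinery: nothing reads the token from or writes it to the context object, which is the special-casing the reply above wanted to avoid.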

Zope-Dev maillist  -  Zope-Dev@zope.org
**  No cross posts or HTML encoding!  **
(Related lists -
https://mail.zope.org/mailman/listinfo/zope )
