pypm install plone.app.protect

How to install plone.app.protect

  1. Download and install ActivePython
  2. Open Command Prompt
  3. Type pypm install plone.app.protect
Builds (Python 2.7 / Python 3.2 / Python 3.3):

  Platform            Version
  Windows (32-bit)    1.0b1 Available
  Windows (64-bit)    1.0b1 Available
  Mac OS X (10.5+)    1.0b1 Available
  Linux (32-bit)      1.0b1 Available
  Linux (64-bit)      1.0b1 Available
 
License: GPL
Dependencies: (none listed)
Depended by: (none listed)
Latest release: version 1.0b1 on Jan 5th, 2011

Introduction

This package contains utilities that can help to protect parts of Plone, or of applications built on top of the Plone framework.

protect decorator

The most common way to use plone.app.protect is through the protect decorator. This decorator takes a list of checkers as parameters: each checker will check a specific security aspect of the request. For example:

    from plone.app.protect import protect
    from plone.app.protect import PostOnly

    @protect(PostOnly)
    def SensitiveMethod(self, REQUEST=None):
        # This is only allowed with HTTP POST requests.
        pass

This relies on the protected method having a parameter called REQUEST.

HTTP POST

If you only need to allow HTTP POST requests you can use the PostOnly checker:

    from plone.app.protect import PostOnly
    from plone.app.protect import protect

    @protect(PostOnly)
    def manage_doSomething(self, param, REQUEST=None):
        pass

This checker only operates on HTTP requests; other types of requests are not checked.

Form authentication

A common problem in web applications is Cross Site Request Forgery, or CSRF. This is an attack method in which an attacker tricks a browser into submitting an HTTP form to another site. To do this the attacker needs to know the exact form parameters. Form authentication is a method that makes it impossible for an attacker to predict those parameters, by adding an extra authenticator which can be verified.

To use the form authenticator you first need to insert it into your form. This can be done using a simple TAL statement inside your form:

<span tal:replace="structure context/@@authenticator/authenticator"/>

This will produce an HTML input element with the authentication information. Next you need to add logic somewhere to verify the authenticator. This can be done using a call to the authenticator view. For example:

    # Imports added to make the snippet complete; not in the original text.
    from AccessControl import Unauthorized
    from zope.component import getMultiAdapter

    # `request` and `context` are the current request and the context object
    # of the view or method doing the check.
    authenticator = getMultiAdapter((request, context), name=u"authenticator")
    if not authenticator.verify():
        raise Unauthorized

You can do the same thing more conveniently using the protect decorator:

    from plone.app.protect import CheckAuthenticator
    from plone.app.protect import protect

    @protect(CheckAuthenticator)
    def manage_doSomething(self, param, REQUEST=None):
        pass
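To make the mechanism behind the protect decorator, the PostOnly checker and the form authenticator concrete, here is an added illustrative example written in Python 3. It is not plone.app.protect's own code: it re-implements the same pattern in miniature, with a constructed FakeRequest standing in for a Zope request, an Unauthorized stand-in exception, an HMAC-based per-user token standing in for the @@authenticator view, and the `_authenticator` field name and secret key chosen for the example. It shows why the decorator needs a parameter called REQUEST, why non-HTTP requests pass PostOnly unchecked, and why a token issued for one user does not verify for another.

```python
# Added illustrative example, not plone.app.protect's own code: a minimal
# re-implementation of the protect decorator / checker pattern described above.
# FakeRequest, the Unauthorized stand-in, the HMAC token scheme, the
# "_authenticator" field name and SECRET_KEY are all constructed for this example.
import functools
import hashlib
import hmac
import inspect
import secrets


class Unauthorized(Exception):
    """Stand-in for Zope's Unauthorized exception (assumption)."""


class FakeRequest(object):
    """Constructed stand-in for a Zope HTTP request: method, form data, user."""

    def __init__(self, method="GET", user_id="anonymous", form=None):
        self.method = method
        self.user_id = user_id
        self.form = dict(form or {})


def protect(*checkers):
    """Run each checker against the method's REQUEST argument before calling it.

    As documented, this relies on the protected method having a parameter
    called REQUEST; binding the call's arguments to the signature finds it
    whether it was passed positionally or by keyword.
    """
    def decorator(func):
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            bound = inspect.signature(func).bind(*args, **kwargs)
            bound.apply_defaults()
            request = bound.arguments.get("REQUEST")
            for checker in checkers:
                checker(request)
            return func(*args, **kwargs)
        return wrapper
    return decorator


def PostOnly(request):
    """Checker: refuse any HTTP request that is not a POST.

    Anything that is not an HTTP request (not a FakeRequest here) is left
    unchecked, mirroring the behaviour described for the real checker.
    """
    if not isinstance(request, FakeRequest):
        return
    if request.method != "POST":
        raise Unauthorized("HTTP POST required")


# Per-process secret used to derive tokens; constructed for the example.
SECRET_KEY = secrets.token_bytes(32)


class Authenticator(object):
    """Stand-in for the @@authenticator view: issues and verifies a per-user token."""

    def __init__(self, request):
        self.request = request

    def token(self):
        # HMAC over the user id: unpredictable without the key, and a token
        # issued to one user does not verify for another.
        return hmac.new(SECRET_KEY, self.request.user_id.encode("utf-8"),
                        hashlib.sha256).hexdigest()

    def authenticator(self):
        # The hidden input that the TAL statement above would insert into the form.
        return '<input type="hidden" name="_authenticator" value="%s"/>' % self.token()

    def verify(self):
        submitted = self.request.form.get("_authenticator")
        if not submitted:
            return False
        return hmac.compare_digest(submitted.encode("utf-8"),
                                   self.token().encode("utf-8"))


def CheckAuthenticator(request):
    """Checker: require a valid form authenticator on HTTP requests."""
    if not isinstance(request, FakeRequest):
        return
    if not Authenticator(request).verify():
        raise Unauthorized("form authenticator missing or invalid")


class Tool(object):
    @protect(PostOnly, CheckAuthenticator)
    def manage_doSomething(self, param, REQUEST=None):
        return "did %s" % param


def attempt(request):
    """Call the protected method and report the outcome as a string."""
    try:
        return Tool().manage_doSomething("x", REQUEST=request)
    except Unauthorized as exc:
        return "denied: %s" % exc


def signed_post(user_id):
    """Build a POST carrying the token the form rendered for this user."""
    request = FakeRequest("POST", user_id=user_id)
    request.form["_authenticator"] = Authenticator(request).token()
    return request


if __name__ == "__main__":
    print(attempt(FakeRequest("GET", user_id="alice")))   # denied: HTTP POST required
    print(attempt(FakeRequest("POST", user_id="alice")))  # denied: form authenticator missing or invalid
    print(attempt(signed_post("alice")))                  # did x
```

The checkers run in the order they are listed, so a GET is refused by PostOnly before the authenticator is ever examined, and a POST whose `_authenticator` field was copied from a form rendered for a different user is refused by CheckAuthenticator. Passing no request at all (REQUEST left at its default of None) goes through unchecked, which is the "other types of requests are not checked" behaviour described for PostOnly.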

Changelog

1.0b1 - March 7, 2008
  • Refactor the code to offer a generic protect decorator for methods which takes a list of checkers as options. Add checkers for both the authenticator verification and HTTP POST-only. [wichert]

1.0a1 - January 27, 2008
  • Initial release [wichert]

Last updated Jan 5th, 2011
