docs/classic-ui/csrf.md: 2 additions & 2 deletions
@@ -26,10 +26,10 @@ If the token is missing or invalid, the request is rejected.
26
26
## Auto protection
27
27
28
28
In Plone, CSRF protection is done almost transparently by [plone.protect](https://pypi.org/project/plone.protect/).
29
-
One important aspect of `plone.protect` is that it performs the CSRF protection check on the database transaction commit, rather than at the beginning of the request.
29
+
One important aspect of `plone.protect` is that it performs the CSRF token validation at the database transaction commit time (at the end of the request), rather than at the beginning of the request.
30
30
This means that the view can execute and make changes to the database, but the changes will not be persisted unless a valid CSRF token is present in the request.
31
31
32
-
When a logged-in user requests a page, Plone automatically includes the auth token in all forms through the application of a transform for the `plone.transformchain` that adds a hidden field with the token.
32
+
When a logged-in user requests a page, Plone automatically includes the CSRF token in all forms by applying a transform (using `plone.transformchain`) that adds a hidden field with the token.
33
33
This includes, but is not limited to the following:
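Review bot: the rewritten line 29 ("at the database transaction commit time (at the end of the request), rather than at the beginning of the request") says "request" twice and puts "at the end" and "at the beginning" back to back; consider tightening it to "at database transaction commit, i.e. at the end of the request rather than at its beginning", which keeps the point that validation happens after the view has run, the behaviour the following unchanged line ("the changes will not be persisted unless a valid CSRF token is present") depends on. The second change, "auth token" to "CSRF token" with `plone.transformchain` named in parentheses, reads well and makes the terminology consistent with the validation paragraph above it.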