Merge branch '6-dev' into install-reorg-1

stevepiercy · web-flow · commit 539f1faf4302 · 2023-01-05T14:57:11.000-08:00
diff --git a/docs/backend/behaviors.md b/docs/backend/behaviors.md
@@ -332,6 +332,10 @@ If we were to represent the behavior of choosing the correct outlet adapter in P
 
 This process of choosing the right adapter based on the information of the context and the requested interface implements the design pattern of an abstract factory.
 
+```{hint} The notation `ISchuko(context)` is a shortcut for `getAdapter(context, ISchuko)`. 
+It executes exactly the same logic behind the scenes with the same result.
+```
+
 Similarly, using the {ref}`behavior code example <behavior-code-example>` above:
 
 -   You would call an abstract factory with `getAdapter(context, IPriceBehavior)` to get an adapter, `price_for_context`.
diff --git a/docs/classic-ui/csrf.md b/docs/classic-ui/csrf.md
@@ -1,13 +1,182 @@
 ---
 myst:
   html_meta:
-    "description": ""
-    "property=og:description": ""
-    "property=og:title": ""
-    "keywords": ""
+    "description": "How to protect Plone against CSRF attacks."
+    "property=og:description": "How to protect Plone against CSRF attacks."
+    "property=og:title": "Cross-Site Request Forgery protection in Plone"
+    "keywords": "CSRF, security, token, protection, Cross-Site Request Forgery"
 ---
 
 (classic-ui-csrf-label)=
 
 # Cross-Site Request Forgery (CSRF)
 
+Cross-Site Request Forgery (CSRF or XSRF) is a type of web attack that allows an attacker to send malicious requests to a web application on behalf of a legitimate user.
+The attack works by tricking the user's web browser into sending a request to the web application that the user did not intentionally make.
+This can allow an attacker to perform actions on the web application without the user's knowledge or consent.
+
+For example, consider a web application that allows users to transfer money between accounts.
+An attacker could craft a malicious link or form that, when clicked or submitted by a victim, would transfer money from the victim's account to the attacker's account.
+If the victim is logged into the web application and clicks the link or form, the web application would receive a request to transfer the money, and it would comply with the request because it appears to come from a legitimate user.
+
+To protect against CSRF attacks, Plone uses CSRF tokens to verify the authenticity of requests.
+CSRF tokens are unique, secret values that are generated by the web application and included in forms and links.
+When a form or link with a valid CSRF token is submitted, the web application can verify the authenticity of the request by checking the token.
+If the token is missing or invalid, the request is rejected.
+
+## Auto protection
+
+In Plone, CSRF protection is done almost transparently by [`plone.protect`](https://pypi.org/project/plone.protect/).
+One important aspect of `plone.protect` is that it performs the CSRF token validation at the database transaction commit time (at the end of the request), rather than at the beginning of the request.
+This means that the view can execute and make changes to the database, but the changes will not be persisted unless a valid CSRF token is present in the request.
+
+When a logged-in user requests a page, Plone automatically includes the CSRF token in all forms by applying a transform (using `plone.transformchain`) that adds a hidden input with its value set to the token.
+This includes, but is not limited to the following:
+
+- add and edit forms
+- control panels
+- custom z3c forms
+
+## Manual protection
+
+To ensure that code that is not part of a database transaction—such as code that writes to an external API or a service that is not automatically included in the transaction mechanism—is protected, you will need to manually implement protection for that code.
+
+`plone.protect` offers the `@protect` decorator.
+The decorator expects a callable to perform the check.
+There are two checks implemented in `plone.protect`:
+
+### CSRF token check with `CheckAuthenticator`
+
+Checks whether a valid CSRF token is present in the request and raises `Unauthorized` if not.
+
+Usage example:
+
+```python
+from plone.protect import CheckAuthenticator
+from plone.protect import protect
+
+@protect(CheckAuthenticator)
+def write_to_api_or_service(self):
+    # code here
+    ...
+```
+
+### HTTP POST check with `PostOnly`
+
+Checks whether the request is an HTTP POST request, and raises `Unauthorized` if not.
+This helps to mitigate clicks on malicious links.
+
+Usage example:
+
+```python
+from plone.protect import PostOnly
+from plone.protect import protect
+
+@protect(PostOnly)
+def write_to_api_or_service(self):
+    # code here
+    ...
+```
+
+## How to add a CSRF token to a link or form
+
+To pass a CSRF token you need either to:
+
+- pass an HTTP GET parameter name `_authenticator` with the token as the value,
+- include a form field named `_authenticator` with the token as the value and submit it with the form, or
+- add an HTTP header named `X-CSRF-TOKEN` with the token as the value.
+
+To add a token as an HTTP GET parameter to a link in a template, you can utilize the authenticator view:
+
+```html
+<tal:authenticator tal:define="token context/@@authenticator/token">
+  <a href="${python:context.absolute_url()}/myprotected_view?_authenticator=${token}" >Link to some view</a>
+</tal:authenticator>
+```
+
+To add a hidden field with a token to a form in a template, the above view can be used as follows:
+
+```html
+<span tal:replace="structure context/@@authenticator/authenticator"/>
+```
+
+In Python code, a helper function can be used:
+
+```python
+from plone.protect.authenticator import createToken
+
+token = createToken()
+```
+
+To add an authenticator token to an existing URL with query parameters:
+
+```python
+from plone.protect.authenticator import createToken
+from urllib.parse import urlencode
+from urllib.parse import urlparse
+from urllib.parse import urlunparse
+
+# The existing URL that you want to add a query parameter to
+url = f"https://www.example.com?param1=value1"
+
+# Parse the URL into its component parts
+parsed_url = urlparse(url)
+
+# Add the new query parameters to the 'query' component of the URL
+token_query = urlencode({"_authenticator": createToken()})
+new_query = f"{parsed_url.query}&{token_query}"
+
+# Reassemble the URL with the updated query string
+final_url = urlunparse(
+    (
+        parsed_url.scheme,
+        parsed_url.netloc,
+        parsed_url.path,
+        parsed_url.params,
+        new_query,
+        parsed_url.fragment)
+)
+```
+
+
+## How to allow writes in absence of a protecting token
+
+To allow certain objects to be modified and written to the database without protection, follow these steps:
+
+1. Identify the modified object as a single object in the database.
+2. If an attribute of the object is a "persistent" attribute (for example, a `PersistentDict` or `PersistentList` instance, a `BTree`, or an `annotation`), use this instead.
+3. Use the `safeWrite` function to mark the object as safe for writing.
+
+```{note}
+This is the preferred method for allowing modification and writing of specific objects to the database.
+```
+
+```python
+from plone.protect.utils import safeWrite
+
+def some_function(obj, request):
+    safeWrite(obj, request)
+    obj.foo = "bar"  # modify obj
+```
+
+If there are lots of modifications or it is not possible to identify the boundaries of the writes, the protection can be disabled for the whole current request.
+Then the request can be marked with the `IDisableCSRFProtection` marker interface.
+
+```python
+from plone.protect.interfaces import IDisableCSRFProtection
+from zope.interface import alsoProvides
+
+def some_function(request):
+    alsoProvides(request, IDisableCSRFProtection)
+    # modify the database here
+```
+
+Disabling all CSRF protection for the whole Plone instance is possible by starting Plone with the environment variable `PLONE_CSRF_DISABLED=true` set.
+This is not recommended but can be handy temporarily in special situations.
+
+
+## Further reading
+
+```{seealso}
+The [README file of `plone.protect`](https://github.com/plone/plone.protect/blob/master/README.rst) explains the usage and also validation in detail.
+```
diff --git a/docs/glossary.md b/docs/glossary.md
@@ -34,6 +34,13 @@ cookiecutter-plone-starter
 cookiecutter-zope-instance
     [cookiecutter-zope-instance](https://github.com/plone/cookiecutter-zope-instance) is a cookiecutter template to create a full and complex configuration of a Zope WSGI instance.
 
+CSRF
+Cross-Site Request Forgery
+    Cross-Site Request Forgery (CSRF or XSRF) is a type of web attack that allows an attacker to send malicious requests to a web application on behalf of a legitimate user.
+    The attack works by tricking the user's web browser into sending a request to the web application that the user did not intentionally make.
+    This can allow an attacker to perform actions on the web application without the user's knowledge or consent.
+    In Plone, CSRF protection is done almost transparently by [`plone.protect`](https://pypi.org/project/plone.protect/).
+
 CSS
     Cascading Style Sheets (CSS) is a stylesheet language used for describing the (most of the times visual) representation of web pages.
 
@@ -411,7 +418,7 @@ Internationalization
     Developers and template authors usually internationalize the application.
     "i18n" is shorthand for "internationalization" (the letter "I", 18 letters, the letter "N").
     Plone is fully internationalized.
-    
+
     ```{seealso}
     {term}`localization`
     ```
@@ -436,7 +443,7 @@ language tag
     A language tag is a string used as an identifier for a language.
     A language tag may have one or more subtags.
     The basic form of a language tag is `LANGUAGE-[SUBTAG]`.
-    
+
     ```{seealso}
     -   W3C article [Language tags in HTML and XML](https://www.w3.org/International/articles/language-tags/)
     -   W3C Working Draft [Language Tags and Locale Identifiers for the World Wide Web](https://www.w3.org/TR/ltli/)
@@ -480,7 +487,7 @@ react-intl
     A library that is part of [Format.JS](https://formatjs.io/docs/getting-started/installation) which helps developers set up their applications for internationalization.
 
 WSGI
-    The Web Server Gateway Interface (WSGI, pronounced _WIZ-ghee_) is a simple calling convention for web servers to forward requests to web applications or frameworks written in the Python programming language. 
+    The Web Server Gateway Interface (WSGI, pronounced _WIZ-ghee_) is a simple calling convention for web servers to forward requests to web applications or frameworks written in the Python programming language.
 
 ZEO
     [ZEO](https://zeo.readthedocs.io/en/latest/) is a client-server storage for ZODB for sharing a single storage among many clients.
@@ -565,7 +572,7 @@ Factory Type Information
     -   Whether discussion is enabled.
     -   Providing the `factory_type_information` dictionary.
         This is used elsewhere in the code (often in `__init__.py` of a product) to set the initial values for a ZODB Factory Type Information object (an object in the `portal_types` tool).
-    
+
     ```{seealso}
     [`FactoryTypeInformation` class source code](https://github.com/zopefoundation/Products.CMFCore/blob/361a30e0c72a15a21f88433b8d5fc49331f36728/src/Products/CMFCore/TypesTool.py#L431)
     ```
