From b2ee16478c489f3650a7a23b927b424da7453810 Mon Sep 17 00:00:00 2001
From: Rodrigo Ferreira de Souza <rodfersou@gmail.com>
Date: Tue, 1 Mar 2016 18:15:34 -0300
Subject: [PATCH 1/3] Implement CSRF protection

---
 CHANGES.rst                                         |  4 ++++
 buildout.cfg                                        |  3 +++
 src/collective/cover/browser/templates/compose.pt   |  1 +
 .../cover/browser/templates/layoutedit.pt           |  2 +-
 src/collective/cover/static/js/compose.js           |  4 ++++
 src/collective/cover/static/js/contentchooser.js    | 13 +++++++++++++
 .../cover/static/js/galleria.cover_theme.js         |  2 ++
 src/collective/cover/static/js/layout_base.js       |  2 ++
 src/collective/cover/static/js/layout_edit.js       |  8 +++++++-
 src/collective/cover/testing.py                     |  3 +++
 src/collective/cover/tests/cover.robot              |  8 +++++++-
 src/collective/cover/tests/test_banner_tile.robot   |  1 +
 src/collective/cover/tests/test_basic_tile.robot    |  1 +
 src/collective/cover/tests/test_carousel_tile.robot |  1 +
 .../cover/tests/test_collection_tile.robot          |  1 +
 .../cover/tests/test_contentbody_tile.robot         |  3 +++
 .../cover/tests/test_contentchooser.robot           |  4 +++-
 src/collective/cover/tests/test_cover.robot         |  2 ++
 src/collective/cover/tests/test_css_class.robot     |  1 +
 .../tests/test_drag_and_drop_among_tiles.robot      |  1 +
 src/collective/cover/tests/test_embed_tile.robot    |  1 +
 src/collective/cover/tests/test_file_tile.robot     |  1 +
 src/collective/cover/tests/test_layout.robot        |  1 +
 src/collective/cover/tests/test_list_tile.robot     |  1 +
 src/collective/cover/tests/test_locked_cover.robot  |  2 ++
 src/collective/cover/tests/test_reverse_proxy.robot |  1 +
 src/collective/cover/tests/test_richtext_tile.robot |  1 +
 .../cover/tests/test_searchabletext_indexer.robot   |  3 +++
 versions-4.2.x.cfg                                  |  6 ++++++
 versions-4.3.x.cfg                                  |  6 ++++++
 30 files changed, 84 insertions(+), 4 deletions(-)

diff --git a/CHANGES.rst b/CHANGES.rst
index 8b84e3e64..5b3c5e87d 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -6,6 +6,9 @@ There's a frood who really knows where his towel is.
 1.1b2 (unreleased)
 ^^^^^^^^^^^^^^^^^^
 
+- Implement CSRF protection (closes `#590`_).
+  [rodfersou]
+
 - Handle `AssertionError` on upgrade step to profile 13 to avoid failures when a cover object has duplicated tiles on it.
   Now, an error message will be logged and the object will be skipped;
   you must manually remove the duplicated tiles (closes #619).
@@ -86,4 +89,5 @@ Previous entries can be found in the HISTORY.rst file.
 .. _`#578`: https://github.com/collective/collective.cover/issues/578
 .. _`#581`: https://github.com/collective/collective.cover/issues/581
 .. _`#584`: https://github.com/collective/collective.cover/issues/584
+.. _`#590`: https://github.com/collective/collective.cover/issues/590
 .. _`#608`: https://github.com/collective/collective.cover/issues/608
diff --git a/buildout.cfg b/buildout.cfg
index d67217f97..f9a787a39 100644
--- a/buildout.cfg
+++ b/buildout.cfg
@@ -18,6 +18,9 @@ parts +=
     rebuild_i18n-sh
     robot
 
+test-eggs +=
+    plone4.csrffixes
+
 [checkversions]
 recipe = zc.recipe.egg
 eggs = z3c.checkversions [buildout]
diff --git a/src/collective/cover/browser/templates/compose.pt b/src/collective/cover/browser/templates/compose.pt
index 22e8a999f..ee7814033 100644
--- a/src/collective/cover/browser/templates/compose.pt
+++ b/src/collective/cover/browser/templates/compose.pt
@@ -34,6 +34,7 @@
         tal:replace="structure layout/render_compose" />
     <div class="content-contentchooser"
         tal:replace="structure context/@@select-content-contentchooser" />
+    <form id="cover-compose-form" method="POST"></form>
 </metal:main>
 
 </body>
diff --git a/src/collective/cover/browser/templates/layoutedit.pt b/src/collective/cover/browser/templates/layoutedit.pt
index 11cf53cac..57ca0ac39 100644
--- a/src/collective/cover/browser/templates/layoutedit.pt
+++ b/src/collective/cover/browser/templates/layoutedit.pt
@@ -69,7 +69,7 @@
                 <div id="export-layout" class="modal hide" tal:condition="can_export_layout">
                     <h1 class="documentFirstHeading">Export Layout</h1>
                     <p class="discreen">Save a copy of this layout under a new name</p>
-                    <form action="." tal:attributes="action request/URL" method="post"
+                    <form id="cover-layout-form" tal:attributes="action request/URL" method="post"
                           enctype="multipart/form-data">
                         <div class="modal-fields">
                             <label for="layout-name" i18n:translate="">Layout name</label>
diff --git a/src/collective/cover/static/js/compose.js b/src/collective/cover/static/js/compose.js
index 81e3f0a3d..6a7706862 100644
--- a/src/collective/cover/static/js/compose.js
+++ b/src/collective/cover/static/js/compose.js
@@ -26,9 +26,11 @@ function removeObjFromTile() {
     tile.find('.loading-mask').addClass('show remove-tile');
     var tile_type = tile.attr("data-tile-type");
     var tile_id = tile.attr("id");
+    var authenticator = $('#cover-compose-form input[name="_authenticator"]').val();
     $.ajax({
       url: "@@removeitemfromlisttile",
       data: {
+        '_authenticator': authenticator,
         'tile-type': tile_type,
         'tile-id': tile_id,
         'uuid': uuid
@@ -73,9 +75,11 @@ $(document).ready(function() {
       var tile = $(this).closest('.tile');
       var tile_type = tile.attr("data-tile-type");
       var tile_id = tile.attr("id");
+      var authenticator = $('#cover-compose-form input[name="_authenticator"]').val();
       $.ajax({
         url: "@@updatelisttilecontent",
         data: {
+          '_authenticator': authenticator,
           'tile-type': tile_type,
           'tile-id': tile_id,
           'uuids': uuids
diff --git a/src/collective/cover/static/js/contentchooser.js b/src/collective/cover/static/js/contentchooser.js
index 17211ffd7..06294d8d9 100644
--- a/src/collective/cover/static/js/contentchooser.js
+++ b/src/collective/cover/static/js/contentchooser.js
@@ -226,7 +226,9 @@ var coveractions = {
     var url = $("#contentchooser-content-search-button").attr("data-url");
     var queryVal = $("#contentchooser-content-search-input").val();
     var nextpage = parseInt($ul.attr('data-nextpage'), 10);
+    var authenticator = $('#cover-compose-form input[name="_authenticator"]').val();
     var data = {
+      '_authenticator': authenticator,
       'q': queryVal,
       'page': nextpage
     };
@@ -263,7 +265,9 @@ var coveractions = {
     timeoutIDs = [];
     $('#ajax-spinner').hide();
     var timeoutID = setTimeout(function() {
+      var authenticator = $('#cover-compose-form input[name="_authenticator"]').val();
       var data = {
+        '_authenticator': authenticator,
         'q': queryVal,
         'page': page
       };
@@ -329,8 +333,12 @@ var coveractions = {
 
     $(document).on("click", "#recent .contentchooser-clear", function(e) {
       $(e.currentTarget).prev().children("input").val("");
+      var authenticator = $('#cover-compose-form input[name="_authenticator"]').val();
       ajaxSearchRequest.push($.ajax({
         url: portal_url + "/@@content-search",
+        data: {
+          '_authenticator': authenticator
+        },
         success: function(info) {
           $("#contentchooser-content-search #recent .item-list").html(info);
           $('#recent .filter-count').text("");
@@ -414,6 +422,7 @@ var coveractions = {
         var origin_has_subitem = $origin.attr('data-has-subitem') === 'True';
         var draggable_uuid = $draggable.attr('data-content-uuid');
         var draggable_type = $draggable.attr('data-content-type');
+        var authenticator = $('#cover-compose-form input[name="_authenticator"]').val();
         if (target_id === draggable_id) {
           return false;
         }
@@ -426,6 +435,7 @@ var coveractions = {
               $.ajax({
                 url: "@@removeitemfromlisttile",
                 data: {
+                  '_authenticator': authenticator,
                   'tile-type': origin_type,
                   'tile-id': draggable_id,
                   'uuid': draggable_uuid
@@ -452,6 +462,7 @@ var coveractions = {
           $.ajax({
             url: '@@movetilecontent',
             data: {
+              '_authenticator': authenticator,
               'origin-type': origin_type,
               'origin-id': draggable_id,
               'target-type': target_type,
@@ -468,6 +479,7 @@ var coveractions = {
               $.ajax({
                 url: '@@updatetile',
                 data: {
+                  '_authenticator': authenticator,
                   'tile-type': origin_type,
                   'tile-id': draggable_id,
                 },
@@ -499,6 +511,7 @@ var coveractions = {
           $.ajax({
             url: '@@updatetilecontent',
             data: {
+              '_authenticator': authenticator,
               'tile-type': target_type,
               'tile-id': target_id,
               'uuid': draggable_uuid
diff --git a/src/collective/cover/static/js/galleria.cover_theme.js b/src/collective/cover/static/js/galleria.cover_theme.js
index 8b186524c..8680afb27 100644
--- a/src/collective/cover/static/js/galleria.cover_theme.js
+++ b/src/collective/cover/static/js/galleria.cover_theme.js
@@ -93,9 +93,11 @@ var rm_button = function(data) {
             tile.find('.loading-mask').addClass('show remove-tile');
             var tile_type = "collective.cover.carousel";
             var tile_id = tile.attr("id");
+            var authenticator = $('#cover-compose-form input[name="_authenticator"]').val();
             $.ajax({
               url: "@@removeitemfromlisttile",
               data: {
+                '_authenticator': authenticator,
                 'tile-type': tile_type,
                 'tile-id': tile_id,
                 'uuid': uuid
diff --git a/src/collective/cover/static/js/layout_base.js b/src/collective/cover/static/js/layout_base.js
index 98c23952c..e288beb82 100644
--- a/src/collective/cover/static/js/layout_base.js
+++ b/src/collective/cover/static/js/layout_base.js
@@ -8,6 +8,7 @@ $(document).ready(function() {
       event.preventDefault();
       json = layout.layoutmanager().html2json(layout);
       var $this = $(this);
+      var authenticator = $('#cover-layout-form input[name="_authenticator"]').val();
       $this.removeClass(function(index, css) {
         return (css.match(/\bbtn-\S+/g) || []).join(' ');
       });
@@ -15,6 +16,7 @@ $(document).ready(function() {
       $.ajax({
         'url': '@@save_layout',
         'data': {
+          '_authenticator': authenticator,
           'cover_layout': JSON.stringify(json)
         },
         'type': 'POST',
diff --git a/src/collective/cover/static/js/layout_edit.js b/src/collective/cover/static/js/layout_edit.js
index dda09b05e..f8dead9bf 100644
--- a/src/collective/cover/static/js/layout_edit.js
+++ b/src/collective/cover/static/js/layout_edit.js
@@ -306,10 +306,12 @@
           //XXX are you sure
           tiles_to_delete.each(function() {
             var $this = $(this);
+            var authenticator = $('#cover-compose-form input[name="_authenticator"]').val();
 
             $.ajax({
               url: 'deletetile',
               data: {
+                '_authenticator': authenticator,
                 'tile-type': $this.data('tileType'),
                 'tile-id': $(this).attr('id')
               },
@@ -502,7 +504,9 @@
           e.preventDefault();
           var url = $("#configure_tile").attr("action");
           var data = $("#configure_tile").serialize();
-          data = data + '&buttons.save=Save&ajax_load=true';
+          var authenticator = $('#cover-compose-form input[name="_authenticator"]').val();
+          data += '&buttons.save=Save&ajax_load=true';
+          data += '&_authenticator=' + authenticator;
           $.ajax({
             type: 'POST',
             url: url,
@@ -525,11 +529,13 @@
         $(document).on("click", ".config-tile-link", function(e) {
           e.preventDefault();
           var url = $(this).attr("href");
+          var authenticator = $('#cover-compose-form input[name="_authenticator"]').val();
           $('#tile-configure').modal();
           $.ajax({
             type: 'GET',
             url: url,
             data: {
+              '_authenticator': authenticator,
               'ajax_load': true
             },
             success: function(data) {
diff --git a/src/collective/cover/testing.py b/src/collective/cover/testing.py
index 27e69d51c..61b984bd0 100644
--- a/src/collective/cover/testing.py
+++ b/src/collective/cover/testing.py
@@ -136,6 +136,9 @@ def setUpZope(self, app, configurationContext):
                 self.loadZCML(package=Products.PloneFormGen)
                 z2.installProduct(app, 'Products.PloneFormGen')
 
+            import plone4.csrffixes
+            self.loadZCML(package=plone4.csrffixes)
+
         import collective.cover
         self.loadZCML(package=collective.cover)
 
diff --git a/src/collective/cover/tests/cover.robot b/src/collective/cover/tests/cover.robot
index 78999fea0..10e4aefd2 100644
--- a/src/collective/cover/tests/cover.robot
+++ b/src/collective/cover/tests/cover.robot
@@ -22,6 +22,7 @@ ${column_drop_area_selector} =  div.cover-row
 ${tile_drop_area_selector} =  div.cover-column
 ${tile_cancel_area_selector} =  div.modal-backdrop
 ${delete_tile_selector} =  button.close
+${confirm_action_selector} =  input.standalone
 ${CONTENT_CHOOSER_SELECTOR} =  div#contentchooser-content-search
 
 *** Keywords ***
@@ -37,9 +38,14 @@ Start Browser and Log In as Site Owner
     Log In As Site Owner
     Click Link  link=Home
 
+Go to homepage
+    Go to  ${PLONE_URL}
+    Wait Until Page Contains Element  css=${confirm_action_selector}
+    Click Element  css=${confirm_action_selector}
+    Page Should Contain  Plone site
+
 Setup Cover Test Case
     Start Browser and Log In as Site Owner
-    Go to Homepage
 
 Click Add Cover
     Open Add New Menu
diff --git a/src/collective/cover/tests/test_banner_tile.robot b/src/collective/cover/tests/test_banner_tile.robot
index 076ad1ada..c2d3d54ed 100644
--- a/src/collective/cover/tests/test_banner_tile.robot
+++ b/src/collective/cover/tests/test_banner_tile.robot
@@ -27,6 +27,7 @@ Test Banner Tile
     # XXX: test is randomly failing under Plone 4.2 only
     Run keyword if  '${CMFPLONE_VERSION}' >= '4.3'  Remove Tags  Mandelbug
 
+    Set Library Search Order  cover
     Enable Autologin as  Site Administrator
     Go to Homepage
     Create Cover  Title  Description
diff --git a/src/collective/cover/tests/test_basic_tile.robot b/src/collective/cover/tests/test_basic_tile.robot
index c69ce868c..bc34180a2 100644
--- a/src/collective/cover/tests/test_basic_tile.robot
+++ b/src/collective/cover/tests/test_basic_tile.robot
@@ -31,6 +31,7 @@ Test Basic Tile
     # XXX: test is randomly failing under Plone 4.2 only
     Run keyword if  '${CMFPLONE_VERSION}' >= '4.3'  Remove Tags  Mandelbug
 
+    Set Library Search Order  cover
     Enable Autologin as  Site Administrator
     Go to Homepage
     Create Cover  Title  Description
diff --git a/src/collective/cover/tests/test_carousel_tile.robot b/src/collective/cover/tests/test_carousel_tile.robot
index 852697e09..677647859 100644
--- a/src/collective/cover/tests/test_carousel_tile.robot
+++ b/src/collective/cover/tests/test_carousel_tile.robot
@@ -30,6 +30,7 @@ Get Total Carousel Images
 *** Test cases ***
 
 Test Carousel Tile
+    Set Library Search Order  cover
     Enable Autologin as  Site Administrator
     Go to Homepage
     Create Cover  Title  Description
diff --git a/src/collective/cover/tests/test_collection_tile.robot b/src/collective/cover/tests/test_collection_tile.robot
index e77c7b873..154e364b4 100644
--- a/src/collective/cover/tests/test_collection_tile.robot
+++ b/src/collective/cover/tests/test_collection_tile.robot
@@ -29,6 +29,7 @@ Test Collection Tile
     # XXX: test is randomly failing under Plone 4.2 only
     Run keyword if  '${CMFPLONE_VERSION}' >= '4.3'  Remove Tags  Mandelbug
 
+    Set Library Search Order  cover
     Enable Autologin as  Site Administrator
     Go to Homepage
     Create Cover  My Cover  Description
diff --git a/src/collective/cover/tests/test_contentbody_tile.robot b/src/collective/cover/tests/test_contentbody_tile.robot
index 820709567..2004097a8 100644
--- a/src/collective/cover/tests/test_contentbody_tile.robot
+++ b/src/collective/cover/tests/test_contentbody_tile.robot
@@ -19,6 +19,9 @@ ${document_body}  body.portaltype-document
 *** Test cases ***
 
 Test Content Body Tile
+    [Tags]  issue_580
+
+    Set Library Search Order  cover
     Enable Autologin as  Site Administrator
     Go to Homepage
     Create Cover  My Cover  Description
diff --git a/src/collective/cover/tests/test_contentchooser.robot b/src/collective/cover/tests/test_contentchooser.robot
index d3462a888..036a3d83c 100644
--- a/src/collective/cover/tests/test_contentchooser.robot
+++ b/src/collective/cover/tests/test_contentchooser.robot
@@ -18,6 +18,7 @@ ${tile_selector}  div.tile-container div.tile
 *** Test cases ***
 
 Test Content Chooser
+    Set Library Search Order  cover
     Enable Autologin as  Site Administrator
     Go to Homepage
     Create Cover  Title  Description
@@ -44,7 +45,7 @@ Test Content Chooser
     Click Element  css=#recent ${contentchooser_search_clear}
 
     Click Element  link=Content tree
-    Wait Until Page Contains  Plone site
+    Sleep  2s  Wait for content tree to load
 
     # make a search on Content tree
     Input Text  css=#content-trees input  file
@@ -53,6 +54,7 @@ Test Content Chooser
     # navigate the tree
     Click Element  css=#content-trees ${contentchooser_search_clear}
     Input Text  css=#content-trees input  file
+    Sleep  2s  Wait for content tree to load
     Wait Until Page Contains  1 Results
     Page Should Contain Element  css=${file_selector}
     # TODO: Refactor this test before https://github.com/collective/collective.cover/issues/508
diff --git a/src/collective/cover/tests/test_cover.robot b/src/collective/cover/tests/test_cover.robot
index e94e87577..13153c358 100644
--- a/src/collective/cover/tests/test_cover.robot
+++ b/src/collective/cover/tests/test_cover.robot
@@ -9,6 +9,7 @@ Test Teardown  Close all browsers
 *** Test cases ***
 
 Test CRUD
+    Set Library Search Order  cover
     Enable Autologin as  Site Administrator
     Go to Homepage
 
@@ -17,6 +18,7 @@ Test CRUD
     Delete
 
 Test renderBase
+    Set Library Search Order  cover
     Enable Autologin as  Site Administrator
     Goto Homepage
 
diff --git a/src/collective/cover/tests/test_css_class.robot b/src/collective/cover/tests/test_css_class.robot
index f0187f3e9..59156eead 100644
--- a/src/collective/cover/tests/test_css_class.robot
+++ b/src/collective/cover/tests/test_css_class.robot
@@ -18,6 +18,7 @@ ${tile_class}  div.cover-tile
 *** Test cases ***
 
 Test CSS Class
+    Set Library Search Order  cover
     Enable Autologin as  Site Administrator
     Go to Homepage
 
diff --git a/src/collective/cover/tests/test_drag_and_drop_among_tiles.robot b/src/collective/cover/tests/test_drag_and_drop_among_tiles.robot
index 8bb7319b5..3a5a2fc25 100644
--- a/src/collective/cover/tests/test_drag_and_drop_among_tiles.robot
+++ b/src/collective/cover/tests/test_drag_and_drop_among_tiles.robot
@@ -22,6 +22,7 @@ ${list_tile_selector}  [data-tile-type=collective\\.cover\\.list]
 Test Drag And Drop Among Tiles
     [Tags]  Expected Failure
 
+    Set Library Search Order  cover
     Enable Autologin as  Site Administrator
     Go to Homepage
     Create Cover  Title  Description
diff --git a/src/collective/cover/tests/test_embed_tile.robot b/src/collective/cover/tests/test_embed_tile.robot
index 643838efd..c9ae92d6d 100644
--- a/src/collective/cover/tests/test_embed_tile.robot
+++ b/src/collective/cover/tests/test_embed_tile.robot
@@ -24,6 +24,7 @@ Test Embed Tile
     # XXX: test is randomly failing under Plone 4.2 only
     Run keyword if  '${CMFPLONE_VERSION}' >= '4.3'  Remove Tags  Mandelbug
 
+    Set Library Search Order  cover
     Enable Autologin as  Site Administrator
     Go to Homepage
     Create Cover  Title  Description
diff --git a/src/collective/cover/tests/test_file_tile.robot b/src/collective/cover/tests/test_file_tile.robot
index ce4974634..b6d378d7c 100644
--- a/src/collective/cover/tests/test_file_tile.robot
+++ b/src/collective/cover/tests/test_file_tile.robot
@@ -24,6 +24,7 @@ Test File Tile
     # XXX: test is randomly failing under Plone 4.2 only
     Run keyword if  '${CMFPLONE_VERSION}' >= '4.3'  Remove Tags  Mandelbug
 
+    Set Library Search Order  cover
     Enable Autologin as  Site Administrator
     Go to Homepage
     Create Cover  Title  Description
diff --git a/src/collective/cover/tests/test_layout.robot b/src/collective/cover/tests/test_layout.robot
index 13749b71e..3fb5d0b24 100644
--- a/src/collective/cover/tests/test_layout.robot
+++ b/src/collective/cover/tests/test_layout.robot
@@ -14,6 +14,7 @@ ${tile_class} =  div.cover-tile
 *** Test cases ***
 
 Test Basic Layout Operations
+    Set Library Search Order  cover
     Enable Autologin as  Site Administrator
     Go to Homepage
 
diff --git a/src/collective/cover/tests/test_list_tile.robot b/src/collective/cover/tests/test_list_tile.robot
index ed1830740..ab2d75d67 100644
--- a/src/collective/cover/tests/test_list_tile.robot
+++ b/src/collective/cover/tests/test_list_tile.robot
@@ -22,6 +22,7 @@ ${last_item}   .list-item:last-child
 *** Test cases ***
 
 Test List Tile
+    Set Library Search Order  cover
     Enable Autologin as  Site Administrator
     Go to Homepage
 
diff --git a/src/collective/cover/tests/test_locked_cover.robot b/src/collective/cover/tests/test_locked_cover.robot
index c573ed56a..f83f28fdb 100644
--- a/src/collective/cover/tests/test_locked_cover.robot
+++ b/src/collective/cover/tests/test_locked_cover.robot
@@ -19,6 +19,7 @@ ${tile_selector}  div.tile-container div.tile
 *** Test Cases ***
 
 Test Locked Cover
+    Set Library Search Order  keywords
     Log in as site owner
     Goto Homepage
     Create Cover  My Cover  Description
@@ -38,6 +39,7 @@ Test Locked Cover
     Click Link  link=My Cover
     Compose Cover
 
+    Set Library Search Order  cover
     # open a new browser to simulate a 2-user interaction
     Open Browser  ${ALT_PLONE_URL}
     Enable Autologin as  Site Administrator
diff --git a/src/collective/cover/tests/test_reverse_proxy.robot b/src/collective/cover/tests/test_reverse_proxy.robot
index 7777d8925..3f6aaa45e 100644
--- a/src/collective/cover/tests/test_reverse_proxy.robot
+++ b/src/collective/cover/tests/test_reverse_proxy.robot
@@ -15,6 +15,7 @@ ${basic_tile_location}  'collective.cover.basic'
 *** Test cases ***
 
 Test Reverse Proxy
+    Set Library Search Order  cover
     Enable Autologin as  Site Administrator
     Go to Homepage
 
diff --git a/src/collective/cover/tests/test_richtext_tile.robot b/src/collective/cover/tests/test_richtext_tile.robot
index ea30dbc73..4fc94435f 100644
--- a/src/collective/cover/tests/test_richtext_tile.robot
+++ b/src/collective/cover/tests/test_richtext_tile.robot
@@ -16,6 +16,7 @@ ${edit_link_selector}  a.edit-tile-link
 *** Test cases ***
 
 Test RichText Tile
+    Set Library Search Order  cover
     Enable Autologin as  Site Administrator
     Go to Homepage
 
diff --git a/src/collective/cover/tests/test_searchabletext_indexer.robot b/src/collective/cover/tests/test_searchabletext_indexer.robot
index d28a4c068..fecd5c6a1 100644
--- a/src/collective/cover/tests/test_searchabletext_indexer.robot
+++ b/src/collective/cover/tests/test_searchabletext_indexer.robot
@@ -25,6 +25,9 @@ ${search_results_number_selector}  xpath=//strong[@id='search-results-number']
 *** Test cases ***
 
 Test RichTextTile is Searchable
+    [Tags]  issue_580
+
+    Set Library Search Order  cover
     Enable Autologin as  Site Administrator
     Go to Homepage
 
diff --git a/versions-4.2.x.cfg b/versions-4.2.x.cfg
index 6405e78bd..77322e725 100644
--- a/versions-4.2.x.cfg
+++ b/versions-4.2.x.cfg
@@ -18,3 +18,9 @@ plone.directives.form = 1.1
 # for testing
 funcsigs = 0.4
 mock = 1.0.1
+
+# CSRF Fixes
+plone.keyring = 3.0.1
+plone.locking = 2.0.9
+plone.protect = 3.0.16
+plone4.csrffixes = 1.0.9
diff --git a/versions-4.3.x.cfg b/versions-4.3.x.cfg
index cf1e467bc..b3f9a572b 100644
--- a/versions-4.3.x.cfg
+++ b/versions-4.3.x.cfg
@@ -13,3 +13,9 @@ plone.app.jquery = 1.7.2
 
 # remove unassociated template warnings
 grokcore.view = 2.9
+
+# CSRF Fixes
+plone.keyring = 3.0.1
+plone.locking = 2.0.9
+plone.protect = 3.0.16
+plone4.csrffixes = 1.0.9

From 3bbed13eebadc8e194f12d583ed228eb52bc0746 Mon Sep 17 00:00:00 2001
From: idgserpro <idg@serpro.gov.br>
Date: Fri, 15 Apr 2016 10:49:07 -0300
Subject: [PATCH 2/3] Fix tests after rebase.

Fix some broken builds:

https://travis-ci.org/collective/collective.cover/builds/128352379
https://travis-ci.org/collective/collective.cover/builds/128367247
https://travis-ci.org/collective/collective.cover/builds/128375390

Errors:

KEYWORD BuiltIn . Sleep 2s, Wait for content tree to load
Documentation:
Pauses the test executed for the given time.
Start / End / Elapsed:	20160418 15:49:18.810 / 20160418 15:49:20.813 / 00:00:02.003
15:49:20.812	INFO	Slept 2 seconds
15:49:20.812	INFO	Wait for content tree to load
00:00:00.581KEYWORD Selenium2Library . Input Text css=#content-trees input, file

Documentation:
Types the given `text` into text field identified by `locator`.
Start / End / Elapsed:	20160418 15:49:20.813 / 20160418 15:49:21.394 / 00:00:00.581
00:00:00.060KEYWORD Selenium2Library . Capture Page Screenshot
15:49:20.814	INFO	Typing text 'file' into text field 'css=#content-trees input'
15:49:21.394	FAIL	ElementNotVisibleException: Message: Element is not currently visible and so may not be interacted with
---
 src/collective/cover/tests/cover.robot        | 17 +++++++++---
 .../cover/tests/test_contentchooser.robot     |  3 +++
 .../cover/tests/test_link_integrity.robot     | 26 ++++++++++++++++---
 3 files changed, 39 insertions(+), 7 deletions(-)

diff --git a/src/collective/cover/tests/cover.robot b/src/collective/cover/tests/cover.robot
index 10e4aefd2..671b57a7f 100644
--- a/src/collective/cover/tests/cover.robot
+++ b/src/collective/cover/tests/cover.robot
@@ -38,11 +38,22 @@ Start Browser and Log In as Site Owner
     Log In As Site Owner
     Click Link  link=Home
 
+# BBB: This needs to be customized to handle both Plone 4.2 and 4.3.
+# In Plone 4.2, we still have the confirm action button that it's gone in 4.3.
+# Customized from
+# https://github.com/plone/plone.app.robotframework/blob/9ab289c5b93c2aa1acb6078b955694ad458d9c3b/src/plone/app/robotframework/keywords.robot#L53
 Go to homepage
+
+    # Both.
     Go to  ${PLONE_URL}
-    Wait Until Page Contains Element  css=${confirm_action_selector}
-    Click Element  css=${confirm_action_selector}
-    Page Should Contain  Plone site
+
+    # Plone 4.2.
+    Run keyword if  '${CMFPLONE_VERSION}' < '4.3'  Wait Until Page Contains Element  css=${confirm_action_selector}
+    Run keyword if  '${CMFPLONE_VERSION}' < '4.3'  Click Element  css=${confirm_action_selector}
+    Run keyword if  '${CMFPLONE_VERSION}' < '4.3'  Page Should Contain  Plone site
+
+    # Plone >= 4.3.
+    Run keyword if  '${CMFPLONE_VERSION}' >= '4.3'  Wait until location is  ${PLONE_URL}
 
 Setup Cover Test Case
     Start Browser and Log In as Site Owner
diff --git a/src/collective/cover/tests/test_contentchooser.robot b/src/collective/cover/tests/test_contentchooser.robot
index 036a3d83c..03ac0ac44 100644
--- a/src/collective/cover/tests/test_contentchooser.robot
+++ b/src/collective/cover/tests/test_contentchooser.robot
@@ -39,13 +39,16 @@ Test Content Chooser
 
     # make a search on Recent items
     Click Element  link=Recent items
+    Wait Until Element Is Visible  css=#contentchooser-content-search-input
     Input Text  css=#recent input  folder
     # FIXME: we have no result counter in here
     #Wait Until Page Contains  1 Results
     Click Element  css=#recent ${contentchooser_search_clear}
+    Sleep  4s  Wait for complete ajax call @@content-search for cleaning
 
     Click Element  link=Content tree
     Sleep  2s  Wait for content tree to load
+    Wait Until Element Is Visible  css=#contentchooser-content-trees
 
     # make a search on Content tree
     Input Text  css=#content-trees input  file
diff --git a/src/collective/cover/tests/test_link_integrity.robot b/src/collective/cover/tests/test_link_integrity.robot
index e2333c7a8..cadc3242e 100644
--- a/src/collective/cover/tests/test_link_integrity.robot
+++ b/src/collective/cover/tests/test_link_integrity.robot
@@ -22,7 +22,14 @@ ${edit_link_selector}  a.edit-tile-link
 Test Link Integrity on Basic Tile
     [Tags]  issue_615
     Enable Autologin as  Manager
-    Go to Homepage
+    # BBB: "Go to Homepage" keyword is customized to give support to Plone 4.2.
+    # In other tests, to say that customized keywords in collective.cover have
+    # precedence instead of plone.app.robotframework (like in test_banner_tile)
+    # "Set Library Search Order  cover" is used instead of using 'cover.'
+    # prefix below. Here we use the prefix because the second "Go to Homepage"
+    # call, indeed, is to use the one from plone.app.robotframework since we
+    # don't have the "Confirm" action button for CSRF.
+    cover.Go to Homepage
     Create Cover  Title  Description
 
     # add tile to the layout
@@ -37,7 +44,9 @@ Test Link Integrity on Basic Tile
     Page Should Contain  My document
 
     # a warning is shown when trying to delete the document
-    Go to Homepage
+    # BBB: Check "cover.Go to Homepage" explanation above to understand the
+    # prefix usage.
+    keywords.Go to Homepage
     Click Link  link=My document
     Click Delete Action
     Page Should Contain  Potential link breakage
@@ -46,7 +55,14 @@ Test Link Integrity on Basic Tile
 Test Link Integrity on RichText Tile
     [Tags]  issue_615
     Enable Autologin as  Manager
-    Go to Homepage
+    # BBB: "Go to Homepage" keyword is customized to give support to Plone 4.2.
+    # In other tests, to say that customized keywords in collective.cover have
+    # precedence instead of plone.app.robotframework (like in test_banner_tile)
+    # "Set Library Search Order  cover" is used instead of using 'cover.'
+    # prefix below. Here we use the prefix because the second "Go to Homepage"
+    # call, indeed, is to use the one from plone.app.robotframework since we
+    # don't have the "Confirm" action button for CSRF.
+    cover.Go to Homepage
     Create Cover  Title  Description
 
     # add tile to the layout
@@ -61,7 +77,9 @@ Test Link Integrity on RichText Tile
     Edit RichText Tile  ${html}
 
     # a warning is shown when trying to delete the document
-    Go to Homepage
+    # BBB: Check "cover.Go to Homepage" explanation above to understand the
+    # prefix usage.
+    keywords.Go to Homepage
     Click Link  link=My document
     Click Delete Action
     Page Should Contain  Potential link breakage

From fbf19c489467ee747f570b9fdb47dc83138f904f Mon Sep 17 00:00:00 2001
From: idgserpro <idg@serpro.gov.br>
Date: Fri, 13 May 2016 15:33:06 -0300
Subject: [PATCH 3/3] Improve docs for _authenticator in js files.

In essence, this is needed for Plone 5 only. Plone 4 installations that
have plone4.csrffixes and plone.protect >= 3.0.x don't need it.

Check

https://github.com/plone/plone.protect/issues/42

for mode details.
---
 .../cover/browser/templates/compose.pt        | 24 +++++++++++++++++++
 .../cover/browser/templates/layoutedit.pt     | 24 +++++++++++++++++++
 2 files changed, 48 insertions(+)

diff --git a/src/collective/cover/browser/templates/compose.pt b/src/collective/cover/browser/templates/compose.pt
index ee7814033..2717580cb 100644
--- a/src/collective/cover/browser/templates/compose.pt
+++ b/src/collective/cover/browser/templates/compose.pt
@@ -34,6 +34,30 @@
         tal:replace="structure layout/render_compose" />
     <div class="content-contentchooser"
         tal:replace="structure context/@@select-content-contentchooser" />
+    <tal:comment tal:replace="nothing">
+
+        FIXME
+        BBB
+        plone4.csrffixes automatically adds, to all AJAX calls,
+        a X-CSRF-TOKEN so plone.protect will automatically add
+        CSRF protection without configuration, because from
+        plone.protect 3.0.x onwards it checks for this token.
+
+        But for Plone 5 (that doesn't use
+        plone4.csrffixes for obvious reasons) this token isn't
+        set, so you need to add a form to all your templates
+        and an _authenticator variable to all your requests in
+        your javascripts.
+
+        If this issue of adding this behavior of setting the
+        token in
+
+        https://github.com/plone/plone.protect/issues/42
+
+        is solved, these forms and all _authenticator variables
+        can be removed from code.
+
+    </tal:comment>
     <form id="cover-compose-form" method="POST"></form>
 </metal:main>
 
diff --git a/src/collective/cover/browser/templates/layoutedit.pt b/src/collective/cover/browser/templates/layoutedit.pt
index 57ca0ac39..01a5d4d7a 100644
--- a/src/collective/cover/browser/templates/layoutedit.pt
+++ b/src/collective/cover/browser/templates/layoutedit.pt
@@ -69,6 +69,30 @@
                 <div id="export-layout" class="modal hide" tal:condition="can_export_layout">
                     <h1 class="documentFirstHeading">Export Layout</h1>
                     <p class="discreen">Save a copy of this layout under a new name</p>
+                    <tal:comment tal:replace="nothing">
+
+                        FIXME
+                        BBB
+                        plone4.csrffixes automatically adds, to all AJAX calls,
+                        a X-CSRF-TOKEN so plone.protect will automatically add
+                        CSRF protection without configuration, because from
+                        plone.protect 3.0.x onwards it checks for this token.
+
+                        But for Plone 5 (that doesn't use
+                        plone4.csrffixes for obvious reasons) this token isn't
+                        set, so you need to add a form to all your templates
+                        and an _authenticator variable to all your requests in
+                        your javascripts.
+
+                        If this issue of adding this behavior of setting the
+                        token in
+
+                        https://github.com/plone/plone.protect/issues/42
+
+                        is solved, these forms and all _authenticator variables
+                        can be removed from code.
+
+                    </tal:comment>
                     <form id="cover-layout-form" tal:attributes="action request/URL" method="post"
                           enctype="multipart/form-data">
                         <div class="modal-fields">