From 16bbc24b3de5c41ece88137b18bfa48ffa39faa7 Mon Sep 17 00:00:00 2001
From: Gil Forcada
Date: Wed, 21 Oct 2015 12:13:17 +0200
Subject: [PATCH] Fix a write on read situation

Only get the rule management assignable if it's going to be used. Getting it has the side effect of creating it if it does not exist, thus causing a write on read.
---
 CHANGES.rst | 3 ++-
 plone/app/contentrules/browser/assignments.py | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/CHANGES.rst b/CHANGES.rst
index 3bda3bf..5964477 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -4,7 +4,8 @@ Changelog
 3.0.9 (unreleased)
 ------------------
-- Nothing changed yet.
+- CSRF fix: safe write on read.
+ [gforcada]
 3.0.8 (2014-10-22)
diff --git a/plone/app/contentrules/browser/assignments.py b/plone/app/contentrules/browser/assignments.py
index b255c0d..884b67e 100644
--- a/plone/app/contentrules/browser/assignments.py
+++ b/plone/app/contentrules/browser/assignments.py
@@ -25,11 +25,11 @@ def __call__(self):
 request = aq_inner(self.request)
 form = request.form
 status = IStatusMessage(self.request)
- assignable = IRuleAssignmentManager(context)
 operation = request.get('operation', None)
 if operation == 'move_up':
+ assignable = IRuleAssignmentManager(context)
 rule_id = request.get('rule_id')
 keys = list(assignable.keys())
 idx = keys.index(rule_id)
@@ -37,6 +37,7 @@ def __call__(self):
 keys.insert(idx-1, rule_id)
 assignable.updateOrder(keys)
 elif operation == 'move_down':
+ assignable = IRuleAssignmentManager(context)
 rule_id = request.get('rule_id')
 keys = list(assignable.keys())
 idx = keys.index(rule_id)
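Review bot: The `move_up` branch still adapts the context and reaches `assignable.updateOrder(keys)` based only on the `operation` and `rule_id` request parameters, and nothing visible in this hunk restricts it to POST or verifies a CSRF token; the `move_down` branch in the next hunk has the same shape. Deferring the lookup removes the write for plain page views, but a request carrying `operation=move_up` is still a state change, so the changelog wording "CSRF fix" overstates what these lines guarantee. Unless the rest of `__call__` (outside the hunk) or the framework's automatic protection already covers it, a check such as plone.protect's `CheckAuthenticator(request)` as the first statement of each branch would close the gap. Note also that `keys.index(rule_id)` raises `ValueError` when `rule_id` is absent or unknown, which happens after the storage has already been created by the adapter call.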
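Review bot: The adapter lookup is now duplicated in both branches with no comment saying why it must stay there, so a later cleanup could hoist it back above the `if` and reintroduce the write on read. A one-line comment at each call would protect it, for example `# adapting creates the assignment storage if missing: only do it when we are about to write`. `__call__` continues past the end of this hunk, so it is worth confirming that no later branch still reads `assignable`; one that does would now fail with `UnboundLocalError`.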