From 0cd8e3c166b00832f69bfeba490cd9bb2996e640 Mon Sep 17 00:00:00 2001
From: Gil Forcada
Date: Wed, 21 Oct 2015 12:06:29 +0200
Subject: [PATCH] Fix a write on read situation If the context gets its first annotation it need to be marked as safe to write. The same goes for the annotations on the object.
---
 CHANGES.rst | 4 ++--
 plone/contentrules/engine/assignments.py | 8 +++++++-
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/CHANGES.rst b/CHANGES.rst
index 986d9fd..27761ca 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -4,8 +4,8 @@ Changelog
 2.0.5 (unreleased)
 ------------------
-- Nothing changed yet.
-
+- CSRF fix: safe write on read.
+ [gforcada]
 2.0.4 (2014-01-27)
 ------------------
diff --git a/plone/contentrules/engine/assignments.py b/plone/contentrules/engine/assignments.py
index 7918fca..054e688 100644
--- a/plone/contentrules/engine/assignments.py
+++ b/plone/contentrules/engine/assignments.py
@@ -14,6 +14,8 @@
 from plone.contentrules.engine.interfaces import IRuleAssignment
 from plone.contentrules.engine.interfaces import IRuleAssignmentManager
+from plone.protect.auto import safeWrite
+
 from BTrees.OOBTree import OOBTree
@@ -85,6 +87,10 @@ def ruleAssignmentManagerAdapterFactory(context):
 annotations = IAnnotations(context)
 manager = annotations.get(KEY, None)
 if manager is None:
- manager = annotations[KEY] = RuleAssignmentManager()
+ annotations[KEY] = RuleAssignmentManager()
+ manager = annotations[KEY]
+ # protect both context and its annotations from a write on read error
+ safeWrite(context)
+ safeWrite(context.__annotations__)
 return manager
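Review bot: The new `from plone.protect.auto import safeWrite` in the first assignments.py hunk makes plone.protect a hard import-time dependency, yet the diffstat lists only CHANGES.rst and assignments.py, so no packaging metadata is touched by this patch. If the package's requirements do not already name a plone.protect release that provides `safeWrite`, this module will fail to import on older installs. It is worth declaring the minimum version, or confirming it is already declared.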
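Review bot: In the second assignments.py hunk, `safeWrite(context)` appears to exempt the whole context object from plone.protect's automatic CSRF check for the rest of the request, which is wider than the single annotation this factory creates. Any other change to the context object itself in the same request would then also go unchallenged. The context only changes when it receives its first annotation, so it would be tighter to mark it only in that case and say so in the comment. `context.__annotations__` also assumes attribute-based annotation storage; a guard such as `storage = getattr(context, '__annotations__', None)` followed by `if storage is not None: safeWrite(storage)` avoids an AttributeError with other IAnnotations adapters. The function starts above the hunk and indentation is lost on this page, so this assumes the calls sit inside the `if manager is None:` branch.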