Ticket #8926 (closed Bug: fixed)

Opened 7 years ago

Last modified 7 years ago

"Form authenticator is invalid" when deleting an object from the full review list; All objects are linked to folder_contents

Reported by: deesto Owned by:
Priority: minor Milestone: 3.3
Component: General Version:
Keywords: Full Review List, Pending state, folder view, Forbidden, Form authenticator is invalid Cc: deesto


I am logged into my Plone site with the Manager role. I change a few objects to the Pending state -- a News item, and Event item, a Page -- and do a few other unrelated things in the site. In the Review List portlet, I see a list of objects in the Pending state, and I click "Full review list ...", which brings me to the "Full review list" page. Selecting one or more objects here -- one Event, and one Page -- and clicking Delete results in the following traceback:

   Module ZPublisher.Publish, line 119, in publish
   Module ZPublisher.mapply, line 88, in mapply
   Module ZPublisher.Publish, line 42, in call_object
   Module Products.CMFFormController.FSControllerPythonScript, line  
104, in __call__
   Module Products.CMFFormController.Script, line 145, in __call__
   Module Products.CMFCore.FSPythonScript, line 140, in __call__
   Module Shared.DC.Scripts.Bindings, line 313, in __call__
   Module Shared.DC.Scripts.Bindings, line 350, in _bindAndExec
   Module Products.CMFCore.FSPythonScript, line 196, in _exec
   Module None, line 19, in folder_delete
    - <FSControllerPythonScript at /[my-site]/folder_delete>
    - Line 19
   Module <string>, line 3, in _facade
   Module plone.protect.utils, line 32, in _curried
   Module plone.protect.authenticator, line 60, in check
Forbidden: Form authenticator is invalid.

I don't understand what "Forbidden: Form authenticator is invalid" means in this context, but it doesn't help in debugging the issue.

I then return to the Full Review List, and click one of the listed objects, and I notice a few strange things:

  • The content of the object is blank, with the exception of the

original title, name, and description, all of which are retained

  • The returned page claims "This folder has no visible items. To add

content, press the add button, or paste content from another location."

  • The object's URL is now appended with '/folder_contents'.

There seem to be two problems, and I'm not sure which is the real problem and which is a by-product of the other:

  • The Review List seems to assume that every object in the list is a


  • Every object in the Review List is being duplicated (incorrectly) as

another object with type:folder.

If one simply clicks one of the objects in the Review portlet, and not on "Full review list...", the error is not encountered, so I suspect a problem in whatever view is driving the Full Review List page.

Change History

comment:1 Changed 7 years ago by hannosch

  • Component changed from Unknown to Permissions

comment:2 Changed 7 years ago by hannosch

  • Component changed from Permissions to Infrastructure

comment:3 Changed 7 years ago by csenger

  • Status changed from new to closed
  • Resolution set to fixed
  • Summary changed from Full Review List assumes Folder view for Pending objects to "Form authenticator is invalid" when deleting an object from the full review list; All objects are linked to folder_contents

fixed in r26687 and r26688.

(Form authenticators: See plone.protect)

comment:4 Changed 7 years ago by hannosch

  • Milestone changed from 3.x to 3.3

comment:5 Changed 4 years ago by davisagli

  • Component changed from Infrastructure to General
Note: See TracTickets for help on using tickets.