[Checkins] SVN: five.pt/trunk/ Use trusted path expression for trusted engine. Also, fix issue with missing ``request`` variable from template context. Dependencies upgrade to point releases.
Malthe Borch
mborch at gmail.com
Thu Jul 14 03:12:47 EDT 2011
Log message for revision 122209:
Use trusted path expression for trusted engine. Also, fix issue with missing ``request`` variable from template context. Dependencies upgrade to point releases.
Changed:
U five.pt/trunk/CHANGES.txt
U five.pt/trunk/setup.py
U five.pt/trunk/src/five/pt/expressions.py
U five.pt/trunk/src/five/pt/patches.py
-=-
Modified: five.pt/trunk/CHANGES.txt
===================================================================
--- five.pt/trunk/CHANGES.txt 2011-07-14 07:08:12 UTC (rev 122208)
+++ five.pt/trunk/CHANGES.txt 2011-07-14 07:12:47 UTC (rev 122209)
@@ -1,6 +1,16 @@
Changelog
=========
+In next release ...
+
+- Use trusted path expression for trusted expression engine.
+ [malthe]
+
+- Fixed template context issues where a ``request`` would be required
+ by the path expression compiler but not provided (typically when in
+ a situation where the user is unauthorized to view content).
+ [malthe]
+
2.1-rc1 (2011-07-14)
~~~~~~~~~~~~~~~~~~~~
Modified: five.pt/trunk/setup.py
===================================================================
--- five.pt/trunk/setup.py 2011-07-14 07:08:12 UTC (rev 122208)
+++ five.pt/trunk/setup.py 2011-07-14 07:12:47 UTC (rev 122209)
@@ -1,6 +1,6 @@
from setuptools import setup, find_packages
-version = '2.1-rc1'
+version = '2.1-dev'
setup(name='five.pt',
version=version,
@@ -25,8 +25,8 @@
zip_safe=False,
install_requires=[
'setuptools',
- 'z3c.pt>=2.0-rc3',
- 'Chameleon>=2.0-rc14',
+ 'z3c.pt>=2.0',
+ 'Chameleon>=2.0',
'sourcecodegen',
],
entry_points="""
Modified: five.pt/trunk/src/five/pt/expressions.py
===================================================================
--- five.pt/trunk/src/five/pt/expressions.py 2011-07-14 07:08:12 UTC (rev 122208)
+++ five.pt/trunk/src/five/pt/expressions.py 2011-07-14 07:12:47 UTC (rev 122209)
@@ -79,13 +79,16 @@
return ob
-class FiveTraverser(object):
+class BoboAwareZopeTraverse(object):
+ traverse_method = 'restrictedTraverse'
+
def __call__(self, base, request, call, *path_items):
"""See ``zope.app.pagetemplate.engine``."""
length = len(path_items)
if length:
i = 0
+ method = self.traverse_method
while i < length:
name = path_items[i]
i += 1
@@ -98,7 +101,8 @@
if isinstance(base, dict):
base = base[name]
elif ITraversable.providedBy(base):
- base = base.restrictedTraverse(name)
+ traverser = getattr(base, method)
+ base = traverser(name)
else:
base = traversePathElement(
base, name, path_items[i:], request=request)
@@ -114,14 +118,24 @@
return base
+class TrustedBoboAwareZopeTraverse(BoboAwareZopeTraverse):
+ traverse_method = 'unrestrictedTraverse'
+
+
class PathExpr(expressions.PathExpr):
exceptions = zope2_exceptions
- traverser = Static(
- template("cls()", cls=Symbol(FiveTraverser), mode="eval")
- )
+ traverser = Static(template(
+ "cls()", cls=Symbol(BoboAwareZopeTraverse), mode="eval"
+ ))
+class TrustedPathExpr(PathExpr):
+ traverser = Static(template(
+ "cls()", cls=Symbol(TrustedBoboAwareZopeTraverse), mode="eval"
+ ))
+
+
class NocallExpr(expressions.NocallExpr, PathExpr):
pass
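Review bot: `NocallExpr` still derives from `PathExpr`, so it keeps the `BoboAwareZopeTraverse` traverser even where patches.py registers it in the trusted table (the `'nocall': NocallExpr` context line in the `@@ -53,7 +54,7 @@` hunk). If its compile path uses the inherited `traverser` attribute, which is not visible here, a trusted template would resolve `path:` with `unrestrictedTraverse` but `nocall:` with `restrictedTraverse`. That fails closed, but the trust decision ends up split per expression type rather than per template; a parallel `class TrustedNocallExpr(expressions.NocallExpr, TrustedPathExpr): pass` registered in the trusted table would keep them consistent, and `ExistsExpr` deserves the same check. `TrustedBoboAwareZopeTraverse` would also benefit from a one-line docstring stating that it traverses without Zope's security checks and is meant only for the trusted engine.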
@@ -169,7 +183,7 @@
return node
-class SecurePythonExpr(expressions.PythonExpr):
+class UntrustedPythonExpr(expressions.PythonExpr):
rm = RestrictionMutator()
rt = RestrictionTransform()
@@ -186,7 +200,7 @@
node = ast24_parse(decoded, 'eval').node
MutatingWalker.walk(node, self.rm)
string = generate_code(node)
- value = super(SecurePythonExpr, self).parse(string)
+ value = super(UntrustedPythonExpr, self).parse(string)
self.rt.visit(value)
self.nt.visit(value)
return value
Modified: five.pt/trunk/src/five/pt/patches.py
===================================================================
--- five.pt/trunk/src/five/pt/patches.py 2011-07-14 07:08:12 UTC (rev 122208)
+++ five.pt/trunk/src/five/pt/patches.py 2011-07-14 07:12:47 UTC (rev 122209)
@@ -22,10 +22,11 @@
from chameleon.tal import RepeatDict
from .expressions import PathExpr
+from .expressions import TrustedPathExpr
from .expressions import ProviderExpr
from .expressions import NocallExpr
from .expressions import ExistsExpr
-from .expressions import SecurePythonExpr
+from .expressions import UntrustedPythonExpr
# Declare Chameleon's repeat dictionary public
@@ -37,7 +38,7 @@
# Zope 2 Page Template expressions
_secure_expression_types = {
- 'python': SecurePythonExpr,
+ 'python': UntrustedPythonExpr,
'string': StringExpr,
'not': NotExpr,
'exists': ExistsExpr,
@@ -53,7 +54,7 @@
'string': StringExpr,
'not': NotExpr,
'exists': ExistsExpr,
- 'path': PathExpr,
+ 'path': TrustedPathExpr,
'provider': ProviderExpr,
'nocall': NocallExpr,
}
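Review bot: The `'path': TrustedPathExpr` entry switches this table to traversal without security checks, and nothing in the hunk records which templates may be compiled with it. The dictionary's opening line is outside the hunk, so its name is not visible here. A comment above the entry, such as `# trusted engine only: path traversal uses unrestrictedTraverse; never use this table for templates whose source is not trusted`, would record the constraint for whoever edits the table next.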
@@ -110,7 +111,7 @@
class ChameleonTALInterpreter(object):
def __init__(self, template, macros, context, stream, tal=True, **kwargs):
self.template = template
- self.econtext = context.vars
+ self.context = context.vars
self.repeat = context.repeat_vars
self.stream = stream
self.tal = tal
@@ -119,22 +120,22 @@
if self.tal is False:
result = self.template.body
else:
- econtext = self.econtext
+ context = self.context
# Swap out repeat dictionary for Chameleon implementation
# and store wrapped dictionary in new variable -- this is
# in turn used by the secure Python expression
# implementation whenever a 'repeat' symbol is found
- econtext['wrapped_repeat'] = econtext['repeat']
- econtext['repeat'] = RepeatDict(self.repeat)
+ context['wrapped_repeat'] = context['repeat']
+ context['repeat'] = RepeatDict(self.repeat)
- result = self.template.render(
- path=self.template.evaluate_path,
- exists=self.template.evaluate_exists,
- test=test,
- **econtext
- )
+ # XXX: This could be implemented as a transform which uses
+ # the turnary operator in place of calls to the test
+ # function.
+ context.setdefault('test', test)
+ result = self.template.render(**context)
+
self.stream.write(result)
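Review bot: `context.setdefault('test', test)` lets a `test` key already present in `context.vars` shadow the module's `test` helper, where the old call passed `test=test` explicitly. If the helper should always win, `context['test'] = test` says so; if overriding is intended, a short comment should say that instead. The `path=` and `exists=` keywords are no longer passed to `render`, which is fine only if the compiled expressions no longer look those names up, and this hunk does not show that. The new comment spells `ternary` as `turnary`, and the enclosing method starts outside the hunk.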