[Checkins] SVN: five.pt/trunk/ Use trusted path expression for trusted engine. Also, fix issue with missing ``request`` variable from template context. Dependencies upgrade to point releases.

Malthe Borch mborch at gmail.com
Thu Jul 14 03:12:47 EDT 2011


Log message for revision 122209:
  Use trusted path expression for trusted engine. Also, fix issue with missing ``request`` variable from template context. Dependencies upgrade to point releases.

Changed:
  U   five.pt/trunk/CHANGES.txt
  U   five.pt/trunk/setup.py
  U   five.pt/trunk/src/five/pt/expressions.py
  U   five.pt/trunk/src/five/pt/patches.py

-=-
Modified: five.pt/trunk/CHANGES.txt
===================================================================
--- five.pt/trunk/CHANGES.txt	2011-07-14 07:08:12 UTC (rev 122208)
+++ five.pt/trunk/CHANGES.txt	2011-07-14 07:12:47 UTC (rev 122209)
@@ -1,6 +1,16 @@
 Changelog
 =========
 
+In next release ...
+
+- Use trusted path expression for trusted expression engine.
+  [malthe]
+
+- Fixed template context issues where a ``request`` would be required
+  by the path expression compiler but not provided (typically when in
+  a situation where the user is unauthorized to view content).
+  [malthe]
+
 2.1-rc1 (2011-07-14)
 ~~~~~~~~~~~~~~~~~~~~
 

Modified: five.pt/trunk/setup.py
===================================================================
--- five.pt/trunk/setup.py	2011-07-14 07:08:12 UTC (rev 122208)
+++ five.pt/trunk/setup.py	2011-07-14 07:12:47 UTC (rev 122209)
@@ -1,6 +1,6 @@
 from setuptools import setup, find_packages
 
-version = '2.1-rc1'
+version = '2.1-dev'
 
 setup(name='five.pt',
       version=version,
@@ -25,8 +25,8 @@
       zip_safe=False,
       install_requires=[
           'setuptools',
-          'z3c.pt>=2.0-rc3',
-          'Chameleon>=2.0-rc14',
+          'z3c.pt>=2.0',
+          'Chameleon>=2.0',
           'sourcecodegen',
       ],
       entry_points="""

Modified: five.pt/trunk/src/five/pt/expressions.py
===================================================================
--- five.pt/trunk/src/five/pt/expressions.py	2011-07-14 07:08:12 UTC (rev 122208)
+++ five.pt/trunk/src/five/pt/expressions.py	2011-07-14 07:12:47 UTC (rev 122209)
@@ -79,13 +79,16 @@
     return ob
 
 
-class FiveTraverser(object):
+class BoboAwareZopeTraverse(object):
+    traverse_method = 'restrictedTraverse'
+
     def __call__(self, base, request, call, *path_items):
         """See ``zope.app.pagetemplate.engine``."""
 
         length = len(path_items)
         if length:
             i = 0
+            method = self.traverse_method
             while i < length:
                 name = path_items[i]
                 i += 1
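Review bot: The new `traverse_method` class attribute on the line after the class statement is the single switch between security-checked and unchecked traversal, but it carries no comment saying so, and a subclass that overrides it with the wrong name silently drops Zope 2 access validation. I would document it right there: `# Name of the method called on each ITraversable base. 'restrictedTraverse' applies Zope 2 security validation; subclasses may override with 'unrestrictedTraverse', which skips it, for trusted (filesystem) templates only.` The `__call__` body continues past the end of this hunk.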
@@ -98,7 +101,8 @@
                     if isinstance(base, dict):
                         base = base[name]
                     elif ITraversable.providedBy(base):
-                        base = base.restrictedTraverse(name)
+                        traverser = getattr(base, method)
+                        base = traverser(name)
                     else:
                         base = traversePathElement(
                             base, name, path_items[i:], request=request)
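Review bot: Only the `ITraversable` branch consults `traverse_method` (the `getattr(base, method)` line); the `dict` lookup two lines above it and the `traversePathElement` fallback below run identically for the restricted and trusted traversers, so the restricted/trusted split only covers bases that provide `ITraversable`. That appears to be inherited from the previous `FiveTraverser` rather than introduced here, but it is worth stating next to the dispatch: `# Only ITraversable bases get restricted/unrestricted dispatch; dict lookups and the traversePathElement fallback are not security-checked here.` The enclosing `__call__` starts and ends outside this hunk.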
@@ -114,14 +118,24 @@
         return base
 
 
+class TrustedBoboAwareZopeTraverse(BoboAwareZopeTraverse):
+    traverse_method = 'unrestrictedTraverse'
+
+
 class PathExpr(expressions.PathExpr):
     exceptions = zope2_exceptions
 
-    traverser = Static(
-        template("cls()", cls=Symbol(FiveTraverser), mode="eval")
-        )
+    traverser = Static(template(
+        "cls()", cls=Symbol(BoboAwareZopeTraverse), mode="eval"
+        ))
 
 
+class TrustedPathExpr(PathExpr):
+    traverser = Static(template(
+        "cls()", cls=Symbol(TrustedBoboAwareZopeTraverse), mode="eval"
+        ))
+
+
 class NocallExpr(expressions.NocallExpr, PathExpr):
     pass
 
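Review bot: `TrustedBoboAwareZopeTraverse` and `TrustedPathExpr` are the two classes that switch traversal to `unrestrictedTraverse`, yet neither has a docstring, so a reader of patches.py cannot tell from the names which engines they are safe to wire into. I would add to the traverser `"""Traverser for trusted (filesystem) templates: uses unrestrictedTraverse, so Zope 2 access validation is skipped. Do not use for engines that render through-the-web templates."""` and a one-line equivalent on `TrustedPathExpr` saying it is the trusted-engine counterpart of `PathExpr`. `PathExpr` itself could also state that its traverser is the restricted one, since that is now the only thing distinguishing the two.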
@@ -169,7 +183,7 @@
         return node
 
 
-class SecurePythonExpr(expressions.PythonExpr):
+class UntrustedPythonExpr(expressions.PythonExpr):
     rm = RestrictionMutator()
     rt = RestrictionTransform()
 
@@ -186,7 +200,7 @@
         node = ast24_parse(decoded, 'eval').node
         MutatingWalker.walk(node, self.rm)
         string = generate_code(node)
-        value = super(SecurePythonExpr, self).parse(string)
+        value = super(UntrustedPythonExpr, self).parse(string)
         self.rt.visit(value)
         self.nt.visit(value)
         return value

Modified: five.pt/trunk/src/five/pt/patches.py
===================================================================
--- five.pt/trunk/src/five/pt/patches.py	2011-07-14 07:08:12 UTC (rev 122208)
+++ five.pt/trunk/src/five/pt/patches.py	2011-07-14 07:12:47 UTC (rev 122209)
@@ -22,10 +22,11 @@
 from chameleon.tal import RepeatDict
 
 from .expressions import PathExpr
+from .expressions import TrustedPathExpr
 from .expressions import ProviderExpr
 from .expressions import NocallExpr
 from .expressions import ExistsExpr
-from .expressions import SecurePythonExpr
+from .expressions import UntrustedPythonExpr
 
 
 # Declare Chameleon's repeat dictionary public
@@ -37,7 +38,7 @@
 
 # Zope 2 Page Template expressions
 _secure_expression_types = {
-    'python': SecurePythonExpr,
+    'python': UntrustedPythonExpr,
     'string': StringExpr,
     'not': NotExpr,
     'exists': ExistsExpr,
@@ -53,7 +54,7 @@
     'string': StringExpr,
     'not': NotExpr,
     'exists': ExistsExpr,
-    'path': PathExpr,
+    'path': TrustedPathExpr,
     'provider': ProviderExpr,
     'nocall': NocallExpr,
     }
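Review bot: The trusted table now maps `path` to `TrustedPathExpr`, but `nocall` on the line below still uses `NocallExpr`, which in expressions.py is declared as `class NocallExpr(expressions.NocallExpr, PathExpr)` and therefore traverses with `restrictedTraverse`; a trusted template would get `Unauthorized` from `nocall:` where `path:` on the same object succeeds. If that asymmetry is not intended, add `class TrustedNocallExpr(expressions.NocallExpr, TrustedPathExpr): pass` next to `NocallExpr` and use `'nocall': TrustedNocallExpr,` here. The same question applies to `exists`, whose base class is not visible in this diff.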
@@ -110,7 +111,7 @@
 class ChameleonTALInterpreter(object):
     def __init__(self, template, macros, context, stream, tal=True, **kwargs):
         self.template = template
-        self.econtext = context.vars
+        self.context = context.vars
         self.repeat = context.repeat_vars
         self.stream = stream
         self.tal = tal
@@ -119,22 +120,22 @@
         if self.tal is False:
             result = self.template.body
         else:
-            econtext = self.econtext
+            context = self.context
 
             # Swap out repeat dictionary for Chameleon implementation
             # and store wrapped dictionary in new variable -- this is
             # in turn used by the secure Python expression
             # implementation whenever a 'repeat' symbol is found
-            econtext['wrapped_repeat'] = econtext['repeat']
-            econtext['repeat'] = RepeatDict(self.repeat)
+            context['wrapped_repeat'] = context['repeat']
+            context['repeat'] = RepeatDict(self.repeat)
 
-            result = self.template.render(
-                path=self.template.evaluate_path,
-                exists=self.template.evaluate_exists,
-                test=test,
-                **econtext
-                )
+            # XXX: This could be implemented as a transform which uses
+            # the turnary operator in place of calls to the test
+            # function.
+            context.setdefault('test', test)
 
+            result = self.template.render(**context)
+
         self.stream.write(result)
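Review bot: `context.setdefault('test', test)` lets a template-supplied `test` variable take precedence over the helper, whereas the removed `test=test` keyword would have raised `TypeError` on a duplicate key; if the helper is meant to win, use `context['test'] = test`, and in either case say which is intended in the comment. The `path=` and `exists=` helpers that the removed `render` call injected are no longer passed, so templates that call `path(...)` or `exists(...)` from `python:` expressions will lose them unless they are now supplied elsewhere, which this diff does not show. The comment above the `setdefault` should read `ternary`, not `turnary`.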
 
 


