[Zope-Checkins] SVN: Zope/trunk/ Forward-port fix for LP #987980 from the 2.12 branch.

Tres Seaver cvs-admin at zope.org
Tue Feb 19 20:31:05 UTC 2013


Log message for revision 129488:
  Forward-port fix for LP #987980 from the 2.12 branch.

Changed:
  _U  Zope/trunk/
  U   Zope/trunk/doc/CHANGES.rst
  U   Zope/trunk/src/Products/PageTemplates/ZopePageTemplate.py
  U   Zope/trunk/src/Products/PageTemplates/tests/testZopePageTemplate.py

-=-

Property changes on: Zope/trunk
___________________________________________________________________
Modified: svn:mergeinfo
   - /Zope/branches/2.12:109929
   + /Zope/branches/2.12:109929


Modified: Zope/trunk/doc/CHANGES.rst
===================================================================
--- Zope/trunk/doc/CHANGES.rst	2013-02-19 20:25:29 UTC (rev 129487)
+++ Zope/trunk/doc/CHANGES.rst	2013-02-19 20:31:04 UTC (rev 129488)
@@ -11,6 +11,9 @@
 Bugs Fixed
 ++++++++++
 
+- LP #978980: Protect views of ZPT source with 'View Management Screens'
+  permision.
+
 - Make sure the generated classes for simple browser pages (SimpleViewClasses)
   have a str __name__. See LP #1129030.
 

Modified: Zope/trunk/src/Products/PageTemplates/ZopePageTemplate.py
===================================================================
--- Zope/trunk/src/Products/PageTemplates/ZopePageTemplate.py	2013-02-19 20:25:29 UTC (rev 129487)
+++ Zope/trunk/src/Products/PageTemplates/ZopePageTemplate.py	2013-02-19 20:31:04 UTC (rev 129488)
@@ -52,6 +52,8 @@
 
 class Src(Explicit):
     """ I am scary code """
+    security = ClassSecurityInfo()
+    security.declareObjectProtected(view_management_screens)
 
     PUT = document_src = Acquired
     index_html = None
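Review bot: The only documentation on `Src` is `""" I am scary code """`, which tells a maintainer nothing about what the class exposes or why it now carries an object-level permission; with this hunk it becomes a security boundary, so the docstring should say so, e.g. `"""Publishable view of a ZopePageTemplate's raw source; protected as an object by 'View management screens' so only managers can read template code."""`. The `ClassSecurityInfo`, `view_management_screens` and `InitializeClass` names used here are presumably already imported at the top of the module, which is outside this hunk. Note also that the CHANGES.rst entry in this same commit cites LP #978980 while the commit message says LP #987980; one of the two looks transposed. The body of `Src` continues past the end of this hunk.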
@@ -64,6 +66,8 @@
         " "
         return self.document_src(REQUEST)
 
+InitializeClass(Src)
+
 class ZopePageTemplate(Script, PageTemplate, Historical, Cacheable,
                        Traversable, PropertyManager):
     "Zope wrapper for Page Template using TAL, TALES, and METAL"
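Review bot: The module-level `InitializeClass(Src)` is separated from `class ZopePageTemplate(...)` by a single blank line, whereas PEP 8 (and the rest of this module, judging by the context lines) uses two blank lines between top-level definitions; add a second blank line after `InitializeClass(Src)`. The call is placed correctly otherwise: it must follow the complete class body, whose start lies in the previous hunk.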

Modified: Zope/trunk/src/Products/PageTemplates/tests/testZopePageTemplate.py
===================================================================
--- Zope/trunk/src/Products/PageTemplates/tests/testZopePageTemplate.py	2013-02-19 20:25:29 UTC (rev 129487)
+++ Zope/trunk/src/Products/PageTemplates/tests/testZopePageTemplate.py	2013-02-19 20:31:04 UTC (rev 129488)
@@ -232,7 +232,8 @@
         self.app.REQUEST.debug = DebugFlags()
         self.assertEqual(zpt.pt_render(), unicode('<div>foo</div>'))
         self.app.REQUEST.debug.showTAL = True
-        self.assertEqual(zpt.pt_render(), unicode('<div tal:content="string:foo">foo</div>'))
+        self.assertEqual(zpt.pt_render(),
+                         unicode('<div tal:content="string:foo">foo</div>'))
         self.app.REQUEST.debug.sourceAnnotations = True
         self.assertEqual(zpt.pt_render().startswith(unicode('<!--')), True)
 
@@ -478,6 +479,54 @@
         pt.pt_render(source=True)
         self.assertEqual(pt.pt_errors(), None)
 
+class SrcTests(unittest.TestCase):
+
+    def _getTargetClass(self):
+        from Products.PageTemplates.ZopePageTemplate import Src
+        return Src
+
+    def _makeOne(self, zpt=None):
+        if zpt is None:
+            zpt = self._makeTemplate()
+        zpt.test_src = self._getTargetClass()()
+        return zpt.test_src
+
+    def _makeTemplate(self, id='test', source='<html/>'):
+        from Products.PageTemplates.ZopePageTemplate import ZopePageTemplate
+        return ZopePageTemplate(id, source)
+
+    def test___before_publishing_traverse___wo__hacked_path(self):
+        src = self._makeOne()
+        request = DummyRequest()
+        src.__before_publishing_traverse__(None, request)
+        self.assertFalse('_hacked_path' in request.__dict__)
+
+    def test___before_publishing_traverse___w__hacked_path_false(self):
+        src = self._makeOne()
+        request = DummyRequest()
+        request._hacked_path = False
+        src.__before_publishing_traverse__(None, request)
+        self.assertFalse(request._hacked_path)
+
+    def test___before_publishing_traverse___w__hacked_path_true(self):
+        src = self._makeOne()
+        request = DummyRequest()
+        request._hacked_path = True
+        src.__before_publishing_traverse__(None, request)
+        self.assertFalse(request._hacked_path)
+
+    def test___call__(self):
+        template = self._makeTemplate(source='TESTING')
+        src = self._makeOne(template)
+        request = DummyRequest()
+        response = object()
+        self.assertEqual(src(request, response), 'TESTING')
+
+
+class DummyRequest(dict):
+    pass
+
+
 class DummyFileUpload:
 
     def __init__(self, data='', filename='', content_type=''):
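Review bot: None of the new `SrcTests` exercise the security declaration that this commit exists to add: `test___call__` calls `src(request, response)` directly and the traversal tests only inspect `_hacked_path`, so a regression that dropped `declareObjectProtected` or the `InitializeClass(Src)` call would still pass. A test should assert that the class-level `__roles__` installed by `InitializeClass` is a `PermissionRole` for `view_management_screens`; the `__name__` comparison below assumes `PermissionRole` exposes the permission name that way, which should be confirmed against the installed AccessControl. The suggested method belongs inside `SrcTests`, alongside the existing `test___call__`.
```python
    def test_class_is_protected_by_view_management_screens(self):
        from AccessControl.PermissionRole import PermissionRole
        from AccessControl.Permissions import view_management_screens
        roles = self._getTargetClass().__roles__
        self.assertTrue(isinstance(roles, PermissionRole))
        self.assertEqual(roles.__name__, view_management_screens)
```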
@@ -490,10 +539,12 @@
 
        
 def test_suite():
-    suite = unittest.makeSuite(ZPTRegressions)
-    suite.addTests(unittest.makeSuite(ZPTUtilsTests))
-    suite.addTests(unittest.makeSuite(ZPTMacros))
-    suite.addTests(unittest.makeSuite(ZopePageTemplateFileTests))
-    suite.addTests(unittest.makeSuite(ZPTUnicodeEncodingConflictResolution))
-    suite.addTests(unittest.makeSuite(PreferredCharsetUnicodeResolverTests))
-    return suite
+    return unittest.TestSuite((
+        unittest.makeSuite(ZPTRegressions),
+        unittest.makeSuite(ZPTUtilsTests),
+        unittest.makeSuite(ZPTMacros),
+        unittest.makeSuite(ZopePageTemplateFileTests),
+        unittest.makeSuite(ZPTUnicodeEncodingConflictResolution),
+        unittest.makeSuite(PreferredCharsetUnicodeResolverTests),
+        unittest.makeSuite(SrcTests),
+    ))


