[Zope-Checkins] SVN: Zope/branches/2.13/ Forward-port fix for LP #978980 from 2.12 branch.
Tres Seaver
cvs-admin at zope.org
Tue Feb 19 20:25:30 UTC 2013
Log message for revision 129487:
Forward-port fix for LP #978980 from 2.12 branch.
Changed:
_U Zope/branches/2.13/
U Zope/branches/2.13/doc/CHANGES.rst
U Zope/branches/2.13/src/Products/PageTemplates/ZopePageTemplate.py
U Zope/branches/2.13/src/Products/PageTemplates/tests/testZopePageTemplate.py
-=-
Modified: Zope/branches/2.13/doc/CHANGES.rst
===================================================================
--- Zope/branches/2.13/doc/CHANGES.rst 2013-02-19 18:22:27 UTC (rev 129486)
+++ Zope/branches/2.13/doc/CHANGES.rst 2013-02-19 20:25:29 UTC (rev 129487)
@@ -8,6 +8,9 @@
2.13.20 (unreleased)
--------------------
+- LP #978980: Protect views of ZPT source with 'View Management Screens'
+ permision.
+
- Make sure the generated classes for simple browser pages (SimpleViewClasses)
have a str __name__. See LP #1129030.
Modified: Zope/branches/2.13/src/Products/PageTemplates/ZopePageTemplate.py
===================================================================
--- Zope/branches/2.13/src/Products/PageTemplates/ZopePageTemplate.py 2013-02-19 18:22:27 UTC (rev 129486)
+++ Zope/branches/2.13/src/Products/PageTemplates/ZopePageTemplate.py 2013-02-19 20:25:29 UTC (rev 129487)
@@ -56,6 +56,8 @@
class Src(Explicit):
""" I am scary code """
+ security = ClassSecurityInfo()
+ security.declareObjectProtected(view_management_screens)
PUT = document_src = Acquired
index_html = None
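Review bot: The new `security.declareObjectProtected(view_management_screens)` on `Src` carries no comment saying what it guards, and the existing docstring (`""" I am scary code """`) gives the next maintainer nothing to go on. I would add above it `# Src serves the unrendered template source; require 'View management screens' (LP #978980).` The declaration presumably only takes effect through the `InitializeClass(Src)` call added in the following hunk, so the two need to stay together, and a one-line comment next to that call saying so would help. The imports of `ClassSecurityInfo`, `view_management_screens` and `InitializeClass` are outside this hunk, as is the protection on the template's own `document_src` that `Src` acquires, so both are worth confirming.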
@@ -68,6 +70,8 @@
" "
return self.document_src(REQUEST)
+InitializeClass(Src)
+
class ZopePageTemplate(Script, PageTemplate, Historical, Cacheable,
Traversable, PropertyManager):
"Zope wrapper for Page Template using TAL, TALES, and METAL"
Modified: Zope/branches/2.13/src/Products/PageTemplates/tests/testZopePageTemplate.py
===================================================================
--- Zope/branches/2.13/src/Products/PageTemplates/tests/testZopePageTemplate.py 2013-02-19 18:22:27 UTC (rev 129486)
+++ Zope/branches/2.13/src/Products/PageTemplates/tests/testZopePageTemplate.py 2013-02-19 20:25:29 UTC (rev 129487)
@@ -232,7 +232,8 @@
self.app.REQUEST.debug = DebugFlags()
self.assertEqual(zpt.pt_render(), unicode('<div>foo</div>'))
self.app.REQUEST.debug.showTAL = True
- self.assertEqual(zpt.pt_render(), unicode('<div tal:content="string:foo">foo</div>'))
+ self.assertEqual(zpt.pt_render(),
+ unicode('<div tal:content="string:foo">foo</div>'))
self.app.REQUEST.debug.sourceAnnotations = True
self.assertEqual(zpt.pt_render().startswith(unicode('<!--')), True)
@@ -483,6 +484,54 @@
pt.pt_render(source=True)
self.assertEqual(pt.pt_errors(), None)
+class SrcTests(unittest.TestCase):
+
+ def _getTargetClass(self):
+ from Products.PageTemplates.ZopePageTemplate import Src
+ return Src
+
+ def _makeOne(self, zpt=None):
+ if zpt is None:
+ zpt = self._makeTemplate()
+ zpt.test_src = self._getTargetClass()()
+ return zpt.test_src
+
+ def _makeTemplate(self, id='test', source='<html/>'):
+ from Products.PageTemplates.ZopePageTemplate import ZopePageTemplate
+ return ZopePageTemplate(id, source)
+
+ def test___before_publishing_traverse___wo__hacked_path(self):
+ src = self._makeOne()
+ request = DummyRequest()
+ src.__before_publishing_traverse__(None, request)
+ self.assertFalse('_hacked_path' in request.__dict__)
+
+ def test___before_publishing_traverse___w__hacked_path_false(self):
+ src = self._makeOne()
+ request = DummyRequest()
+ request._hacked_path = False
+ src.__before_publishing_traverse__(None, request)
+ self.assertFalse(request._hacked_path)
+
+ def test___before_publishing_traverse___w__hacked_path_true(self):
+ src = self._makeOne()
+ request = DummyRequest()
+ request._hacked_path = True
+ src.__before_publishing_traverse__(None, request)
+ self.assertFalse(request._hacked_path)
+
+ def test___call__(self):
+ template = self._makeTemplate(source='TESTING')
+ src = self._makeOne(template)
+ request = DummyRequest()
+ response = object()
+ self.assertEqual(src(request, response), 'TESTING')
+
+
+class DummyRequest(dict):
+ pass
+
+
class DummyFileUpload:
def __init__(self, data='', filename='', content_type=''):
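Review bot: None of the new `SrcTests` cases checks the permission this commit introduces. They cover `__before_publishing_traverse__` and a direct `src(request, response)` call, and would presumably still pass if the `declareObjectProtected(view_management_screens)` line were removed from `Src`. A regression test for LP #978980 should assert that `Src` is protected by 'View management screens' once `InitializeClass(Src)` has run, for example by checking the roles computed for the class or by verifying that a user without that permission is refused. Since `test___call__` calls the object directly and so bypasses the security machinery, a comment there saying it checks only the returned source would avoid giving a false sense of coverage.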
@@ -495,10 +544,12 @@
def test_suite():
- suite = unittest.makeSuite(ZPTRegressions)
- suite.addTests(unittest.makeSuite(ZPTUtilsTests))
- suite.addTests(unittest.makeSuite(ZPTMacros))
- suite.addTests(unittest.makeSuite(ZopePageTemplateFileTests))
- suite.addTests(unittest.makeSuite(ZPTUnicodeEncodingConflictResolution))
- suite.addTests(unittest.makeSuite(PreferredCharsetUnicodeResolverTests))
- return suite
+ return unittest.TestSuite((
+ unittest.makeSuite(ZPTRegressions),
+ unittest.makeSuite(ZPTUtilsTests),
+ unittest.makeSuite(ZPTMacros),
+ unittest.makeSuite(ZopePageTemplateFileTests),
+ unittest.makeSuite(ZPTUnicodeEncodingConflictResolution),
+ unittest.makeSuite(PreferredCharsetUnicodeResolverTests),
+ unittest.makeSuite(SrcTests),
+ ))