On 1/14/2014 4:07 PM, Edward K. Ream wrote:

On Tue, Jan 14, 2014 at 2:46 PM, Jacob Peck <[email protected]> wrote:


    Makes me wonder... does mod_scripting only respect that setting
    from myLeoSettings.leo, or does it also listen to local (per-.leo
    file) settings?


Ouch!

    Because if that's the case... this is a huge security risk. Imagine
    a .leo with a malicious @script **and**
    @bool scripting-at-script-nodes = True.  Chaos... the only true
    way to look at it is in an external editor, or a no-plugins-loaded
    version of Leo.


Imo, this warrants a special check in the core settings code. It should disallow setting @bool scripting-at-script-nodes in local files!

An alternative almost-as-safe strategy would be for the mod_scripting plugin to make that check, using the same mechanism used by the print-settings command to determine the source of the file. Let me see how that works...

Oh yes, it uses Kent's suggestion: g.app.config.config_iter(c):

Checking the plugin...

Fail! self.atScriptNodes = getBool('scripting-at-script-nodes')

So Leo is wide open at present.  We've got to fix this yesterday.

Let's see how config_iter works...

    def config_iter(self,c):

        '''Letters:
          leoSettings.leo
        D default settings
        F loaded .leo File
        M myLeoSettings.leo
        '''
        # Note: the letter for leoSettings.leo is a literal space.
        lm = g.app.loadManager
        # Key bindings and open-with tables are not general settings; skip them.
        suppressKind = ('shortcut','shortcuts','openwithtable')
        suppressKeys = (None,'shortcut')

        # Settings of the open outline c, or the global dict when no outline is open.
        d = c.config.settingsDict if c else lm.globalSettingsDict
        for key in sorted(list(d.keys())):
            if key not in suppressKeys:
                gs = d.get(key)
                assert g.isGeneralSetting(gs),gs
                if gs and gs.kind not in suppressKind:
                    # gs.path is the file the winning value was read from;
                    # the letter says which kind of file that was.
                    letter = lm.computeBindingLetter(gs.path)
                    yield key,gs.val,c,letter

    def computeBindingLetter(self,kind):
        # 'kind' is really the path of the file the setting came from.
        if not kind:
            return 'D'
        # Order matters: myLeoSettings.leo also ends with 'leoSettings.leo',
        # and both end with '.leo'.
        table = (
            ('M','myLeoSettings.leo'),
            (' ','leoSettings.leo'),
            ('F','.leo'),   # any other .leo file: a local setting
        )
        for letter,kind2 in table:
            if kind.lower().endswith(kind2.lower()):
                return letter
        else:
            # for/else: reached only when no suffix matched.
            return 'D' if kind.find('mode') == -1 else '@'

It would be best to define a convenience method, say c.config.isLocalSetting(settingName). The mod_scripting plugin can then refuse to honor a local setting for @bool scripting-at-script-nodes.

I'll do this immediately.

Edward
--
My nodewatch.py plugin can benefit from that as well. I'm waiting attentively :)

-->Jake
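An added example, not Leo's own code, of the isLocalSetting() check Edward proposes above and of the plugin-side guard that replaces the unchecked getBool('scripting-at-script-nodes') call. Only compute_binding_letter() mirrors the quoted computeBindingLetter logic; GeneralSetting, SettingsConfig, LOCAL_FORBIDDEN, safe_get_bool, demo and the sample settings (including the hypothetical keys nodewatch-enable and example-setting) are constructed for this illustration.

```python
# Added example (not Leo's own code) of the isLocalSetting() check proposed
# above. Only compute_binding_letter() mirrors the quoted computeBindingLetter;
# GeneralSetting, SettingsConfig, LOCAL_FORBIDDEN, safe_get_bool and the
# sample settings are constructed for this illustration.
from dataclasses import dataclass
from typing import Any, Dict, Iterator, Tuple


@dataclass
class GeneralSetting:
    kind: str   # e.g. 'bool', 'string'
    val: Any
    path: str   # file the winning value was read from; '' means built-in default


def compute_binding_letter(path: str) -> str:
    """Same logic as lm.computeBindingLetter in the quoted code:
    'M' myLeoSettings.leo, ' ' leoSettings.leo, 'F' any other .leo file
    (a local setting), 'D' default, '@' for @mode settings."""
    if not path:
        return 'D'
    table = (
        ('M', 'myLeoSettings.leo'),
        (' ', 'leoSettings.leo'),
        ('F', '.leo'),
    )
    for letter, suffix in table:
        if path.lower().endswith(suffix.lower()):
            return letter
    return 'D' if path.find('mode') == -1 else '@'


class SettingsConfig:
    """Stand-in for c.config, extended with the proposed isLocalSetting()."""

    def __init__(self, settings_dict: Dict[str, GeneralSetting]):
        self.settingsDict = settings_dict

    def getBool(self, name: str, default: bool = False) -> bool:
        gs = self.settingsDict.get(name)
        return default if gs is None else bool(gs.val)

    def isLocalSetting(self, name: str) -> bool:
        """True when the value in force came from the loaded .leo file
        itself rather than from leoSettings.leo or myLeoSettings.leo."""
        gs = self.settingsDict.get(name)
        return gs is not None and compute_binding_letter(gs.path) == 'F'

    def config_iter(self) -> Iterator[Tuple[str, Any, str]]:
        """(key, value, source letter) for every setting, as print-settings shows."""
        for key in sorted(self.settingsDict):
            gs = self.settingsDict[key]
            yield key, gs.val, compute_binding_letter(gs.path)


# Settings a plugin must never let the opened outline switch on, because the
# same outline could also carry the @script nodes the setting would execute.
LOCAL_FORBIDDEN = frozenset({'scripting-at-script-nodes'})


def safe_get_bool(config: SettingsConfig, name: str, default: bool = False) -> bool:
    """What a plugin's getBool() should do instead of the unchecked call:
    ignore a forbidden setting whenever its value came from the local file."""
    if name in LOCAL_FORBIDDEN and config.isLocalSetting(name):
        return default
    return config.getBool(name, default)


# Constructed settings dictionary: the opened outline tries to enable
# scripting-at-script-nodes; the other two keys are hypothetical settings
# coming from the user's own settings files.
CONSTRUCTED_SETTINGS = {
    'scripting-at-script-nodes': GeneralSetting('bool', True, '/tmp/untrusted.leo'),
    'nodewatch-enable': GeneralSetting('bool', True, '/home/user/.leo/myLeoSettings.leo'),
    'example-setting': GeneralSetting('bool', True, '/opt/leo/config/leoSettings.leo'),
}


def demo() -> Dict[str, bool]:
    """Resolve each constructed setting the way the guarded plugin would."""
    cfg = SettingsConfig(CONSTRUCTED_SETTINGS)
    return {name: safe_get_bool(cfg, name) for name in CONSTRUCTED_SETTINGS}


if __name__ == '__main__':
    cfg = SettingsConfig(CONSTRUCTED_SETTINGS)
    for key, val, letter in cfg.config_iter():
        print(f'{letter!r} {key} = {val}')
    print(demo())   # scripting-at-script-nodes resolves to False
```

One caveat the merged dictionary imposes: it keeps only the winning value and its source, so when the plugin refuses a local override it falls back to the default, not to whatever the user had set in myLeoSettings.leo. A check in the core settings code, as Edward prefers, could instead drop the local value before the merge and keep the user's own setting in force.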

--
You received this message because you are subscribed to the Google Groups 
"leo-editor" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/leo-editor.
For more options, visit https://groups.google.com/groups/opt_out.