Log message for revision 129488: Forward-port fix for LP #987980 from the 2.12 branch.
Changed: _U Zope/trunk/ U Zope/trunk/doc/CHANGES.rst U Zope/trunk/src/Products/PageTemplates/ZopePageTemplate.py U Zope/trunk/src/Products/PageTemplates/tests/testZopePageTemplate.py -=- Property changes on: Zope/trunk ___________________________________________________________________ Modified: svn:mergeinfo - /Zope/branches/2.12:109929 + /Zope/branches/2.12:109929 Modified: Zope/trunk/doc/CHANGES.rst =================================================================== --- Zope/trunk/doc/CHANGES.rst 2013-02-19 20:25:29 UTC (rev 129487) +++ Zope/trunk/doc/CHANGES.rst 2013-02-19 20:31:04 UTC (rev 129488) @@ -11,6 +11,9 @@ Bugs Fixed ++++++++++ +- LP #978980: Protect views of ZPT source with 'View Management Screens' + permision. + - Make sure the generated classes for simple browser pages (SimpleViewClasses) have a str __name__. See LP #1129030. Modified: Zope/trunk/src/Products/PageTemplates/ZopePageTemplate.py =================================================================== --- Zope/trunk/src/Products/PageTemplates/ZopePageTemplate.py 2013-02-19 20:25:29 UTC (rev 129487) +++ Zope/trunk/src/Products/PageTemplates/ZopePageTemplate.py 2013-02-19 20:31:04 UTC (rev 129488) @@ -52,6 +52,8 @@ class Src(Explicit): """ I am scary code """ + security = ClassSecurityInfo() + security.declareObjectProtected(view_management_screens) PUT = document_src = Acquired index_html = None @@ -64,6 +66,8 @@ " " return self.document_src(REQUEST) +InitializeClass(Src) + class ZopePageTemplate(Script, PageTemplate, Historical, Cacheable, Traversable, PropertyManager): "Zope wrapper for Page Template using TAL, TALES, and METAL" Modified: Zope/trunk/src/Products/PageTemplates/tests/testZopePageTemplate.py =================================================================== --- Zope/trunk/src/Products/PageTemplates/tests/testZopePageTemplate.py 2013-02-19 20:25:29 UTC (rev 129487) +++ Zope/trunk/src/Products/PageTemplates/tests/testZopePageTemplate.py 2013-02-19 20:31:04 UTC (rev 129488) 
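Review bot: The added `security.declareObjectProtected(view_management_screens)` in `Src` has no comment saying what it guards, and the existing docstring (`I am scary code`) gives a maintainer nothing to go on. From the visible lines `Src.__call__` returns `self.document_src(REQUEST)`, so publishing this object hands out the template source. I would put `# Object-level guard: publishing Src returns the raw template source, so require 'View Management Screens'.` above the declaration and `# Required: applies the ClassSecurityInfo declarations above.` next to `InitializeClass(Src)`, since the declaration is not applied without that call. Both hunks show only part of the class and no import hunk is shown, so `ClassSecurityInfo`, `InitializeClass` and `view_management_screens` are presumably already imported in this module. The bug number also differs between the log message (LP #987980) and the CHANGES.rst entry (LP #978980); for a security fix the two should agree so the change can be traced.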
@@ -232,7 +232,8 @@ self.app.REQUEST.debug = DebugFlags() self.assertEqual(zpt.pt_render(), unicode('<div>foo</div>')) self.app.REQUEST.debug.showTAL = True - self.assertEqual(zpt.pt_render(), unicode('<div tal:content="string:foo">foo</div>')) + self.assertEqual(zpt.pt_render(), + unicode('<div tal:content="string:foo">foo</div>')) self.app.REQUEST.debug.sourceAnnotations = True self.assertEqual(zpt.pt_render().startswith(unicode('<!--')), True) 
@@ -478,6 +479,54 @@ pt.pt_render(source=True) self.assertEqual(pt.pt_errors(), None) +class SrcTests(unittest.TestCase): + + def _getTargetClass(self): + from Products.PageTemplates.ZopePageTemplate import Src + return Src + + def _makeOne(self, zpt=None): + if zpt is None: + zpt = self._makeTemplate() + zpt.test_src = self._getTargetClass()() + return zpt.test_src + + def _makeTemplate(self, id='test', source='<html/>'): + from Products.PageTemplates.ZopePageTemplate import ZopePageTemplate + return ZopePageTemplate(id, source) + + def test___before_publishing_traverse___wo__hacked_path(self): + src = self._makeOne() + request = DummyRequest() + src.__before_publishing_traverse__(None, request) + self.assertFalse('_hacked_path' in request.__dict__) + + def test___before_publishing_traverse___w__hacked_path_false(self): + src = self._makeOne() + request = DummyRequest() + request._hacked_path = False + src.__before_publishing_traverse__(None, request) + self.assertFalse(request._hacked_path) + + def test___before_publishing_traverse___w__hacked_path_true(self): + src = self._makeOne() + request = DummyRequest() + request._hacked_path = True + src.__before_publishing_traverse__(None, request) + self.assertFalse(request._hacked_path) + + def test___call__(self): + template = self._makeTemplate(source='TESTING') + src = self._makeOne(template) + request = DummyRequest() + response = object() + self.assertEqual(src(request, response), 'TESTING') + + +class DummyRequest(dict): + pass + + class DummyFileUpload: def __init__(self, data='', filename='', content_type=''): 
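Review bot: None of the new `SrcTests` cases checks the permission this commit introduces. They cover `__before_publishing_traverse__` and `__call__`, and `test___call__` invokes `src(request, response)` directly from unrestricted test code, so no access check is involved. If `security.declareObjectProtected(view_management_screens)` or the `InitializeClass(Src)` call were removed later, all four tests would still pass. I would add a case that pins the protection itself: for example, that a user without 'View Management Screens' is refused access to a `Src` instance, or at minimum that the initialized `Src` class is bound to that permission rather than left public.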
@@ -490,10 +539,12 @@ def test_suite(): - suite = unittest.makeSuite(ZPTRegressions) - suite.addTests(unittest.makeSuite(ZPTUtilsTests)) - suite.addTests(unittest.makeSuite(ZPTMacros)) - suite.addTests(unittest.makeSuite(ZopePageTemplateFileTests)) - suite.addTests(unittest.makeSuite(ZPTUnicodeEncodingConflictResolution)) - suite.addTests(unittest.makeSuite(PreferredCharsetUnicodeResolverTests)) - return suite + return unittest.TestSuite(( + unittest.makeSuite(ZPTRegressions), + unittest.makeSuite(ZPTUtilsTests), + unittest.makeSuite(ZPTMacros), + unittest.makeSuite(ZopePageTemplateFileTests), + unittest.makeSuite(ZPTUnicodeEncodingConflictResolution), + unittest.makeSuite(PreferredCharsetUnicodeResolverTests), + unittest.makeSuite(SrcTests), + )) _______________________________________________ Zope-Checkins maillist - Zope-Checkins@zope.org https://mail.zope.org/mailman/listinfo/zope-checkins