Log message for revision 129487: Forward-port fix for LP #978980 from 2.12 branch.
Changed: _U Zope/branches/2.13/ U Zope/branches/2.13/doc/CHANGES.rst U Zope/branches/2.13/src/Products/PageTemplates/ZopePageTemplate.py U Zope/branches/2.13/src/Products/PageTemplates/tests/testZopePageTemplate.py -=-
Modified: Zope/branches/2.13/doc/CHANGES.rst
===================================================================
--- Zope/branches/2.13/doc/CHANGES.rst 2013-02-19 18:22:27 UTC (rev 129486)
+++ Zope/branches/2.13/doc/CHANGES.rst 2013-02-19 20:25:29 UTC (rev 129487)
@@ -8,6 +8,9 @@
 2.13.20 (unreleased)
 --------------------
+- LP #978980: Protect views of ZPT source with 'View Management Screens'
+ permision.
+
 - Make sure the generated classes for simple browser pages (SimpleViewClasses) have a str __name__. See LP #1129030.
Modified: Zope/branches/2.13/src/Products/PageTemplates/ZopePageTemplate.py
===================================================================
--- Zope/branches/2.13/src/Products/PageTemplates/ZopePageTemplate.py 2013-02-19 18:22:27 UTC (rev 129486)
+++ Zope/branches/2.13/src/Products/PageTemplates/ZopePageTemplate.py 2013-02-19 20:25:29 UTC (rev 129487)
@@ -56,6 +56,8 @@
 class Src(Explicit):
 """ I am scary code """
+ security = ClassSecurityInfo()
+ security.declareObjectProtected(view_management_screens)
 PUT = document_src = Acquired
 index_html = None
@@ -68,6 +70,8 @@
 " "
 return self.document_src(REQUEST)
+InitializeClass(Src)
+
 class ZopePageTemplate(Script, PageTemplate, Historical, Cacheable, Traversable, PropertyManager):
 "Zope wrapper for Page Template using TAL, TALES, and METAL"
Modified: Zope/branches/2.13/src/Products/PageTemplates/tests/testZopePageTemplate.py
===================================================================
--- Zope/branches/2.13/src/Products/PageTemplates/tests/testZopePageTemplate.py 2013-02-19 18:22:27 UTC (rev 129486)
+++ Zope/branches/2.13/src/Products/PageTemplates/tests/testZopePageTemplate.py 2013-02-19 20:25:29 UTC (rev 129487)
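Review bot: In ZopePageTemplate.py the two lines added to `Src` at @@ -56,6 carry no comment saying what they guard, and the existing docstring `""" I am scary code """` does not help a later maintainer either. I would put `# Src publishes the raw template source (see document_src below); restrict the whole object to view_management_screens.` above them. The `InitializeClass(Src)` added at @@ -68,6 looks like the call that actually applies the declaration to the class, so a short comment there would keep it from being removed as dead code. `PUT` and `document_src` stay `Acquired`, so whatever protects them on the template itself is outside this diff and worth confirming. The body of `Src` continues outside both hunks.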
@@ -232,7 +232,8 @@
 self.app.REQUEST.debug = DebugFlags()
 self.assertEqual(zpt.pt_render(), unicode('<div>foo</div>'))
 self.app.REQUEST.debug.showTAL = True
- self.assertEqual(zpt.pt_render(), unicode('<div tal:content="string:foo">foo</div>'))
+ self.assertEqual(zpt.pt_render(),
+ unicode('<div tal:content="string:foo">foo</div>'))
 self.app.REQUEST.debug.sourceAnnotations = True
 self.assertEqual(zpt.pt_render().startswith(unicode('<!--')), True)
@@ -483,6 +484,54 @@
 pt.pt_render(source=True)
 self.assertEqual(pt.pt_errors(), None)
+class SrcTests(unittest.TestCase):
+
+ def _getTargetClass(self):
+ from Products.PageTemplates.ZopePageTemplate import Src
+ return Src
+
+ def _makeOne(self, zpt=None):
+ if zpt is None:
+ zpt = self._makeTemplate()
+ zpt.test_src = self._getTargetClass()()
+ return zpt.test_src
+
+ def _makeTemplate(self, id='test', source='<html/>'):
+ from Products.PageTemplates.ZopePageTemplate import ZopePageTemplate
+ return ZopePageTemplate(id, source)
+
+ def test___before_publishing_traverse___wo__hacked_path(self):
+ src = self._makeOne()
+ request = DummyRequest()
+ src.__before_publishing_traverse__(None, request)
+ self.assertFalse('_hacked_path' in request.__dict__)
+
+ def test___before_publishing_traverse___w__hacked_path_false(self):
+ src = self._makeOne()
+ request = DummyRequest()
+ request._hacked_path = False
+ src.__before_publishing_traverse__(None, request)
+ self.assertFalse(request._hacked_path)
+
+ def test___before_publishing_traverse___w__hacked_path_true(self):
+ src = self._makeOne()
+ request = DummyRequest()
+ request._hacked_path = True
+ src.__before_publishing_traverse__(None, request)
+ self.assertFalse(request._hacked_path)
+
+ def test___call__(self):
+ template = self._makeTemplate(source='TESTING')
+ src = self._makeOne(template)
+ request = DummyRequest()
+ response = object()
+ self.assertEqual(src(request, response), 'TESTING')
+
+
+class DummyRequest(dict):
+ pass
+
+
 class DummyFileUpload:
 def __init__(self, data='', filename='', content_type=''):
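Review bot: None of the four `SrcTests` cases checks the permission that this commit introduces; they cover `__before_publishing_traverse__` and `__call__` only, so they would presumably still pass if `security.declareObjectProtected(view_management_screens)` or `InitializeClass(Src)` were taken out again. A regression test for LP #978980 should assert the protection itself, for example that the initialized `Src` class is bound to `view_management_screens` at object level, or that access without that permission is refused. `_makeOne` would also benefit from a comment such as `# store on the template and read back, so Src has a parent to acquire document_src from`, assuming that is why the instance is assigned to `zpt.test_src` first.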
@@ -495,10 +544,12 @@
 def test_suite():
- suite = unittest.makeSuite(ZPTRegressions)
- suite.addTests(unittest.makeSuite(ZPTUtilsTests))
- suite.addTests(unittest.makeSuite(ZPTMacros))
- suite.addTests(unittest.makeSuite(ZopePageTemplateFileTests))
- suite.addTests(unittest.makeSuite(ZPTUnicodeEncodingConflictResolution))
- suite.addTests(unittest.makeSuite(PreferredCharsetUnicodeResolverTests))
- return suite
+ return unittest.TestSuite((
+ unittest.makeSuite(ZPTRegressions),
+ unittest.makeSuite(ZPTUtilsTests),
+ unittest.makeSuite(ZPTMacros),
+ unittest.makeSuite(ZopePageTemplateFileTests),
+ unittest.makeSuite(ZPTUnicodeEncodingConflictResolution),
+ unittest.makeSuite(PreferredCharsetUnicodeResolverTests),
+ unittest.makeSuite(SrcTests),
+ ))
_______________________________________________ Zope-Checkins maillist - Zope-Checkins@zope.org https://mail.zope.org/mailman/listinfo/zope-checkins