Exemple #1
    def test_renameObjectByPaths_postonly(self):
        """Check when renameObjectsByPaths is allowed to change a title.

        A PythonScript that forwards ``context.REQUEST`` to
        ``renameObjectsByPaths`` is published under three conditions, then
        the method is called directly (no REQUEST) under two roles.  Only the
        owner-authenticated POST and the direct Manager call are expected to
        change the title of ``/plone/news``.
        """
        from Products.PythonScripts.PythonScript import PythonScript

        # Script body executed on publish; it hands the live request to the
        # method under test so request-based checks are exercised.
        script_body = """context.plone_utils.renameObjectsByPaths(paths=['/plone/news'], new_ids=['news'], new_titles=['EVIL'], REQUEST=context.REQUEST)"""
        evil_script = PythonScript('script')
        evil_script._filepath = 'script'
        evil_script.write(script_body)
        self.portal.evil = evil_script

        def current_title():
            return self.portal.news.Title()

        def rename_without_request():
            # Fresh argument lists on every call, as in a literal call site.
            self.portal.plone_utils.renameObjectsByPaths(
                paths=['/plone/news'],
                new_ids=['news'],
                new_titles=['EVIL'],
            )

        # 1. POST with a token but no credentials: nothing may change.
        token = self._get_authenticator()
        self.publish(
            '/plone/evil',
            extra={'_authenticator': token},
            request_method='POST',
        )
        self.assertEqual('News', current_title())

        # 2. Owner credentials, request method left at publish()'s default:
        #    still no change.
        owner_basic = ':'.join((ptc.portal_owner, ptc.default_password))
        token = self._get_authenticator(owner_basic)
        self.publish(
            '/plone/evil',
            extra={'_authenticator': token},
            basic=owner_basic,
        )
        self.assertEqual('News', current_title())

        # 3. Owner credentials and an explicit POST: the rename goes through.
        self.publish(
            '/plone/evil',
            request_method='POST',
            extra={'_authenticator': token},
            basic=owner_basic,
        )
        self.assertEqual('EVIL', current_title())

        # 4. Direct call as Manager (no REQUEST argument): rename succeeds.
        self.setRoles(['Manager'])
        self.portal.news.setTitle('News')
        rename_without_request()
        self.assertEqual('EVIL', current_title())
        self.portal.news.setTitle('News')

        # 5. Direct call as Member: the title must be left untouched.
        self.setRoles(['Member'])
        rename_without_request()
        self.assertEqual('News', current_title())
    def test_renameObjectByPaths_postonly(self):
        """Check when renameObjectsByPaths is allowed to change a title.

        The method is reached two ways: through a published PythonScript that
        passes ``context.REQUEST`` along, and through direct calls without a
        REQUEST.  The assertions pin which combinations of credentials,
        request method and role actually change the title of ``/plone/news``.
        """
        from Products.PythonScripts.PythonScript import PythonScript

        # Install a script at /plone/evil whose body forwards the live
        # request to renameObjectsByPaths.
        script = PythonScript("script")
        script._filepath = "script"
        src = """context.plone_utils.renameObjectsByPaths(paths=['/plone/news'], new_ids=['news'], new_titles=['EVIL'], REQUEST=context.REQUEST)"""
        script.write(src)
        self.portal.evil = script
        # Token obtained without credentials.
        # NOTE(review): _get_authenticator is defined elsewhere; presumably it
        # returns a CSRF authenticator value - confirm.
        csrf_token = self._get_authenticator()

        # POST with a token but no basic auth: the title must not change.
        self.publish("/plone/evil", extra={"_authenticator": csrf_token}, request_method="POST")
        self.assertEqual("News", self.portal.news.Title())

        # Repeat with the site owner's credentials and a token obtained for them.
        owner_basic = SITE_OWNER_NAME + ":" + SITE_OWNER_PASSWORD
        csrf_token = self._get_authenticator(owner_basic)
        # No request_method given (presumably publish() defaults to GET -
        # confirm): even the owner's request must leave the title alone.
        self.publish("/plone/evil", extra={"_authenticator": csrf_token}, basic=owner_basic)
        self.assertEqual("News", self.portal.news.Title())
        # Same credentials and token, but as an explicit POST: the rename is applied.
        self.publish("/plone/evil", request_method="POST", extra={"_authenticator": csrf_token}, basic=owner_basic)
        self.assertEqual("EVIL", self.portal.news.Title())

        # Direct call without REQUEST as Manager: the rename is applied.
        self.setRoles(["Manager"])
        self.portal.news.setTitle("News")
        self.portal.plone_utils.renameObjectsByPaths(paths=["/plone/news"], new_ids=["news"], new_titles=["EVIL"])
        self.assertEqual("EVIL", self.portal.news.Title())
        # Reset the title so the next assertion starts from a known state.
        self.portal.news.setTitle("News")

        # Direct call as Member: the title must stay unchanged, i.e. the
        # method does not rename content for this role.
        self.setRoles(["Member"])
        self.portal.plone_utils.renameObjectsByPaths(paths=["/plone/news"], new_ids=["news"], new_titles=["EVIL"])
        self.assertEqual("News", self.portal.news.Title())
Exemple #3
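    def test_resource_registry_vector(self):
        """Regression test: registry values must not leak the site object.

        For each of the two views, a restricted PythonScript stores an object
        with a custom ``format`` method and the string
        ``"{foo.foo.__class__}"`` in the ``plone.lessvariables`` registry
        record, then renders the view.  The response body must not contain
        the dotted class path of the site, which would show that the format
        string was expanded with attribute access into ``context``.
        """
        # Loop-invariant import, done once instead of once per vector.
        from Products.PythonScripts.PythonScript import PythonScript

        for vector in ('less-variables.js', 'less-modify.js'):
            # The script text is a fixed template; only the view name
            # (taken from the literal tuple above) is substituted.
            src = '''
class ctx:
  def format(self, *args, **kwargs):
    self.foo=context
    return "foo"

context.portal_registry['plone.lessvariables']['foo'] = ctx()
context.portal_registry['plone.lessvariables']['bar'] = "{foo.foo.__class__}"
js = context.restrictedTraverse("%s")
return js()
''' % vector
            script = PythonScript('evil')
            script._filepath = 'evil'
            script.write(src)
            self.portal.evil = script
            output = self.publish('/plone/evil')
            # assertNotIn reports the offending body on failure, unlike
            # assertFalse(x in y) which only reports "True is not false".
            # NOTE(review): assumes output.body is text comparable with a str
            # needle - confirm against the test harness.
            self.assertNotIn(
                'Products.CMFPlone.Portal.PloneSite',
                output.body,
                'site class leaked through %s' % vector)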
    def test_resource_registry_vector(self):
        """Ensure the LESS views do not expose the site class via the registry.

        A restricted script plants a crafted object and the format string
        ``"{foo.foo.__class__}"`` in ``plone.lessvariables`` and then renders
        each view; the dotted path of the site class must not appear in the
        published output.
        """
        leaked_marker = 'Products.CMFPlone.Portal.PloneSite'
        # Script text with a single %s slot for the view being traversed.
        script_template = '''
class ctx:
  def format(self, *args, **kwargs):
    self.foo=context
    return "foo"

context.portal_registry['plone.lessvariables']['foo'] = ctx()
context.portal_registry['plone.lessvariables']['bar'] = "{foo.foo.__class__}"
js = context.restrictedTraverse("%s")
return js()
'''
        view_names = ('less-variables.js', 'less-modify.js')
        for view_name in view_names:
            script_text = script_template % view_name
            from Products.PythonScripts.PythonScript import PythonScript
            evil_script = PythonScript('evil')
            evil_script._filepath = 'evil'
            evil_script.write(script_text)
            self.portal.evil = evil_script
            response = self.publish('/plone/evil')
            # The class path would only be present if the format string had
            # been expanded with access to the real context object.
            class_path_exposed = leaked_marker in response.body
            self.assertFalse(class_path_exposed)