def test_renameObjectByPaths_postonly(self):
from Products.PythonScripts.PythonScript import PythonScript
script = PythonScript('script')
script._filepath = 'script'
src = """context.plone_utils.renameObjectsByPaths(paths=['/plone/news'], new_ids=['news'], new_titles=['EVIL'], REQUEST=context.REQUEST)"""
script.write(src)
self.portal.evil = script
csrf_token = self._get_authenticator()
self.publish('/plone/evil', extra={'_authenticator': csrf_token}, request_method='POST')
self.assertEqual('News', self.portal.news.Title())
owner_basic = ptc.portal_owner + ':' + ptc.default_password
csrf_token = self._get_authenticator(owner_basic)
self.publish('/plone/evil', extra={'_authenticator': csrf_token}, basic=owner_basic)
self.assertEqual('News', self.portal.news.Title())
self.publish('/plone/evil', request_method='POST', extra={'_authenticator': csrf_token}, basic=owner_basic)
self.assertEqual('EVIL', self.portal.news.Title())
self.setRoles(['Manager'])
self.portal.news.setTitle('News')
self.portal.plone_utils.renameObjectsByPaths(paths=['/plone/news'], new_ids=['news'], new_titles=['EVIL'])
self.assertEqual('EVIL', self.portal.news.Title())
self.portal.news.setTitle('News')
self.setRoles(['Member'])
self.portal.plone_utils.renameObjectsByPaths(paths=['/plone/news'], new_ids=['news'], new_titles=['EVIL'])
self.assertEqual('News', self.portal.news.Title())
def test_renameObjectByPaths_postonly(self):
from Products.PythonScripts.PythonScript import PythonScript
script = PythonScript("script")
script._filepath = "script"
src = """context.plone_utils.renameObjectsByPaths(paths=['/plone/news'], new_ids=['news'], new_titles=['EVIL'], REQUEST=context.REQUEST)"""
script.write(src)
self.portal.evil = script
csrf_token = self._get_authenticator()
self.publish("/plone/evil", extra={"_authenticator": csrf_token}, request_method="POST")
self.assertEqual("News", self.portal.news.Title())
owner_basic = SITE_OWNER_NAME + ":" + SITE_OWNER_PASSWORD
csrf_token = self._get_authenticator(owner_basic)
self.publish("/plone/evil", extra={"_authenticator": csrf_token}, basic=owner_basic)
self.assertEqual("News", self.portal.news.Title())
self.publish("/plone/evil", request_method="POST", extra={"_authenticator": csrf_token}, basic=owner_basic)
self.assertEqual("EVIL", self.portal.news.Title())
self.setRoles(["Manager"])
self.portal.news.setTitle("News")
self.portal.plone_utils.renameObjectsByPaths(paths=["/plone/news"], new_ids=["news"], new_titles=["EVIL"])
self.assertEqual("EVIL", self.portal.news.Title())
self.portal.news.setTitle("News")
self.setRoles(["Member"])
self.portal.plone_utils.renameObjectsByPaths(paths=["/plone/news"], new_ids=["news"], new_titles=["EVIL"])
self.assertEqual("News", self.portal.news.Title())
def test_resource_registry_vector(self):
for vector in ('less-variables.js', 'less-modify.js'):
src = '''
class ctx:
def format(self, *args, **kwargs):
self.foo=context
return "foo"
context.portal_registry['plone.lessvariables']['foo'] = ctx()
context.portal_registry['plone.lessvariables']['bar'] = "{foo.foo.__class__}"
js = context.restrictedTraverse("%s")
return js()
''' % vector
from Products.PythonScripts.PythonScript import PythonScript
script = PythonScript('evil')
script._filepath = 'evil'
script.write(src)
self.portal.evil = script
output = self.publish('/plone/evil')
self.assertFalse(
'Products.CMFPlone.Portal.PloneSite' in output.body)
def test_resource_registry_vector(self):
for vector in ('less-variables.js', 'less-modify.js'):
src = '''
class ctx:
def format(self, *args, **kwargs):
self.foo=context
return "foo"
context.portal_registry['plone.lessvariables']['foo'] = ctx()
context.portal_registry['plone.lessvariables']['bar'] = "{foo.foo.__class__}"
js = context.restrictedTraverse("%s")
return js()
''' % vector
from Products.PythonScripts.PythonScript import PythonScript
script = PythonScript('evil')
script._filepath = 'evil'
script.write(src)
self.portal.evil = script
output = self.publish('/plone/evil')
self.assertFalse(
'Products.CMFPlone.Portal.PloneSite' in output.body)