def test_prevents_bad_string_formatting_key(self):
    """Check that ``[index]`` lookups in format strings are access-checked.

    ``SafeFormatter.safe_format`` is exercised side by side with
    ``guarded_getitem`` on the same containers. The assertions expect the
    formatter to allow or refuse exactly the lookups the guard allows or
    refuses, so a format string cannot be used to read an item that a
    guarded item access would deny.
    """
    from AccessControl.safe_formatter import SafeFormatter
    from AccessControl.ZopeGuards import guarded_getitem
    from persistent.list import PersistentList

    # Builtin list holding a builtin value: the lookup is allowed.
    plain = ['bar']
    self.assertEqual(SafeFormatter('{0[0]}').safe_format(plain), 'bar')
    self.assertEqual(guarded_getitem(plain, 0), 'bar')

    # Same value inside a PersistentList: both paths must refuse.
    wrapped = PersistentList(plain)
    with self.assertRaises(Unauthorized):
        guarded_getitem(wrapped, 0)
    # Build the formatter outside the context manager so that only the
    # safe_format() call itself is expected to raise.
    formatter = SafeFormatter('{0[0]}')
    with self.assertRaises(Unauthorized):
        formatter.safe_format(wrapped)

    # Explicit opt-in on the container lifts the refusal for both paths.
    wrapped.__allow_access_to_unprotected_subobjects__ = 1
    self.assertEqual(guarded_getitem(wrapped, 0), 'bar')
    self.assertEqual(SafeFormatter('{0[0]}').safe_format(wrapped), 'bar')

    # Container of non-basic items: the checks run per item.
    folder = self._create_folder_with_mixed_contents()

    # Indexes 0 and 2 are expected to be the public items.
    public_first = SafeFormatter('{0[0]}').safe_format(folder)
    self.assertEqual(public_first, '<Item public1>')
    public_second = SafeFormatter('{0[2]}').safe_format(folder)
    self.assertEqual(public_second, '<Item public2>')

    # Index 1 is expected to be the private item and must be refused.
    private_formatter = SafeFormatter('{0[1]}')
    with self.assertRaises(Unauthorized):
        private_formatter.safe_format(folder)
def test_prevents_bad_string_formatting_key(self):
    """Verify that item access through a format string is guarded.

    Each container is read twice, once with ``guarded_getitem`` and once
    with ``SafeFormatter(...).safe_format``; the test expects the same
    outcome (value or ``Unauthorized``) from both.
    """
    from AccessControl.safe_formatter import SafeFormatter
    from AccessControl.ZopeGuards import guarded_getitem
    from persistent.list import PersistentList

    # Case 1: basic Python value in a basic Python list -> readable.
    basic_list = list(['bar'])
    formatted = SafeFormatter('{0[0]}').safe_format(basic_list)
    self.assertEqual(formatted, 'bar')
    fetched = guarded_getitem(basic_list, 0)
    self.assertEqual(fetched, 'bar')

    # Case 2: the same value in a non-basic list -> access is guarded.
    persistent_list = PersistentList(basic_list)
    self.assertRaises(Unauthorized, guarded_getitem, persistent_list, 0)
    guarded_format = SafeFormatter('{0[0]}').safe_format
    self.assertRaises(Unauthorized, guarded_format, persistent_list)

    # Case 3: the container explicitly allows unprotected subobjects.
    persistent_list.__allow_access_to_unprotected_subobjects__ = 1
    fetched = guarded_getitem(persistent_list, 0)
    self.assertEqual(fetched, 'bar')
    formatted = SafeFormatter('{0[0]}').safe_format(persistent_list)
    self.assertEqual(formatted, 'bar')

    # Case 4: non-basic items are checked individually.
    folder = self._create_folder_with_mixed_contents()

    # The public items can be formatted.
    readable = (
        ('{0[0]}', '<Item public1>'),
        ('{0[2]}', '<Item public2>'),
    )
    for template, expected in readable:
        self.assertEqual(SafeFormatter(template).safe_format(folder), expected)

    # The private item cannot.
    denied_format = SafeFormatter('{0[1]}').safe_format
    self.assertRaises(Unauthorized, denied_format, folder)