def test_renameObjectByPaths_postonly(self):
    """Check when ``renameObjectsByPaths`` is allowed to retitle ``news``.

    A Python Script stored at ``/plone/evil`` calls
    ``renameObjectsByPaths`` with the current REQUEST.  The script is
    published three times with different credentials and HTTP methods.
    The method is then called directly under the Manager and Member roles.
    Only the owner's POST carrying an authenticator token, and the direct
    Manager call, are expected to change the title.
    """
    from Products.PythonScripts.PythonScript import PythonScript

    def current_title():
        # Fetch the object again on every check instead of caching it.
        return self.portal.news.Title()

    def rename_directly():
        # Direct Python call: no REQUEST argument is passed here.
        self.portal.plone_utils.renameObjectsByPaths(
            paths=['/plone/news'], new_ids=['news'], new_titles=['EVIL'])

    # Script body: forwards context.REQUEST so the request-based checks in
    # renameObjectsByPaths see the request that published the script.
    evil = PythonScript('script')
    evil._filepath = 'script'
    evil.write(
        "context.plone_utils.renameObjectsByPaths("
        "paths=['/plone/news'], new_ids=['news'], "
        "new_titles=['EVIL'], REQUEST=context.REQUEST)"
    )
    self.portal.evil = evil

    # 1. POST with a token obtained without credentials: title unchanged.
    anon_token = self._get_authenticator()
    self.publish(
        '/plone/evil',
        request_method='POST',
        extra={'_authenticator': anon_token},
    )
    self.assertEqual('News', current_title())

    # 2. Owner credentials and owner token, but no request_method is given,
    #    so publish() uses its default (presumably GET -- confirm).  The
    #    title must stay unchanged: valid credentials plus a valid token
    #    are not sufficient without POST.
    owner_credentials = ':'.join((ptc.portal_owner, ptc.default_password))
    owner_token = self._get_authenticator(owner_credentials)
    self.publish(
        '/plone/evil',
        basic=owner_credentials,
        extra={'_authenticator': owner_token},
    )
    self.assertEqual('News', current_title())

    # 3. Same credentials and token sent as POST: the rename goes through.
    self.publish(
        '/plone/evil',
        basic=owner_credentials,
        extra={'_authenticator': owner_token},
        request_method='POST',
    )
    self.assertEqual('EVIL', current_title())

    # 4. Direct call with the Manager role: allowed.
    self.setRoles(['Manager'])
    self.portal.news.setTitle('News')
    rename_directly()
    self.assertEqual('EVIL', current_title())

    # 5. Direct call with only the Member role: the title is left as-is.
    self.portal.news.setTitle('News')
    self.setRoles(['Member'])
    rename_directly()
    self.assertEqual('News', current_title())
def test_renameObjectByPaths_postonly(self):
    """Verify the request conditions under which the rename takes effect.

    The test installs a Python Script at ``/plone/evil`` that invokes
    ``renameObjectsByPaths`` with ``REQUEST=context.REQUEST``, then
    publishes it with varying credentials and HTTP methods.  It finishes
    with direct calls made under the Manager and Member roles.  The title
    of ``news`` is asserted after every step.
    """
    from Products.PythonScripts.PythonScript import PythonScript

    target_url = "/plone/evil"
    rename_args = "paths=['/plone/news'], new_ids=['news'], new_titles=['EVIL']"

    # The script passes the publishing request through to the API so that
    # its request-level protection is exercised.
    ttw_script = PythonScript("script")
    ttw_script._filepath = "script"
    ttw_script.write(
        "context.plone_utils.renameObjectsByPaths("
        + rename_args
        + ", REQUEST=context.REQUEST)"
    )
    self.portal.evil = ttw_script

    # Step 1: POST carrying a token fetched without credentials.
    # Expected: no rename.
    token = self._get_authenticator()
    self.publish(
        target_url, extra={"_authenticator": token}, request_method="POST"
    )
    self.assertEqual("News", self.portal.news.Title())

    # Step 2: site-owner credentials with a matching token, published
    # without request_method (publish() default, presumably GET -- confirm).
    # Expected: no rename, i.e. the token alone does not authorise a
    # state change outside POST.
    owner_auth = "{}:{}".format(SITE_OWNER_NAME, SITE_OWNER_PASSWORD)
    token = self._get_authenticator(owner_auth)
    self.publish(target_url, extra={"_authenticator": token}, basic=owner_auth)
    self.assertEqual("News", self.portal.news.Title())

    # Step 3: identical request sent as POST.  Expected: title changes.
    self.publish(
        target_url,
        request_method="POST",
        extra={"_authenticator": token},
        basic=owner_auth,
    )
    self.assertEqual("EVIL", self.portal.news.Title())

    # Steps 4 and 5: direct calls without a REQUEST.  The Manager role may
    # rename; the Member role must leave the title untouched.
    for roles, expected_title in ((["Manager"], "EVIL"), (["Member"], "News")):
        if roles == ["Manager"]:
            self.setRoles(roles)
            self.portal.news.setTitle("News")
        else:
            # Reset the title while the previous role is still in effect,
            # then drop privileges, matching the order of the original steps.
            self.portal.news.setTitle("News")
            self.setRoles(roles)
        self.portal.plone_utils.renameObjectsByPaths(
            paths=["/plone/news"], new_ids=["news"], new_titles=["EVIL"]
        )
        self.assertEqual(expected_title, self.portal.news.Title())
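def test_resource_registry_vector(self):
    """Check that the LESS resource views do not leak objects via format fields.

    For each view name, a Python Script stored at ``/plone/evil`` writes two
    entries into the ``plone.lessvariables`` registry record:

    * ``foo``: an object whose ``format`` method stores ``context`` on
      itself as ``foo``;
    * ``bar``: the text ``{foo.foo.__class__}``, a replacement field that
      reaches ``context`` through attribute access.

    The script then traverses to the view and returns its output.  The test
    asserts that the dotted class path of the portal does not appear in the
    published response body.
    """
    from Products.PythonScripts.PythonScript import PythonScript

    # Text that would show up if the replacement field had been expanded
    # against the script's context.
    leaked_marker = 'Products.CMFPlone.Portal.PloneSite'

    for vector in ('less-variables.js', 'less-modify.js'):
        src = '''
class ctx:
    def format(self, *args, **kwargs):
        self.foo=context
        return "foo"

context.portal_registry['plone.lessvariables']['foo'] = ctx()
context.portal_registry['plone.lessvariables']['bar'] = "{foo.foo.__class__}"
js = context.restrictedTraverse("%s")
return js()
''' % vector
        script = PythonScript('evil')
        script._filepath = 'evil'
        script.write(src)
        # Each iteration overwrites the script from the previous one.
        self.portal.evil = script
        output = self.publish('/plone/evil')
        # assertNotIn reports the offending body, and the message names the
        # view, so a regression in one of the two views is identifiable.
        self.assertNotIn(
            leaked_marker,
            output.body,
            'portal class leaked through %s' % vector,
        )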