def addTokenToUrl(url, req=None, manager=None): if not url: return url if req is None: req = getRequest() if req is None or not url.startswith(req.SERVER_URL): # only transforms urls to same site return url if getattr(req, 'environ', _default) is _default: # TestRequests have no environ. token = createToken(manager=manager) elif '_auth_token' not in req.environ: # Let's cache this value since this could be called # many times for one request. token = createToken(manager=manager) req.environ['_auth_token'] = token else: token = req.environ['_auth_token'] if '_authenticator' not in url: if '?' not in url: url += '?' else: url += '&' url += '_authenticator=' + token return url
def test_force_regenerate_sync_view(self): ''' Test we can regenerate existing previews ''' file1 = api.content.create(self.portal, id='file1', type='File', file=self.get_blob()) # the time of the original preview generation original_ids = self.get_preview_ids_for(file1) # Calling the view without the generate parameter will not force # The preview regeneration view = api.content.get_view( 'generate-previews-for-contents', self.portal, self.get_request({'_authenticator': createToken()})) self.assertEqual( self.get_preview_ids_for(file1), original_ids, ) # Adding a truish regenerate value to the request will view = api.content.get_view( 'generate-previews-for-contents', self.portal, self.get_request({ '_authenticator': createToken(), 'regenerate': True, })) view() self.assertNotEqual( self.get_preview_ids_for(file1), original_ids, )
def setUp(self): self.portal = self.layer['portal'] login(self.portal, TEST_USER_NAME) setRoles(self.portal, TEST_USER_ID, ['Manager']) self.portal.invokeFactory('Document', id="page", title="page") self.portal.page.reindexObject() self.request = TestRequest( environ={ 'HTTP_ACCEPT_LANGUAGE': 'en', 'REQUEST_METHOD': 'POST' }, form={ 'selection': '["' + IUUID(self.portal.page) + '"]', '_authenticator': createToken(), 'folder': '/' } ) self.request.REQUEST_METHOD = 'POST' alsoProvides(self.request, IAttributeAnnotatable) self.userList = json.dumps([{ 'id': 'one' }, { 'id': 'two' }])
def __call__(self, **kw): uid = self.request['uid'] payment = Payments(self.context).get('invoice') payment.succeed(self.request, uid) url = '{url}/@@invoiced?uid={uid}&_authenticator={token}'.format( url=self.context.absolute_url(), uid=uid, token=createToken()) self.request.response.redirect(url)
def get_options(self): site_url = success_url = self.context.absolute_url() if ISiteRoot.providedBy(self.context): success_url += '/@@dashboard' if 'came_from' in self.request.form: came_from = self.request.form['came_from'] try: url_tool = api.portal.get_tool('portal_url') except api.exc.CannotGetPortalError: url_tool = None if (came_from.startswith(site_url) and ( not url_tool or url_tool.isURLInPortal(came_from))): success_url = came_from if 'login' in success_url or 'logged_out' in success_url: success_url = site_url + '/@@dashboard' data = { 'supportedAuthSchemes': self.get_supported_auth_schemes(), 'twoFactorEnabled': self.two_factor_enabled, 'apiEndpoint': '{}/@@secure-login'.format(site_url), 'successUrl': success_url, 'additionalProviders': [] } try: data['authenticator'] = createToken() except ConnectionStateError: # zope root related issue here... pass return data
def setUp(self): self.portal = self.layer['portal'] login(self.portal, TEST_USER_NAME) setRoles(self.portal, TEST_USER_ID, ['Manager']) self.portal.invokeFactory( 'Folder', id="basefolder", title="Folder Base" ) self.bf = self.portal.basefolder self.bf.reindexObject() for idx in range(0, 5): newid = "f{0:}".format(idx) self.bf.invokeFactory( 'Folder', id=newid, # title in reverse order title="Folder {0:}".format(4-idx) ) self.bf[newid].reindexObject() self.env = {'HTTP_ACCEPT_LANGUAGE': 'en', 'REQUEST_METHOD': 'POST'} self.request = makerequest(self.layer['app']).REQUEST self.request.environ.update(self.env) self.request.form = { 'selection': '["' + IUUID(self.bf) + '"]', '_authenticator': createToken(), 'folder': '/basefolder' } self.request.REQUEST_METHOD = 'POST'
def get_chat_info(): try: frontpage = api.portal.get_registry_record( 'castle.rocket_chat_front_page') salt = api.portal.get_registry_record('castle.rocket_chat_secret') except InvalidParameterError: frontpage = None salt = '' if frontpage is None or salt == '': return if frontpage[-1] != '/': frontpage = frontpage + '/' url = frontpage.replace('http://', 'ws://') url = url + 'websocket' current = api.user.get_current() base_url = api.portal.get().absolute_url() return { 'url': url, 'base_url': base_url, 'frontpage': frontpage, 'token': createToken(salt), 'user': getattr(current, 'id', ''), 'email': current.getProperty('email') }
def setUp(self): self.portal = self.layer['portal'] login(self.portal, TEST_USER_NAME) setRoles(self.portal, TEST_USER_ID, ['Manager']) self.portal.invokeFactory('Document', id="page", title="page") self.portal.page.reindexObject() self.request = TestRequest(environ={ 'HTTP_ACCEPT_LANGUAGE': 'en', 'REQUEST_METHOD': 'POST' }, form={ 'selection': '["' + IUUID(self.portal.page) + '"]', '_authenticator': createToken(), 'folder': '/' }) self.request.REQUEST_METHOD = 'POST' # Mock physicalPathFromURL # NOTE: won't return the right path in virtual hosting environments self.request.physicalPathFromURL = lambda url: urlparse( url).path.split('/') # noqa alsoProvides(self.request, IAttributeAnnotatable) self.userList = 'one,two'
def setUp(self): self.portal = self.layer['portal'] login(self.portal, TEST_USER_NAME) setRoles(self.portal, TEST_USER_ID, ['Manager']) self.portal.invokeFactory('Document', id="page", title="page") self.portal.page.reindexObject() self.request = TestRequest( environ={ 'HTTP_ACCEPT_LANGUAGE': 'en', 'REQUEST_METHOD': 'POST' }, form={ 'selection': '["' + IUUID(self.portal.page) + '"]', '_authenticator': createToken(), 'folder': '/' } ) self.request.REQUEST_METHOD = 'POST' # Mock physicalPathFromURL # NOTE: won't return the right path in virtual hosting environments self.request.physicalPathFromURL = lambda url: urlparse(url).path.split('/') # noqa alsoProvides(self.request, IAttributeAnnotatable) self.userList = 'one,two'
def query_options(self): ''' The query string options for the bookmark action ''' options = { '_authenticator': createToken(), } return options
def __call__(self): if self.path[0] == 'view': # this is neutral, we just return the default content view # but it gives the opportunity to create specific pseudo views # via our Diazo rules.xml return self.context() self.request.response.setHeader('X-Theme-Disabled', '1') if self.path[-1].startswith('$'): # inject Diazo parent request path parent_path = self.request.PARENT_REQUEST['URL'].split('/') try: offset = int(self.path[-1][1:]) except ValueError: return "Bad Rapido url injection %s" % self.path[-1] index = parent_path.index('@@rapido') self.path = self.path[:-1] + parent_path[index + offset:] if len(self.path) == 2 and self.path[1] == '_log': messages = self.get_app_messages() self.request.response.setHeader('content-type', 'application/json') return json.dumps(messages, cls=PythonObjectEncoder) if "application/json" in self.request.getHeader('Accept', ''): result = self.json() if len(self.path) == 1: self.request.response.setHeader('X-CSRF-TOKEN', createToken()) self.request.response.setHeader('content-type', 'application/json') return json.dumps(result, cls=PythonObjectEncoder) else: result = self.content() return result
def test_delete_wrong_object_by_acquisition(self): page_id = self.portal.page.id f1 = self.portal.invokeFactory('Folder', id="f1", title="folder one") # created a nested page with the same id as the one at the site root p1 = self.portal[f1].invokeFactory('Document', id=page_id, title="page") self.assertEquals(p1, page_id) request2 = self.make_request() # both pages exist before we delete on for location in [self.portal, self.portal[f1]]: self.assertTrue(p1 in location) # instantiate two different views and delete the same object with each from plone.app.content.browser.contents.delete import DeleteActionView object_uuid = IUUID(self.portal[f1][p1]) for req in [self.request, request2]: req.form = { 'selection': '["{}"]'.format(object_uuid), '_authenticator': createToken(), 'folder': '/{}/'.format(f1) } view = DeleteActionView(self.portal, req) view() # the root page exists, the nested one is gone self.assertTrue(p1 in self.portal) self.assertFalse(p1 in self.portal[f1])
def morphVersionDataToHistoryFormat(vdata, version_id): meta = vdata["metadata"]["sys_metadata"] userid = meta["principal"] token = createToken() preview_url = \ "%s/versions_history_form?version_id=%s&_authenticator=%s#version_preview" % ( # noqa context_url, version_id, token ) info = dict( type='versioning', action=_(u"Edited"), transition_title=_(u"Edited"), actorid=userid, time=meta["timestamp"], comments=meta['comment'], version_id=version_id, preview_url=preview_url, ) if can_diff: if version_id > 0: info["diff_previous_url"] = ( "%s/@@history?one=%s&two=%s&_authenticator=%s" % (context_url, version_id, version_id - 1, token)) if not rt.isUpToDate(context, version_id): info["diff_current_url"] = ( "%s/@@history?one=current&two=%s&_authenticator=%s" % (context_url, version_id, token)) if can_revert: info["revert_url"] = "%s/revertversion" % context_url else: info["revert_url"] = None info.update(self.getUserInfo(userid)) return info
def test_custom_value_for_height_calculation_method(self, browser): """ Test setting a custom value for the height calculation method. """ block = create(Builder('iframe block') .having(url=u'http://www.google.com') .having(auto_size=True) .within(create(Builder('sl content page')))) browser.append_request_header('X-CSRF-TOKEN', createToken()) browser.login() # Edit the block and customize the height calculation method. browser.visit(block, view='edit.json') response = browser.json browser.parse(response['content']) browser.fill({ 'Height calculation method': 'documentElementOffset', }) browser.find_button_by_label('Save').click() # The value has been set. view = block.restrictedTraverse('@@block_view') self.assertEqual( u'documentElementOffset', view.height_calculation_method )
def setUp(self): self.portal = self.layer['portal'] login(self.portal, TEST_USER_NAME) setRoles(self.portal, TEST_USER_ID, ['Manager']) self.portal.invokeFactory('Folder', id="basefolder", title="Folder Base") self.bf = self.portal.basefolder self.bf.reindexObject() for idx in range(0, 5): newid = "f{0:}".format(idx) self.bf.invokeFactory( 'Folder', id=newid, # title in reverse order title="Folder {0:}".format(4 - idx)) self.bf[newid].reindexObject() self.env = {'HTTP_ACCEPT_LANGUAGE': 'en', 'REQUEST_METHOD': 'POST'} self.request = makerequest(self.layer['app']).REQUEST self.request.environ.update(self.env) self.request.form = { 'selection': '["' + IUUID(self.bf) + '"]', '_authenticator': createToken(), 'folder': '/basefolder' } self.request.REQUEST_METHOD = 'POST'
def transform(self, result, encoding): result = self.parseTree(result, encoding) if result is None: return None root = result.tree.getroot() url = urlparse(self.request.URL) try: token = createToken(manager=self.key_manager) except ComponentLookupError: if self.site is not None: logger.warn( 'Keyring not found on site. This should not happen', exc_info=True ) return result for form in root.cssselect('form'): # XXX should we only do POST? If we're logged in and # it's an internal form, I'm inclined to say no... # method = form.attrib.get('method', 'GET').lower() # if method != 'post': # continue # some get forms we definitely do not want to protect. # for now, we know search we do not want to protect method = form.attrib.get('method', 'GET').lower() action = form.attrib.get('action', '').strip() if method == 'get' and '@@search' in action: continue action = form.attrib.get('action', '').strip() if not self.isActionInSite(action, url): continue # check if the token is already on the form.. hidden = form.cssselect('[name="_authenticator"]') if len(hidden) == 0: hidden = etree.Element("input") hidden.attrib['name'] = '_authenticator' hidden.attrib['type'] = 'hidden' hidden.attrib['value'] = token form.append(hidden) if self.site is not None and not root.cssselect('#protect-script'): # Alternative: add this in the resource registry. site_url = self.site.absolute_url() elements = root.cssselect('body') if len(elements): body = elements[0] protect_script = etree.Element("script") protect_script.attrib.update({ 'type': "application/javascript", 'src': "%s/++resource++protect.js" % site_url, 'data-site-url': site_url, 'data-token': token, 'id': 'protect-script' }) body.append(protect_script) return result
def reject_url(self): can_review = api.user.has_permission("Review portal content", obj=self.context) if not can_review: return "" return "{context_url}/content_status_modify?workflow_action=refuse&_authenticator={token}".format( # noqa context_url=self.context.absolute_url(), token=createToken())
def site_config(self): return json.dumps({ "actionUrl": "%s/++sitelayout++/custom/@@plone.resourceeditor.filemanager-actions" % ( # noqa self.context.absolute_url()), "uploadUrl": "%s/portal_resources/sitelayout/custom/themeFileUpload?_authenticator=%s" % ( # noqa self.context.absolute_url(), createToken()) })
def site_config(self): return json.dumps({ 'actionUrl': ('{0}/++sitelayout++/custom/' '@@plone.resourceeditor.filemanager-actions'.format( self.context.absolute_url())), 'uploadUrl': ('{0}/portal_resources/sitelayout/custom/' 'themeFileUpload?_authenticator={1}'.format( self.context.absolute_url(), createToken())), })
def __call__(self): soup = self.context.get_soup() columns = self.columns() aaData = list() length, lazydata = self._query(soup) # XXX Todo html from template if PLONE_PROTECT: token = createToken() url = self.context.absolute_url() html = '<a href="#" data-iid="%(iid)s" class="pfgsoup-edit">edit</a> ' html += '<a href="%(url)s/pfgsoupdel?iid=%(iid)s&_authenticator=%(token)s" class="pfgsoup-delete">remove</a> ' html += ( '<a href="%(url)s/@@pfgsouplog?iid=%(iid)s&_authenticator=%(token)s" ' 'class="pfgsoup-log">log</a>') else: url = self.context.absolute_url() html = '<a href="#" data-iid="%(iid)s" class="pfgsoup-edit">edit</a> ' html += '<a href="%(url)s/pfgsoupdel?iid=%(iid)s" class="pfgsoup-delete">remove</a> ' html += ('<a href="%(url)s/@@pfgsouplog?iid=%(iid)s" ' 'class="pfgsoup-log">log</a>') def record2list(record): result = list() for colname in columns: value = record.attrs.get(colname, '') if isinstance(value, list): value = ', '.join(value) elif isinstance(value, datetime.datetime): value = value.isoformat() elif isinstance(value, dict): value = ', '.join([str(_) for _ in value.items]) try: json.dumps(value) except TypeError: value = str(value) result.append(value) if PLONE_PROTECT: result.append(html % { 'iid': record.intid, 'url': url, 'token': token }) else: result.append(html % {'iid': record.intid, 'url': url}) return result for lazyrecord in self._slice(lazydata): aaData.append(record2list(lazyrecord())) data = { "sEcho": int(self.request.form['sEcho']), "iTotalRecords": soup.storage.length.value, "iTotalDisplayRecords": length, "aaData": aaData, } self.request.response.setHeader("Content-type", "application/json") return json.dumps(data)
def getRequest(self, form={}, authentic=False): if authentic: form['_authenticator'] = createToken() req = TestRequest(form=form, environ={ 'SERVER_URL': 'http://nohost', 'HTTP_HOST': 'nohost' }) alsoProvides(req, IAttributeAnnotatable) return req
def auth(context, request): """ Authenticate """ if ploneapi.user.is_anonymous(): request.response.setStatus(401) request.response.setHeader('WWW-Authenticate', 'basic realm="JSONAPI AUTH"', 1) else: request.response.setHeader('X-CSRF-TOKEN', createToken()) return {}
def __call__(self, **kw): uid = self.request['uid'] payment = Payments(self.context).get('invoice') payment.succeed(self.request, uid) url = '{url}/@@pay_invoice_done?uid={uid}&_authenticator={token}'.format( url=self.context.absolute_url(), uid=uid, token=createToken() ) self.request.response.redirect(url)
def setUp(self): """Custom shared utility setup for tests.""" self.portal = self.layer["portal"] self.request = self.layer["request"] setRoles(self.portal, TEST_USER_ID, ["Manager"]) self.migration_view = api.content.get_view(name="data-migration", context=self.portal, request=self.request) self.request.form["_authenticator"] = createToken() api.content.delete(objects=self.portal.listFolderContents())
def testPrepareObjectTabsDefaultView(self): self._invalidateRequestMemoizations() self.loginAsPortalOwner() self.app.REQUEST['ACTUAL_URL'] = '%s/edit?_authenticator=%s' % ( self.folder.test.absolute_url(), auth.createToken()) view = ContentViewsViewlet(self.folder.test, self.app.REQUEST, None) tabs = view.prepareObjectTabs() self.assertEqual(0, len([t for t in tabs if t['id'] == 'folderContents'])) self.assertEqual(['edit'], [t['id'] for t in tabs if t['selected']])
def bulk_upload_url(self): params = { '_authenticator': createToken(), } if self.autotag_bulk_uploaded: params['groupname'] = self.current_label return '{url}/workspaceFileUpload?{qs}'.format( url=self.context.absolute_url(), qs=urlencode(params), )
def __call__(self): base_url = api.portal.get().absolute_url() order_uid = self.request['uid'] logger.info('Start') try: data = IPaymentData(self.context).data(order_uid) dps_parms = DPSConfig() req = dps.GenerateRequest() req.PxPayUserId = dps_parms.PxPayUserId req.PxPayKey = dps_parms.PxPayKey req.AmountInput = "%0.2f" % (float(data['amount']) / 100.0) req.CurrencyInput = data['currency'] req.MerchantReference = data['ordernumber'] req.TxnData1 = 'IPurchaseProcess' req.TxnData2 = order_uid req.add_txn_parameters(ordernumber=data['ordernumber']) if not api.user.is_anonymous(): req.add_txn_parameters( member_id=api.user.get_current().getMemberId()) req.TxnType = 'Purchase' req.UrlSuccess = '{base_url}/{view}?_authenticator={token}'.format( view='@@pxpay_payment_success', base_url=base_url, token=createToken() ) req.UrlFail = '%s/@@pxpay_payment_failed' % base_url logger.info("Auth: %s" % req) result = req.getResponse() logger.info(result) if not result.valid: logger.info("Auth Error: %s" % result) raise PxPayError('Problem Initialising Payment') redirect_url = result.URI except Exception, e: logger.error(u"Could not initialize payment: '%s'" % str(e)) redirect_url = ('{base_url}/{view}?' 'uid={order_uid}_authenticator={token}').format( view='@@pxpay_payment_failed', base_url=base_url, order_uid=order_uid, token=createToken() )
def test_set1(self): self._invalidateRequestMemoizations() self.loginAsPortalOwner() self.app.REQUEST['ACTUAL_URL'] = '%s/edit?_authenticator=%s' % ( self.folder.test.absolute_url(), auth.createToken()) view = ContentViewsViewlet(self.folder.test, self.app.REQUEST, None) view.update() self.assertEqual( 1, len([t for t in view.tabSet1 if t['id'] == 'folderContents'])) self.assertEqual(['edit'], [t['id'] for t in view.tabSet1 if t['selected']])
def test_renaming_object_via_folder_contents_rename_action(self, browser): self.grant('Manager') folder = create(Builder('folder').titled(u'Folder')) with freeze(datetime(2018, 1, 2, 3, 4, 5)): page = create(Builder('page').titled(u'The Page').within(folder)) self.assertEquals(0, IQueue(self.portal).countJobs()) form_data = {} form_data['_authenticator'] = createToken() form_data['UID_1'] = IUUID(page) form_data['newid_1'] = 'new_id' form_data['newtitle_1'] = u'Ch\xe4nged title' browser.login().visit(folder, view='@@fc-rename', data=form_data) self.assertEquals(1, IQueue(self.portal).countJobs()) job, = IQueue(self.portal).getJobs() self.assertEquals('move', job.action) data = job.getData() self.assertTrue(data) self.maxDiff = None expected = { u'utf8:metadata': { u'utf8:UID': u'utf8:testrenamingobjectviafolde000002', u'utf8:action': u'utf8:move', u'utf8:id': u'utf8:new_id', u'utf8:modified': u'utf8:2018/01/02 03:04:05 GMT+1', u'utf8:physicalPath': u'utf8:/folder/new_id', u'utf8:portal_type': u'utf8:Document', u'utf8:review_state': u'utf8:', u'utf8:sibling_positions': { u'utf8:new_id': 0 } }, u'utf8:move': { u'utf8:newName': u'utf8:new_id', u'utf8:newParent': u'utf8:/folder', u'utf8:newTitle': u'unicode:Ch\xe4nged title', u'utf8:oldName': u'utf8:the-page', u'utf8:oldParent': u'utf8:/folder' } } if IS_AT_LEAST_PLONE_5_1: expected[u'utf8:metadata'][u'utf8:modified'] = u'utf8:{}'.format( str(page.modified()).decode('utf-8')) self.assertEquals(expected, json.loads(data))
def update(self): self.site = api.portal.get() self.folder = self.context_state.folder() self.user = api.user.get_current() self.csrf_token = createToken() self.registry = getUtility(IRegistry) self.pactions = api.portal.get_tool('portal_actions') self.econtext = createExprContext( self.folder, self.site, self.real_context)
def testSet1(self): self._invalidateRequestMemoizations() self.loginAsPortalOwner() self.app.REQUEST['ACTUAL_URL'] = '%s/edit?_authenticator=%s' % ( self.folder.test.absolute_url(), auth.createToken() ) view = ContentViewsViewlet(self.folder.test, self.app.REQUEST, None) view.update() self.assertEqual(1, len([t for t in view.tabSet1 if t[ 'id'] == 'folderContents'])) self.assertEqual(['edit'], [t['id'] for t in view.tabSet1 if t['selected']])
def test_store_save_simplelayout_state_thru_view(self, browser): payload = {"data": json.dumps(self.payload)} if IS_PLONE_5: from plone.protect.authenticator import createToken payload["_authenticator"] = createToken() browser.login().visit(self.container, view='sl-ajax-save-state-view', data=payload) browser.visit(self.container) self.assertEquals(self.payload, self.page_config.load())
def __call__(self): soup = self.context.get_soup() columns = self.columns() aaData = list() length, lazydata = self._query(soup) # XXX Todo html from template if PLONE_PROTECT: token = createToken() url = self.context.absolute_url() html = '<a href="#" data-iid="%(iid)s" class="pfgsoup-edit">edit</a> ' html += '<a href="%(url)s/pfgsoupdel?iid=%(iid)s&_authenticator=%(token)s" class="pfgsoup-delete">remove</a> ' html += ('<a href="%(url)s/@@pfgsouplog?iid=%(iid)s&_authenticator=%(token)s" ' 'class="pfgsoup-log">log</a>') else: url = self.context.absolute_url() html = '<a href="#" data-iid="%(iid)s" class="pfgsoup-edit">edit</a> ' html += '<a href="%(url)s/pfgsoupdel?iid=%(iid)s" class="pfgsoup-delete">remove</a> ' html += ('<a href="%(url)s/@@pfgsouplog?iid=%(iid)s" ' 'class="pfgsoup-log">log</a>') def record2list(record): result = list() for colname in columns: value = record.attrs.get(colname, '') if isinstance(value, list): value = ', '.join(value) elif isinstance(value, datetime.datetime): value = value.isoformat() elif isinstance(value, dict): value = ', '.join([str(_) for _ in value.items]) try: json.dumps(value) except TypeError: value = str(value) result.append(value) if PLONE_PROTECT: result.append(html % {'iid': record.intid, 'url': url, 'token': token}) else: result.append(html % {'iid': record.intid, 'url': url}) return result for lazyrecord in self._slice(lazydata): aaData.append(record2list(lazyrecord())) data = { "sEcho": int(self.request.form['sEcho']), "iTotalRecords": soup.storage.length.value, "iTotalDisplayRecords": length, "aaData": aaData, } self.request.response.setHeader("Content-type", "application/json") return json.dumps(data)
def setUp(self): """Custom shared utility setup for tests.""" self.portal = self.layer['portal'] setRoles(self.portal, TEST_USER_ID, ['Manager']) self.installer = api.portal.get_tool('portal_quickinstaller') self.request = self.layer['request'] # Disable plone.protect for these tests self.request.form['_authenticator'] = createToken() # Eventuelly you find this also useful self.request.environ['REQUEST_METHOD'] = 'POST' self.tune = api.content.create( type='tune', title='tune', container=self.portal)
def test_password_reset_password_does_not_match(self): registry = getUtility(IRegistry) registry['plone.two_factor_enabled'] = False login(self.portal, TEST_USER_NAME) self.request.form.update({ 'apiMethod': 'set_password', 'username': TEST_USER_NAME, 'existing_password': '******', 'new_password': '******', '_authenticator': createToken() }) view = SecureLoginView(self.portal, self.request) result = json.loads(view()) self.assertFalse(result['success'])
def test_add_to_portal_root_save(self): browser = Browser(self.layer['app']) browser.handleErrors = False # Login browser.open(self.portal.absolute_url() + '/login') browser.getControl(name='__ac_name').value = TEST_USER_NAME browser.getControl(name='__ac_password').value = TEST_USER_PASSWORD browser.getControl('Log in').click() # Enter the add screen for a temporary # portal_factory-managed object browser.open( '{}/portal_factory/Document/document.2010-02-04.2866363923/edit?_authenticator={}'.format( # noqa self.portal.absolute_url(), createToken())) # We should now have cookies with the drafts information cookies = browser.cookies.forURL(browser.url) self.assertEqual( '"/plone/portal_factory/Document/document.2010-02-04.2866363923"', # noqa cookies['plone.app.drafts.path'], ) self.assertEqual( '"0%3ADocument"', cookies['plone.app.drafts.targetKey'], ) self.assertNotIn( 'plone.app.drafts.draftName', browser.cookies.forURL(browser.url), ) # We can now fill in the required fields and save. # The cookies should expire. browser.getControl(name='title').value = u'New document' browser.getControl(name='form.button.save').click() self.assertNotIn( 'plone.app.drafts.targetKey', browser.cookies.forURL(browser.url), ) self.assertNotIn( 'plone.app.drafts.path', browser.cookies.forURL(browser.url), ) self.assertNotIn( 'plone.app.drafts.draftName', browser.cookies.forURL(browser.url), )
def test_add_to_portal_root_save(self): browser = Browser(self.layer['app']) browser.handleErrors = False # Login browser.open(self.portal.absolute_url() + '/login') browser.getControl(name='__ac_name').value = TEST_USER_NAME browser.getControl(name='__ac_password').value = TEST_USER_PASSWORD browser.getControl('Log in').click() # Enter the add screen for a temporary # portal_factory-managed object browser.open( '{}/portal_factory/Document/document.2010-02-04.2866363923/edit?_authenticator={}' .format( # noqa self.portal.absolute_url(), createToken())) # We should now have cookies with the drafts information cookies = browser.cookies.forURL(browser.url) self.assertEqual( '"/plone/portal_factory/Document/document.2010-02-04.2866363923"', # noqa cookies['plone.app.drafts.path'], ) self.assertEqual( '"0%3ADocument"', cookies['plone.app.drafts.targetKey'], ) self.assertNotIn( 'plone.app.drafts.draftName', browser.cookies.forURL(browser.url), ) # We can now fill in the required fields and save. # The cookies should expire. browser.getControl(name='title').value = u'New document' browser.getControl(name='form.button.save').click() self.assertNotIn( 'plone.app.drafts.targetKey', browser.cookies.forURL(browser.url), ) self.assertNotIn( 'plone.app.drafts.path', browser.cookies.forURL(browser.url), ) self.assertNotIn( 'plone.app.drafts.draftName', browser.cookies.forURL(browser.url), )
def update(self): self.site = api.portal.get() self.context_state = getMultiAdapter( (aq_inner(self.real_context), self.request), name=u'plone_context_state') self.folder = self.context_state.folder() self.user = api.user.get_current() self.csrf_token = createToken() self.registry = getUtility(IRegistry) self.pactions = api.portal.get_tool('portal_actions') self.econtext = createExprContext(self.folder, self.site, self.real_context)
def setUp(self): super(BaseTestCase, self).setUp() # Fixing CSRF protection # https://github.com/plone/plone.protect/#fixing-csrf-protection-failures-in-tests self.request = self.layer["request"] # Disable plone.protect for these tests self.request.form["_authenticator"] = createToken() # Eventuelly you find this also useful self.request.environ["REQUEST_METHOD"] = "POST" setRoles(self.portal, TEST_USER_ID, ["LabManager", "Manager"]) # Default skin is set to "Sunburst Theme"! # => This causes an `AttributeError` when we want to access # e.g. 'guard_handler' FSPythonScript self.portal.changeSkin("Plone Default")
def site_config(self): return json.dumps({ 'actionUrl': ( '{0}/++sitelayout++/custom/' '@@plone.resourceeditor.filemanager-actions'.format( self.context.absolute_url() ) ), 'uploadUrl': ( '{0}/portal_resources/sitelayout/custom/' 'themeFileUpload?_authenticator={1}'.format( self.context.absolute_url(), createToken() ) ), })
def setUp(self): self.portal = self.layer['portal'] login(self.portal, TEST_USER_NAME) setRoles(self.portal, TEST_USER_ID, ['Manager']) self.portal.invokeFactory('Document', id="page", title="page") self.portal.page.reindexObject() self.env = {'HTTP_ACCEPT_LANGUAGE': 'en', 'REQUEST_METHOD': 'POST'} self.request = makerequest(self.layer['app']).REQUEST self.request.environ.update(self.env) self.request.form = { 'selection': '["' + IUUID(self.portal.page) + '"]', '_authenticator': createToken(), 'folder': '/' } self.request.REQUEST_METHOD = 'POST'
def setUp(self): """Custom shared utility setup for tests.""" self.portal = self.layer["portal"] self.request = self.layer["request"] setRoles(self.portal, TEST_USER_ID, ["Manager"]) # enable blocks behavior fti = queryUtility(IDexterityFTI, name="Document") behaviors = [x for x in fti.behaviors] behaviors.append("volto.blocks") fti.behaviors = tuple(behaviors) migration_view = api.content.get_view(name="data-migration", context=self.portal, request=self.request) self.request.form["_authenticator"] = createToken() migration_view.do_migrate()
def test_add_to_folder(self): browser = Browser(self.layer['app']) browser.handleErrors = False uuid = IUUID(self.folder) # Login browser.open(self.portal.absolute_url() + '/login') browser.getControl(name='__ac_name').value = TEST_USER_NAME browser.getControl(name='__ac_password').value = TEST_USER_PASSWORD browser.getControl('Log in').click() # Enter the add screen for a temporary # portal_factory-managed object browser.open( '{}/portal_factory/Document/document.2010-02-04.2866363923/edit?_authenticator={}' .format( # noqa self.folder.absolute_url(), createToken())) # We should now have cookies with the drafts information cookies = browser.cookies.forURL(browser.url) path = '"{0}/portal_factory/Document/document.2010-02-04.2866363923"' # noqa self.assertEqual( path.format(self.folder.absolute_url_path()), cookies['plone.app.drafts.path'], ) self.assertEqual( '"{0}%3ADocument"'.format(uuid), cookies['plone.app.drafts.targetKey'], ) self.assertNotIn( 'plone.app.drafts.draftName', browser.cookies.forURL(browser.url), ) # We can now cancel the edit. The cookies should expire. browser.getControl(name='form.button.cancel').click() self.assertNotIn( 'plone.app.drafts.targetKey', browser.cookies.forURL(browser.url), ) self.assertNotIn( 'plone.app.drafts.path', browser.cookies.forURL(browser.url), )
def test_add_to_folder(self): browser = Browser(self.layer['app']) browser.handleErrors = False uuid = IUUID(self.folder) # Login browser.open(self.portal.absolute_url() + '/login') browser.getControl(name='__ac_name').value = TEST_USER_NAME browser.getControl(name='__ac_password').value = TEST_USER_PASSWORD browser.getControl('Log in').click() # Enter the add screen for a temporary # portal_factory-managed object browser.open( '{}/portal_factory/Document/document.2010-02-04.2866363923/edit?_authenticator={}'.format( # noqa self.folder.absolute_url(), createToken())) # We should now have cookies with the drafts information cookies = browser.cookies.forURL(browser.url) path = '"{0}/portal_factory/Document/document.2010-02-04.2866363923"' # noqa self.assertEqual( path.format(self.folder.absolute_url_path()), cookies['plone.app.drafts.path'], ) self.assertEqual( '"{0}%3ADocument"'.format(uuid), cookies['plone.app.drafts.targetKey'], ) self.assertNotIn( 'plone.app.drafts.draftName', browser.cookies.forURL(browser.url), ) # We can now cancel the edit. The cookies should expire. browser.getControl(name='form.button.cancel').click() self.assertNotIn( 'plone.app.drafts.targetKey', browser.cookies.forURL(browser.url), ) self.assertNotIn( 'plone.app.drafts.path', browser.cookies.forURL(browser.url), )
def transform(self, result): result = self.parseTree(result) if result is None: return None root = result.tree.getroot() url = urlparse(self.request.URL) try: token = createToken() except ComponentLookupError: context = self.getContext() if IApplication.providedBy(context) or \ IResource.providedBy(context): # skip here, utility not installed yet on zope root return raise for form in root.cssselect('form'): # XXX should we only do POST? If we're logged in and # it's an internal form, I'm inclined to say no... #method = form.attrib.get('method', 'GET').lower() #if method != 'post': # continue # some get forms we definitely do not want to protect. # for now, we know search we do not want to protect method = form.attrib.get('method', 'GET').lower() action = form.attrib.get('action', '').strip() if method == 'get' and '@@search' in action: continue action = form.attrib.get('action', '').strip() if not self.isActionInSite(action, url): continue # check if the token is already on the form.. hidden = form.cssselect('[name="_authenticator"]') if len(hidden) == 0: hidden = etree.Element("input") hidden.attrib['name'] = '_authenticator' hidden.attrib['type'] = 'hidden' hidden.attrib['value'] = token form.append(hidden) return result
def setUp(self): self.portal = self.layer['portal'] self.request = self.layer['request'] # Disable plone.protect for these tests self.request.environ['REQUEST_METHOD'] = 'POST' self.request.form['_authenticator'] = createToken() login(self.portal, TEST_USER_NAME) setRoles(self.portal, TEST_USER_ID, ['Manager']) # set available languages registry = getUtility(IRegistry) registry['plone.available_languages'] = ['en', 'de'] self.portal.invokeFactory('Folder', 'main1') self.portal.main1.invokeFactory('Folder', 'sub1') self.portal.main1.sub1.invokeFactory('Folder', 'subsub1') self.portal.main1.invokeFactory('Document', 'sub2') self.portal.invokeFactory('Document', 'main2') self.setup_initial()
def render_ajax_form(context, request, name): """Render ajax form on context by view name. By default contents of div with id ``content`` gets replaced. If fiddle mode or selector needs to get customized, ``bda.plone.ajax.form.mode`` and ``bda.plone.ajax.form.selector`` must be given as request parameters. """ try: key_manager = getUtility(IKeyManager) except ComponentLookupError: key_manager = getRootKeyManager(getRoot(context)) token = createToken(manager=key_manager) try: result = context.restrictedTraverse(name)() selector = request.get('bda.plone.ajax.form.selector', '#content') mode = request.get('bda.plone.ajax.form.mode', 'inner') continuation = request.get('bda.plone.ajax.continuation') form_continue = AjaxFormContinue(continuation) response = ajax_form_template % { 'form': result, 'token': token, 'selector': selector, 'mode': mode, 'next': form_continue.next, } return response except Exception: result = '<div>Form rendering error</div>' selector = request.get('bda.plone.ajax.form.selector', '#content') mode = request.get('bda.plone.ajax.form.mode', 'inner') tb = format_traceback() continuation = AjaxMessage(tb, 'error', None) form_continue = AjaxFormContinue([continuation]) response = ajax_form_template % { 'form': result, 'token': token, 'selector': selector, 'mode': mode, 'next': form_continue.next, } return response
def addTokenToUrl(url, req=None, manager=None): if not url: return url if req is None: req = getRequest() if not url.startswith(req.SERVER_URL): # only transforms urls to same site return url if '_auth_token' not in req.environ: # let's cache this value since this could be called # many times for one request req.environ['_auth_token'] = createToken(manager=manager) token = req.environ['_auth_token'] if '_authenticator' not in url: if '?' not in url: url += '?' else: url += '&' url += '_authenticator=' + token return url
def transform(self, result, encoding): result = self.parseTree(result, encoding) if result is None: return None root = result.tree.getroot() url = urlparse(self.request.URL) try: token = createToken(manager=self.key_manager) except ComponentLookupError: if self.site is not None: LOGGER.warn('Keyring not found on site. This should not happen', exc_info=True) return result for form in root.cssselect('form'): # XXX should we only do POST? If we're logged in and # it's an internal form, I'm inclined to say no... # method = form.attrib.get('method', 'GET').lower() # if method != 'post': # continue # some get forms we definitely do not want to protect. # for now, we know search we do not want to protect method = form.attrib.get('method', 'GET').lower() action = form.attrib.get('action', '').strip() if method == 'get' and '@@search' in action: continue action = form.attrib.get('action', '').strip() if not self.isActionInSite(action, url): continue # check if the token is already on the form.. hidden = form.cssselect('[name="_authenticator"]') if len(hidden) == 0: hidden = etree.Element("input") hidden.attrib['name'] = '_authenticator' hidden.attrib['type'] = 'hidden' hidden.attrib['value'] = token form.append(hidden) return result
def morphVersionDataToHistoryFormat(vdata, version_id): meta = vdata["metadata"]["sys_metadata"] userid = meta["principal"] token = createToken() preview_url = \ "%s/versions_history_form?version_id=%s&_authenticator=%s#version_preview" % ( # noqa context_url, version_id, token ) info = dict( type='versioning', action=_(u"Edited"), transition_title=_(u"Edited"), actorid=userid, time=meta["timestamp"], comments=meta['comment'], version_id=version_id, preview_url=preview_url, ) if can_diff: if version_id > 0: info["diff_previous_url"] = ( "%s/@@history?one=%s&two=%s&_authenticator=%s" % (context_url, version_id, version_id - 1, token) ) if not rt.isUpToDate(context, version_id): info["diff_current_url"] = ( "%s/@@history?one=current&two=%s&_authenticator=%s" % (context_url, version_id, token) ) if can_revert: info["revert_url"] = "%s/revertversion" % context_url else: info["revert_url"] = None info.update(self.getUserInfo(userid)) return info
def test_image_tile(self): annotations = IAnnotations(self.page) annotations['plone.tiles.data.test'] = PersistentDict({ 'image': NamedImage(image(), 'image/png', filename=u'color.png') }) transaction.commit() self.browser.open( self.pageURL + '/@@plone.app.standardtiles.image/test?_authenticator={}'.format( createToken() ) ) # Confirm pass CSRF protection on Plone 5 try: self.browser.getControl(name='form.button.confirm').click() except LookupError: pass root = fromstring(self.browser.contents) nodes = root.xpath('//body//img') self.assertEqual(len(nodes), 1)
def _getauth(self, userName): self.login(userName) return createToken()
def init_url(self, uid): return '{url}/@@pay_invoice?uid={uid}&_authenticator={token}'.format( url=self.context.absolute_url(), uid=uid, token=createToken() )
def transform(self, result, encoding): site_url = 'foobar' if self.site: site_url = self.site.absolute_url() registered = self._registered_objects() if len(registered) > 0 and \ not IDisableCSRFProtection.providedBy(self.request): # in plone 4, we need to do some more trickery to # prevent write on read errors annotation_keys = ( 'plone.contentrules.localassignments', 'syndication_settings', 'plone.portlets.contextassignments') for obj in registered: if isinstance(obj, OOBTree): safe = False for key in annotation_keys: try: if key in obj: safe = True break except TypeError: pass if safe: safeWrite(obj) elif isinstance(obj, ATBlob): # writing scales is fine safeWrite(obj) # check referrer/origin header as a backstop to check # against false positives for write on read errors referrer = self.request.environ.get('HTTP_REFERER') if referrer: if referrer.startswith(site_url + '/'): alsoProvides(self.request, IDisableCSRFProtection) else: origin = self.request.environ.get('HTTP_ORIGIN') if origin and origin == site_url: alsoProvides(self.request, IDisableCSRFProtection) result = self.parseTree(result, encoding) if result is None: return None root = result.tree.getroot() try: token = createToken(manager=self.key_manager) except ComponentLookupError: return if self.site is not None: body = root.cssselect('body')[0] protect_script = etree.Element("script") protect_script.attrib.update({ 'type': "application/javascript", 'src': "%s/++resource++protect.js" % site_url, 'data-site-url': site_url, 'data-token': token, 'id': 'protect-script' }) body.append(protect_script) # guess zmi, if it is, rewrite all links last_path = self.request.URL.split('/')[-1] if last_path == 'manage' or last_path.startswith('manage_'): root.make_links_absolute(self.request.URL) def rewrite_func(url): return addTokenToUrl( url, self.request, manager=self.key_manager) root.rewrite_links(rewrite_func) # Links to add token to so we don't trigger the csrf # warnings for anchor in root.cssselect(_add_rule_token_selector): url = anchor.attrib.get('href') # addTokenToUrl only converts urls on the same site anchor.attrib['href'] = addTokenToUrl( url, self.request, manager=self.key_manager) return result