-
-
Notifications
You must be signed in to change notification settings - Fork 75
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Branch: refs/heads/2.2.x Date: 2016-09-01T09:18:17+02:00 Author: Jonas Baumann (jone) <jone@jone.ch> Commit: plone/plone.dexterity@d385d80 Set copy flags when copying container. When copying a DX container which has AT children, the UID of the AT children was not updated. The reason for the error is that the DX container copy did not have the _v_is_cp flag while the AT children were processed and thus the flag was not properly delegated. By copying the _v_is_cp and _v_cp_refs flags to the copy we have the same behavior as it used to be with AT, which does fix the error. Files changed: M CHANGES.rst M plone/dexterity/content.py Repository: plone.dexterity Branch: refs/heads/2.2.x Date: 2016-09-12T17:37:31+02:00 Author: Jens W. Klein (jensens) <jk@kleinundpartner.at> Commit: plone/plone.dexterity@f09a597 Merge pull request #60 from plone/jone-set-copy-flags Set copy flags when copying container. Files changed: M CHANGES.rst M plone/dexterity/content.py
- Loading branch information
Showing
1 changed file
with
88 additions
and
259 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,296 +1,125 @@ | ||
| Repository: plone.app.users | ||
| Repository: plone.dexterity | ||
|
|
||
|
|
||
| Branch: refs/heads/1.2.x | ||
| Date: 2016-09-07T18:10:16+02:00 | ||
| Author: Maurits van Rees (mauritsvanrees) <maurits@vanrees.org> | ||
| Commit: https://github.com/plone/plone.app.users/commit/5671aecbbe59e2c53706b76baa17324c03dbcf38 | ||
| Branch: refs/heads/2.2.x | ||
| Date: 2016-09-01T09:18:17+02:00 | ||
| Author: Jonas Baumann (jone) <jone@jone.ch> | ||
| Commit: https://github.com/plone/plone.dexterity/commit/d385d80ac11c4a172e160089c3153651a80340aa | ||
|
|
||
| Don't show unescaped user id in user-information form. | ||
| Set copy flags when copying container. | ||
|
|
||
| This applies PloneHotfix20160830. | ||
| When copying a DX container which has AT children, the UID of the AT | ||
| children was not updated. | ||
| The reason for the error is that the DX container copy did not have the | ||
| _v_is_cp flag while the AT children were processed and thus the flag was | ||
| not properly delegated. | ||
|
|
||
| Files changed: | ||
| A plone/app/users/tests/test_user_data_panel.py | ||
| M CHANGES.rst | ||
| M plone/app/users/browser/personalpreferences.py | ||
|
|
||
| diff --git a/CHANGES.rst b/CHANGES.rst | ||
| index 4062f75..9a1a8cc 100644 | ||
| --- a/CHANGES.rst | ||
| +++ b/CHANGES.rst | ||
| @@ -4,13 +4,14 @@ Changelog | ||
| 1.2.5 (unreleased) | ||
| ------------------ | ||
|
|
||
| -New: | ||
| +New features: | ||
|
|
||
| - *add item here* | ||
|
|
||
| -Fixes: | ||
| +Bug fixes: | ||
|
|
||
| -- *add item here* | ||
| +- Don't show unescaped user id in user-information form. | ||
| + This applies PloneHotfix20160830. [maurits] | ||
|
|
||
|
|
||
| 1.2.4 (2016-02-24) | ||
| diff --git a/plone/app/users/browser/personalpreferences.py b/plone/app/users/browser/personalpreferences.py | ||
| index 809c433..d973198 100644 | ||
| --- a/plone/app/users/browser/personalpreferences.py | ||
| +++ b/plone/app/users/browser/personalpreferences.py | ||
| @@ -26,6 +26,8 @@ | ||
| from Products.Five.browser.pagetemplatefile import ViewPageTemplateFile | ||
| from Products.statusmessages.interfaces import IStatusMessage | ||
|
|
||
| +import cgi | ||
| + | ||
|
|
||
| class IPersonalPreferences(Interface): | ||
|
|
||
| @@ -298,7 +300,7 @@ def description(self): | ||
| #editing someone else's profile | ||
| return _(u'description_personal_information_form_otheruser', | ||
| default='Change personal information for $name', | ||
| - mapping={'name': self.userid}) | ||
| + mapping={'name': cgi.escape(self.userid)}) | ||
| else: | ||
| #editing my own profile | ||
| return _(u'description_personal_information_form', | ||
| diff --git a/plone/app/users/tests/test_user_data_panel.py b/plone/app/users/tests/test_user_data_panel.py | ||
| new file mode 100644 | ||
| index 0000000..6a99ede | ||
| --- /dev/null | ||
| +++ b/plone/app/users/tests/test_user_data_panel.py | ||
| @@ -0,0 +1,26 @@ | ||
| +from plone.app.users.browser.personalpreferences import UserDataPanel | ||
| +from plone.app.users.tests.base import TestCase | ||
| +from zope.i18n import translate | ||
| + | ||
| + | ||
| +class TestUserDataPanel(TestCase): | ||
| + | ||
| + def test_regression(self): | ||
| + portal = self.portal | ||
| + request = portal.REQUEST | ||
| + request.form.update({ | ||
| + 'userid': 'admin' | ||
| + }) | ||
| + form = UserDataPanel(portal, request) | ||
| + description = translate(form.description, context=request) | ||
| + self.assertTrue('admin' in description) | ||
| + | ||
| + def test_escape_html(self): | ||
| + portal = self.portal | ||
| + request = portal.REQUEST | ||
| + request.form.update({ | ||
| + 'userid': 'admin<script>alert("userid")</script>' | ||
| + }) | ||
| + form = UserDataPanel(portal, request) | ||
| + description = translate(form.description, context=request) | ||
| + self.assertTrue('<script>' not in description) | ||
|
|
||
|
|
||
| Repository: plone.app.users | ||
|
|
||
|
|
||
| Branch: refs/heads/1.2.x | ||
| Date: 2016-09-07T18:24:25+02:00 | ||
| Author: Maurits van Rees (mauritsvanrees) <maurits@vanrees.org> | ||
| Commit: https://github.com/plone/plone.app.users/commit/5dc8328d8e79433f3a3bbac6d7df64fea86bacb5 | ||
|
|
||
| Give 404 when user-information form is called with not existing userid. | ||
| By copying the _v_is_cp and _v_cp_refs flags to the copy we have the | ||
| same behavior as it used to be with AT, which does fix the error. | ||
|
|
||
| Files changed: | ||
| M CHANGES.rst | ||
| M plone/app/users/browser/personalpreferences.py | ||
| M plone/app/users/tests/test_user_data_panel.py | ||
| M plone/dexterity/content.py | ||
|
|
||
| diff --git a/CHANGES.rst b/CHANGES.rst | ||
| index 9a1a8cc..e0309f3 100644 | ||
| index 4d61c82..97e35f5 100644 | ||
| --- a/CHANGES.rst | ||
| +++ b/CHANGES.rst | ||
| @@ -10,6 +10,9 @@ New features: | ||
| @@ -14,7 +14,8 @@ New features: | ||
|
|
||
| Bug fixes: | ||
|
|
||
| +- Give a 404 when the user-information form is called with a not | ||
| + existing userid. [maurits] | ||
| + | ||
| - Don't show unescaped user id in user-information form. | ||
| This applies PloneHotfix20160830. [maurits] | ||
|
|
||
| diff --git a/plone/app/users/browser/personalpreferences.py b/plone/app/users/browser/personalpreferences.py | ||
| index d973198..5a924c2 100644 | ||
| --- a/plone/app/users/browser/personalpreferences.py | ||
| +++ b/plone/app/users/browser/personalpreferences.py | ||
| @@ -25,6 +25,7 @@ | ||
| from Products.CMFPlone.utils import set_own_login_name, safe_unicode | ||
| from Products.Five.browser.pagetemplatefile import ViewPageTemplateFile | ||
| from Products.statusmessages.interfaces import IStatusMessage | ||
| +from zExceptions import NotFound | ||
| import cgi | ||
| @@ -322,6 +323,14 @@ def getPortrait(self): | ||
| context = aq_inner(self.context) | ||
| return context.portal_membership.getPersonalPortrait() | ||
| + def __call__(self): | ||
| + if self.userid: | ||
| + context = aq_inner(self.context) | ||
| + mt = getToolByName(context, 'portal_membership') | ||
| + if mt.getMemberById(self.userid) is None: | ||
| + raise NotFound('User does not exist.') | ||
| + return super(UserDataPanel, self).__call__() | ||
| -- *add item here* | ||
| +- Fix error when copying DX containers with AT children which caused the | ||
| + children to not have the UID updated properly. [jone] | ||
|
|
||
|
|
||
| 2.2.7 (2016-05-05) | ||
| diff --git a/plone/dexterity/content.py b/plone/dexterity/content.py | ||
| index 167a3ed..1222064 100644 | ||
| --- a/plone/dexterity/content.py | ||
| +++ b/plone/dexterity/content.py | ||
| @@ -221,6 +221,22 @@ def _verifyObjectPaste(self, obj, validate_src=True): | ||
| 'You can not add the copied content here.' | ||
| ) | ||
|
|
||
| + def _getCopy(self, container): | ||
| + # Copy the _v_is_cp and _v_cp_refs flags from the original | ||
| + # object (self) to the new copy. | ||
| + # This has impact on how children will be handled. | ||
| + # When the flags are missing, an Archetypes child object will not have | ||
| + # the UID updated in some situations. | ||
| + # Copied from Products.Archetypes.Referenceable.Referenceable._getCopy | ||
| + is_cp_flag = getattr(self, '_v_is_cp', None) | ||
| + cp_refs_flag = getattr(self, '_v_cp_refs', None) | ||
| + ob = super(PasteBehaviourMixin, self)._getCopy(container) | ||
| + if is_cp_flag: | ||
| + setattr(ob, '_v_is_cp', is_cp_flag) | ||
| + if cp_refs_flag: | ||
| + setattr(ob, '_v_cp_refs', cp_refs_flag) | ||
| + return ob | ||
| + | ||
|
|
||
| class UserDataConfiglet(UserDataPanel): | ||
| """ """ | ||
| diff --git a/plone/app/users/tests/test_user_data_panel.py b/plone/app/users/tests/test_user_data_panel.py | ||
| index 6a99ede..a859a54 100644 | ||
| --- a/plone/app/users/tests/test_user_data_panel.py | ||
| +++ b/plone/app/users/tests/test_user_data_panel.py | ||
| @@ -1,5 +1,6 @@ | ||
| from plone.app.users.browser.personalpreferences import UserDataPanel | ||
| from plone.app.users.tests.base import TestCase | ||
| +from zExceptions import NotFound | ||
| from zope.i18n import translate | ||
|
|
||
|
|
||
| @@ -14,6 +15,8 @@ def test_regression(self): | ||
| form = UserDataPanel(portal, request) | ||
| description = translate(form.description, context=request) | ||
| self.assertTrue('admin' in description) | ||
| + # form can be called without raising exception. | ||
| + self.assertTrue(form()) | ||
|
|
||
| def test_escape_html(self): | ||
| portal = self.portal | ||
| @@ -24,3 +27,4 @@ def test_escape_html(self): | ||
| form = UserDataPanel(portal, request) | ||
| description = translate(form.description, context=request) | ||
| self.assertTrue('<script>' not in description) | ||
| + self.assertRaises(NotFound, form) | ||
| @implementer( | ||
| IDexterityContent, | ||
|
|
||
|
|
||
| Repository: plone.app.users | ||
| Repository: plone.dexterity | ||
|
|
||
|
|
||
| Branch: refs/heads/1.2.x | ||
| Date: 2016-09-07T23:11:22+02:00 | ||
| Author: Gil Forcada Codinachs (gforcada) <gil.gnome@gmail.com> | ||
| Commit: https://github.com/plone/plone.app.users/commit/51245a23f6df6a907b75059dced5c18b08501944 | ||
| Branch: refs/heads/2.2.x | ||
| Date: 2016-09-12T17:37:31+02:00 | ||
| Author: Jens W. Klein (jensens) <jk@kleinundpartner.at> | ||
| Commit: https://github.com/plone/plone.dexterity/commit/f09a5977990240874c29720db66204f37da96b85 | ||
|
|
||
| Merge pull request #61 from plone/apply-hotfix-20160830-12x | ||
| Merge pull request #60 from plone/jone-set-copy-flags | ||
|
|
||
| Apply hotfix 20160830 12x | ||
| Set copy flags when copying container. | ||
|
|
||
| Files changed: | ||
| A plone/app/users/tests/test_user_data_panel.py | ||
| M CHANGES.rst | ||
| M plone/app/users/browser/personalpreferences.py | ||
| M plone/dexterity/content.py | ||
|
|
||
| diff --git a/CHANGES.rst b/CHANGES.rst | ||
| index 4062f75..e0309f3 100644 | ||
| index 4d61c82..97e35f5 100644 | ||
| --- a/CHANGES.rst | ||
| +++ b/CHANGES.rst | ||
| @@ -4,13 +4,17 @@ Changelog | ||
| 1.2.5 (unreleased) | ||
| ------------------ | ||
|
|
||
| -New: | ||
| +New features: | ||
|
|
||
| - *add item here* | ||
| @@ -14,7 +14,8 @@ New features: | ||
|
|
||
| -Fixes: | ||
| +Bug fixes: | ||
| Bug fixes: | ||
|
|
||
| -- *add item here* | ||
| +- Give a 404 when the user-information form is called with a not | ||
| + existing userid. [maurits] | ||
| + | ||
| +- Don't show unescaped user id in user-information form. | ||
| + This applies PloneHotfix20160830. [maurits] | ||
|
|
||
|
|
||
| 1.2.4 (2016-02-24) | ||
| diff --git a/plone/app/users/browser/personalpreferences.py b/plone/app/users/browser/personalpreferences.py | ||
| index 809c433..5a924c2 100644 | ||
| --- a/plone/app/users/browser/personalpreferences.py | ||
| +++ b/plone/app/users/browser/personalpreferences.py | ||
| @@ -25,6 +25,9 @@ | ||
| from Products.CMFPlone.utils import set_own_login_name, safe_unicode | ||
| from Products.Five.browser.pagetemplatefile import ViewPageTemplateFile | ||
| from Products.statusmessages.interfaces import IStatusMessage | ||
| +from zExceptions import NotFound | ||
| + | ||
| +import cgi | ||
|
|
||
|
|
||
| class IPersonalPreferences(Interface): | ||
| @@ -298,7 +301,7 @@ def description(self): | ||
| #editing someone else's profile | ||
| return _(u'description_personal_information_form_otheruser', | ||
| default='Change personal information for $name', | ||
| - mapping={'name': self.userid}) | ||
| + mapping={'name': cgi.escape(self.userid)}) | ||
| else: | ||
| #editing my own profile | ||
| return _(u'description_personal_information_form', | ||
| @@ -320,6 +323,14 @@ def getPortrait(self): | ||
| context = aq_inner(self.context) | ||
| return context.portal_membership.getPersonalPortrait() | ||
|
|
||
| + def __call__(self): | ||
| + if self.userid: | ||
| + context = aq_inner(self.context) | ||
| + mt = getToolByName(context, 'portal_membership') | ||
| + if mt.getMemberById(self.userid) is None: | ||
| + raise NotFound('User does not exist.') | ||
| + return super(UserDataPanel, self).__call__() | ||
| +- Fix error when copying DX containers with AT children which caused the | ||
| + children to not have the UID updated properly. [jone] | ||
|
|
||
|
|
||
| 2.2.7 (2016-05-05) | ||
| diff --git a/plone/dexterity/content.py b/plone/dexterity/content.py | ||
| index 167a3ed..1222064 100644 | ||
| --- a/plone/dexterity/content.py | ||
| +++ b/plone/dexterity/content.py | ||
| @@ -221,6 +221,22 @@ def _verifyObjectPaste(self, obj, validate_src=True): | ||
| 'You can not add the copied content here.' | ||
| ) | ||
|
|
||
| + def _getCopy(self, container): | ||
| + # Copy the _v_is_cp and _v_cp_refs flags from the original | ||
| + # object (self) to the new copy. | ||
| + # This has impact on how children will be handled. | ||
| + # When the flags are missing, an Archetypes child object will not have | ||
| + # the UID updated in some situations. | ||
| + # Copied from Products.Archetypes.Referenceable.Referenceable._getCopy | ||
| + is_cp_flag = getattr(self, '_v_is_cp', None) | ||
| + cp_refs_flag = getattr(self, '_v_cp_refs', None) | ||
| + ob = super(PasteBehaviourMixin, self)._getCopy(container) | ||
| + if is_cp_flag: | ||
| + setattr(ob, '_v_is_cp', is_cp_flag) | ||
| + if cp_refs_flag: | ||
| + setattr(ob, '_v_cp_refs', cp_refs_flag) | ||
| + return ob | ||
| + | ||
|
|
||
| class UserDataConfiglet(UserDataPanel): | ||
| """ """ | ||
| diff --git a/plone/app/users/tests/test_user_data_panel.py b/plone/app/users/tests/test_user_data_panel.py | ||
| new file mode 100644 | ||
| index 0000000..a859a54 | ||
| --- /dev/null | ||
| +++ b/plone/app/users/tests/test_user_data_panel.py | ||
| @@ -0,0 +1,30 @@ | ||
| +from plone.app.users.browser.personalpreferences import UserDataPanel | ||
| +from plone.app.users.tests.base import TestCase | ||
| +from zExceptions import NotFound | ||
| +from zope.i18n import translate | ||
| + | ||
| + | ||
| +class TestUserDataPanel(TestCase): | ||
| + | ||
| + def test_regression(self): | ||
| + portal = self.portal | ||
| + request = portal.REQUEST | ||
| + request.form.update({ | ||
| + 'userid': 'admin' | ||
| + }) | ||
| + form = UserDataPanel(portal, request) | ||
| + description = translate(form.description, context=request) | ||
| + self.assertTrue('admin' in description) | ||
| + # form can be called without raising exception. | ||
| + self.assertTrue(form()) | ||
| + | ||
| + def test_escape_html(self): | ||
| + portal = self.portal | ||
| + request = portal.REQUEST | ||
| + request.form.update({ | ||
| + 'userid': 'admin<script>alert("userid")</script>' | ||
| + }) | ||
| + form = UserDataPanel(portal, request) | ||
| + description = translate(form.description, context=request) | ||
| + self.assertTrue('<script>' not in description) | ||
| + self.assertRaises(NotFound, form) | ||
| @implementer( | ||
| IDexterityContent, | ||
|
|
||
|
|