Merge pull request #18 from plone/repatch-pluggableauth

change pluggable auth patches to marmoset
plone · Sep 26, 2015 · 44d51ee · 44d51ee
2 parents 7979ee6 + e289abb
commit 44d51ee
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 15 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -4,6 +4,11 @@ Changelog
 3.0.9 (unreleased)
 ------------------
 
+- patch pluggable auth with marmoset patch because
+  the patch would not apply otherwise depending on
+  somewhat-random import order
+  [vangheem]
+
 - get auto-csrf protection working on the zope root
   [vangheem]
 

diff --git a/plone/protect/configure.zcml b/plone/protect/configure.zcml
@@ -60,19 +60,4 @@
         preserveOriginal="True"
         />
 
-    <monkey:patch
-        zcml:condition="installed Products.PluggableAuthService.utils.getCSRFToken"
-        description="Patch old pluggable auth to use plone mechanism"
-        class="Products.PluggableAuthService.utils"
-        original="getCSRFToken"
-        replacement=".monkey.pluggableauth__getCSRFToken"
-        />
-    <monkey:patch
-        zcml:condition="installed Products.PluggableAuthService.utils.checkCSRFToken"
-        description="Patch old pluggable auth to use plone mechanism"
-        class="Products.PluggableAuthService.utils"
-        original="checkCSRFToken"
-        replacement=".monkey.pluggableauth__checkCSRFToken"
-        />
-
 </configure>
diff --git a/plone/protect/monkey.py b/plone/protect/monkey.py
@@ -1,5 +1,7 @@
 from urlparse import urlparse, urljoin
 from plone.protect.auto import safeWrite
+import inspect
+from Products.PluggableAuthService import utils as pluggable_utils
 
 
 def RedirectTo__call__(self, controller_state):
@@ -51,3 +53,16 @@ def pluggableauth__checkCSRFToken(request, token='csrf_token', raises=True):
     let plone.protect do it's job
     """
     pass
+
+
+def marmoset_patch(func, replacement):
+    source = inspect.getsource(replacement)
+    exec source in func.func_globals
+    func.func_code = replacement.func_code
+
+
+# otherwise the patches do not get applied in some cases
+if hasattr(pluggable_utils, 'checkCSRFToken'):
+    marmoset_patch(pluggable_utils.checkCSRFToken, pluggableauth__checkCSRFToken)
+if hasattr(pluggable_utils, 'getCSRFToken'):
+    marmoset_patch(pluggable_utils.getCSRFToken, pluggableauth__getCSRFToken)
diff --git a/plone/protect/tests/testPatches.py b/plone/protect/tests/testPatches.py
@@ -0,0 +1,27 @@
+from plone.app.testing import SITE_OWNER_NAME
+from plone.app.testing import SITE_OWNER_PASSWORD
+from plone.protect.testing import PROTECT_FUNCTIONAL_TESTING
+from plone.testing.z2 import Browser
+import unittest2 as unittest
+
+
+class TestCSRF(unittest.TestCase):
+    layer = PROTECT_FUNCTIONAL_TESTING
+
+    def setUp(self):
+        self.portal = self.layer['portal']
+        self.browser = Browser(self.layer['app'])
+        self.request = self.layer['request']
+        self.browser.addHeader(
+            'Authorization', 'Basic %s:%s' % (SITE_OWNER_NAME, SITE_OWNER_PASSWORD,))
+
+    def test_change_password_on_root_does_not_throw_other_csrf_protection(self):
+        self.browser.open('%s/acl_users/users/manage_users?user_id=%s&passwd=1' % (
+            self.layer['app'].absolute_url(), SITE_OWNER_NAME))
+        self.browser.getControl(name='password').value = SITE_OWNER_PASSWORD
+        self.browser.getControl(name='confirm').value = SITE_OWNER_PASSWORD
+        self.browser.getForm().submit()
+        self.assertEquals(
+            self.browser.url,
+            '%s/acl_users/users/manage_users?manage_tabs_message=password+updated' % (
+                self.layer['app'].absolute_url()))