erp5_data_notebook: Respect preference

Before executing any code check if server side is configured to execute unrestricted code.

erp5_data_notebook: Respect preference
Before executing any code check if server side is configured to execute unrestricted code.
58dc6615 · Łukasz Nowak · e3941f7e · 58dc6615 · 58dc6615 · 58dc6615
Commit 58dc6615 authored Aug 10, 2017 by Łukasz Nowak
5 changed files
--- a/bt5/erp5_data_notebook/ExtensionTemplateItem/portal_components/extension.erp5.JupyterCompile.py
+++ b/bt5/erp5_data_notebook/ExtensionTemplateItem/portal_components/extension.erp5.JupyterCompile.py
@@ -43,6 +43,9 @@ except ImportError:
 def Base_executeJupyter(self, python_expression=None, reference=None, \
                        title=None, request_reference=False, **kw):
+  # Check if implementation is enabled
+  if not self.getPortalObject().ERP5Site_isDataNotebookEnabled():
+    return "The synchronous and unrestricted implementation is not enabled on the server"
  # Check permissions for current user and display message to non-authorized user 
  if not self.Base_checkPermission('portal_components', 'Manage Portal'):
    return "You are not authorized to access the script"

--- a/bt5/erp5_data_notebook/ExtensionTemplateItem/portal_components/extension.erp5.JupyterCompile.xml
+++ b/bt5/erp5_data_notebook/ExtensionTemplateItem/portal_components/extension.erp5.JupyterCompile.xml
@@ -46,13 +46,14 @@
            <key> <string>text_content_warning_message</string> </key>
            <value>
              <tuple>
-                <string>W:401, 10: Use of exec (exec-used)</string>
+                <string>W:426, 10: Use of exec (exec-used)</string>
-                <string>W:447, 10: Use of exec (exec-used)</string>
+                <string>W:472, 10: Use of exec (exec-used)</string>
-                <string>W:460, 10: Use of exec (exec-used)</string>
+                <string>W:485, 10: Use of exec (exec-used)</string>
-                <string>W:549,  4: No exception type(s) specified (bare-except)</string>
+                <string>W:574,  4: No exception type(s) specified (bare-except)</string>
-                <string>W:557,  6: No exception type(s) specified (bare-except)</string>
+                <string>W:582,  6: No exception type(s) specified (bare-except)</string>
-                <string>W:869,  6: Use of exec (exec-used)</string>
+                <string>W:892,  6: Use of exec (exec-used)</string>
-                <string>W:1104,  2: Redefining name \'IFrame\' from outer scope (line 4) (redefined-outer-name)</string>
+                <string>W:1128,  2: Redefining name \'IFrame\' from outer scope (line 4) (redefined-outer-name)</string>
+                <string>W: 19,  0: Unused log imported from Products.ERP5Type.Log (unused-import)</string>
              </tuple>
            </value>
        </item>

--- a/bt5/erp5_data_notebook/SkinTemplateItem/portal_skins/erp5_data_notebook/ERP5Site_isDataNotebookEnabled.py
+++ b/bt5/erp5_data_notebook/SkinTemplateItem/portal_skins/erp5_data_notebook/ERP5Site_isDataNotebookEnabled.py
+return context.getPortalObject().portal_preferences.isPreferredDataNotebookEnabled()
--- a/bt5/erp5_data_notebook/SkinTemplateItem/portal_skins/erp5_data_notebook/ERP5Site_isDataNotebookEnabled.xml
+++ b/bt5/erp5_data_notebook/SkinTemplateItem/portal_skins/erp5_data_notebook/ERP5Site_isDataNotebookEnabled.xml
+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>Script_magic</string> </key>
+            <value> <int>3</int> </value>
+        </item>
+        <item>
+            <key> <string>_bind_names</string> </key>
+            <value>
+              <object>
+                <klass>
+                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
+                </klass>
+                <tuple/>
+                <state>
+                  <dictionary>
+                    <item>
+                        <key> <string>_asgns</string> </key>
+                        <value>
+                          <dictionary>
+                            <item>
+                                <key> <string>name_container</string> </key>
+                                <value> <string>container</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_context</string> </key>
+                                <value> <string>context</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_m_self</string> </key>
+                                <value> <string>script</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_subpath</string> </key>
+                                <value> <string>traverse_subpath</string> </value>
+                            </item>
+                          </dictionary>
+                        </value>
+                    </item>
+                  </dictionary>
+                </state>
+              </object>
+            </value>
+        </item>
+        <item>
+            <key> <string>_params</string> </key>
+            <value> <string></string> </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>ERP5Site_isDataNotebookEnabled</string> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>
--- a/bt5/erp5_data_notebook/TestTemplateItem/portal_components/test.erp5.testExecuteJupyter.py
+++ b/bt5/erp5_data_notebook/TestTemplateItem/portal_components/test.erp5.testExecuteJupyter.py
@@ -51,6 +51,13 @@ class TestExecuteJupyter(ERP5TypeTestCase):
    user_folder._doAddUser('member_user', '', ['Member','Authenticated',], [])
    # Assign developer role to user
    addUserToDeveloperRole('dev_user')
+    # Create script to mock execution
+    createZODBPythonScript(self.getPortal().portal_skins.custom, "ERP5Site_isDataNotebookEnabled", '', "return True")
+    self.tic()
+  def beforeTearDown(self):
+    removeZODBPythonScript(self.getPortal().portal_skins.custom, "ERP5Site_isDataNotebookEnabled")
    self.tic()
  def _newNotebook(self, reference=None):
@@ -128,6 +135,20 @@ portal.%s()
    # Test that calling Base_runJupyter shouldn't change the context Title
    self.assertNotEqual(portal.getTitle(), new_test_title)
+  def testBase_executeJupyterRespectPreference(self):
+    self.login('dev_user')
+    removeZODBPythonScript(self.getPortal().portal_skins.custom, "ERP5Site_isDataNotebookEnabled")
+    createZODBPythonScript(self.getPortal().portal_skins.custom, "ERP5Site_isDataNotebookEnabled", '', "return False")
+    self.tic()
+    jupyter_code = "a = 1\na"
+    reference = 'Test.Notebook.PreferenceHandle'
+    result = self.portal.Base_executeJupyter(
+      reference=reference,
+      python_expression=jupyter_code
+    )
+    self.assertEqual(result, 'The synchronous and unrestricted implementation is not enabled on the server')
  def testJupyterCompileInvalidPythonSyntax(self):
    """
    Test how the JupyterCompile extension behaves when it receives Python