Commit 6ef81bdb authored by Evan Simpson's avatar Evan Simpson

Change Error handling and turn on path restrictions.

parent f262f5ca
......@@ -89,10 +89,10 @@ Page Template-specific implementation of TALES, with handlers
for Python expressions, Python string literals, and paths.
"""
__version__='$Revision: 1.2 $'[11:-2]
__version__='$Revision: 1.3 $'[11:-2]
import re, sys
from TALES import Engine, TALESError, _valid_name, NAME_RE
from TALES import Engine, CompilerError, _valid_name, NAME_RE
from string import strip, split, join, replace
from DocumentTemplate.DT_Util import TemplateDict
......@@ -121,7 +121,7 @@ class PathExpr:
self._path = path = split(expr, '/')
self._base = base = path.pop(0)
if not _valid_name(base):
raise TALESError, 'Invalid variable name "%s"' % base
raise CompilerError, 'Invalid variable name "%s"' % base
self._dynparts = dp = []
for i in range(len(path)):
e = path[i]
......@@ -183,16 +183,16 @@ class StringExpr:
for exp in split(expr, '$$'):
if parts: parts.append('$')
m = _interp.search(exp)
if m is not None:
while m is not None:
parts.append(exp[:m.start()])
parts.append('%s')
vars.append(PathExpr('path', m.group(1) or m.group(2)))
exp = exp[m.end():]
m = _interp.search(exp)
if '$' in exp:
raise TALESError, ('$ must be doubled or '
'followed by a variable name '
'in string expression "%s"' % expr)
raise CompilerError, (
'$ must be doubled or followed by a variable name '
'in string expression "%s"' % expr)
parts.append(exp)
expr = join(parts, '')
self._expr = expr
......@@ -231,8 +231,8 @@ if sys.modules.has_key('Zope'):
self.expr = expr = strip(expr)
blk = GuardedBlock('def f():\n return %s\n' % expr)
if blk.errors:
raise TALESError, ('Python expression error:\n%s' %
join(blk.errors, '\n') )
raise CompilerError, ('Python expression error:\n%s' %
join(blk.errors, '\n') )
guards = {'$guard': theGuard, '$write_guard': WriteGuard,
'$read_guard': ReadGuard, '__debug__': __debug__}
self._f = UntupleFunction(blk.t, guards, __builtins__=safebin)
......@@ -263,6 +263,12 @@ if sys.modules.has_key('Zope'):
def __str__(self):
return 'Python expression "%s"' % self.expr
else:
class getSecurityManager:
'''Null security manager'''
def validate(self, *args, **kwargs):
return 1
validateValue = validate
class PythonExpr:
def __init__(self, name, expr):
try:
......@@ -270,8 +276,8 @@ else:
exec 'def f():\n return %s\n' % strip(expr) in d
self._f = d['f']
except:
raise TALESError, ('Python expression error:\n'
'%s: %s') % sys.exc_info()[:2]
raise CompilerError, ('Python expression error:\n'
'%s: %s') % sys.exc_info()[:2]
self._f_varnames = vnames = []
for vname in self._f.func_code.co_names:
if vname[0] not in '$_':
......@@ -310,14 +316,14 @@ def restrictedTraverse(self, path):
REQUEST={'TraversalRequestNameStack': path}
path.reverse()
pop=path.pop
#securityManager=getSecurityManager()
securityManager=getSecurityManager()
if not path[-1]:
# If the path starts with an empty string, go to the root first.
pop()
self=self.getPhysicalRoot()
#if not securityManager.validateValue(self):
# raise 'Unauthorized', name
if not securityManager.validateValue(self):
raise 'Unauthorized', name
object = self
while path:
......@@ -330,8 +336,8 @@ def restrictedTraverse(self, path):
if name=='..':
o=getattr(object, 'aq_parent', M)
if o is not M:
#if not securityManager.validate(object, object, name, o):
# raise 'Unauthorized', name
if not securityManager.validate(object, object, name, o):
raise 'Unauthorized', name
object=o
continue
......@@ -341,8 +347,8 @@ def restrictedTraverse(self, path):
# Note we pass no container, because we have no
# way of knowing what it is
#if not securityManager.validate(object, None, name, o):
# raise 'Unauthorized', name
if not securityManager.validate(object, None, name, o):
raise 'Unauthorized', name
else:
o=get(object, name, M)
......@@ -350,20 +356,20 @@ def restrictedTraverse(self, path):
# waaaa
if hasattr(get(object,'aq_base',object), name):
# value wasn't acquired
#if not securityManager.validate(
# object, object, name, o):
# raise 'Unauthorized', name
if not securityManager.validate(
object, object, name, o):
raise 'Unauthorized', name
pass
else:
#if not securityManager.validate(
# object, None, name, o):
# raise 'Unauthorized', name
if not securityManager.validate(
object, None, name, o):
raise 'Unauthorized', name
pass
else:
o=object[name]
#if not securityManager.validate(object, object, None, o):
# raise 'Unauthorized', name
if not securityManager.validate(object, object, None, o):
raise 'Unauthorized', name
object = o
return object
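Review bot: In the `else:` branch the new `getSecurityManager` stand-in returns 1 from every `validate`/`validateValue` call, so every check this commit enables in `restrictedTraverse` passes silently whenever `'Zope'` is not in `sys.modules` at the time this module is first imported (presumably the real manager is bound in the Zope branch, outside the hunk). If the fallback is meant only for standalone use, say so where it is defined, e.g. `'''Null security manager: performs no access checks; used only when Zope is not loaded'''`, and consider logging when it is selected. Separately, the root check raises `'Unauthorized', name` before any visible assignment to `name`, which appears to be bound only inside the `while path:` loop whose first lines are outside the hunk. A denied root would then surface as a NameError rather than Unauthorized; raising with the path or a fixed label there would avoid that.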
......@@ -87,7 +87,7 @@
HTML- and XML-based template objects using TAL, TALES, and METAL.
"""
__version__='$Revision: 1.1 $'[11:-2]
__version__='$Revision: 1.2 $'[11:-2]
import os, sys, traceback
from TAL.TALParser import TALParser
......@@ -157,6 +157,9 @@ class PageTemplate:
def __call__(self, **kwargs):
return self.pt_render(extra_context={'options': kwargs})
def pt_errors(self):
return self._v_errors
def pt_diagnostic(self):
return ('<html><body>\n'
'<h4>Page Template Diagnostics</h4>\n'
......
......@@ -87,7 +87,7 @@
An implementation of a generic TALES engine
"""
__version__='$Revision: 1.1 $'[11:-2]
__version__='$Revision: 1.2 $'[11:-2]
import re, sys
from MultiMapping import MultiMapping
......@@ -97,11 +97,17 @@ _parse_expr = re.compile(r"(%s):(.*)" % NAME_RE).match
_valid_name = re.compile('%s$' % NAME_RE).match
class TALESError(Exception):
'''TALES Error'''
__allow_access_to_unprotected_subobjects__ = 1
def __init__(self, expression, info=(None, None, None)):
self.type, self.value, self.traceback = info
self.expression = expression
class RegistrationError(TALESError):
class RegistrationError(Exception):
'''TALES Type Registration Error'''
class CompilerError(Exception):
'''TALES Compiler Error'''
class Iterator:
'''Simple Iterator class for use in Contexts'''
def __init__(self, name, seq, context):
......@@ -168,7 +174,7 @@ class Engine:
try:
handler = self.types[type]
except KeyError:
raise TALESError, (
raise CompilerError, (
'Unrecognized expression type "%s".' % type)
try:
return handler(type, expr, self)
......@@ -244,8 +250,7 @@ class Context:
try:
return expression(self)
except:
raise TALESError, "%s\n %s" % (expression,
"%s:%s" % sys.exc_info()[:2])
raise TALESError, (`expression`, sys.exc_info())
evaluateValue = evaluate
......
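Review bot: `TALESError.__init__` stores the whole `sys.exc_info()` tuple passed from `Context.evaluate`, so each instance holds a live traceback, and the class also sets `__allow_access_to_unprotected_subobjects__ = 1`. That keeps the failing frames and their locals alive for as long as the error object is referenced and presumably makes `.traceback` reachable from restricted code that catches the error. If the diagnostics need only type and value, store those plus a formatted traceback string, or at least document the cost: `# holds a live traceback; drop the reference once the error has been reported`. The bare `except:` around `expression(self)` will also wrap the `'Unauthorized'` string exceptions that `restrictedTraverse` now raises, so a caller looking for that exception would see a TALESError instead; worth confirming that is intended. The class and method bodies continue outside the hunks.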
......@@ -87,7 +87,7 @@
Zope object encapsulating a Page Template.
"""
__version__='$Revision: 1.2 $'[11:-2]
__version__='$Revision: 1.3 $'[11:-2]
import os, AccessControl, Acquisition, sys
from Globals import DTMLFile, MessageDialog, package_home
......@@ -152,6 +152,8 @@ class ZopePageTemplate(PageTemplate, Script, Historical, Cacheable,
pt_editForm = DTMLFile('dtml/ptEdit', globals())
manage = manage_main = pt_editForm
pt_diagnostic = DTMLFile('dtml/ptDiagnostic', globals())
security.declareProtected('Change Page Templates',
'pt_editAction', 'pt_setTitle', 'pt_edit',
'pt_upload', 'pt_changePrefs')
......
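Review bot: `pt_diagnostic` is added without a matching security declaration in the visible lines: the `declareProtected('Change Page Templates', ...)` list right after it does not name it, and whatever covers `pt_editForm` is outside the hunk. The diagnostic page lists compiler errors, which quote the template's expressions, so it should carry the same permission as the other management views, for example `security.declareProtected('View management screens', 'pt_diagnostic')`. If an earlier declaration already covers it, this can be ignored.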
<dtml-var manage_page_header>
<dtml-var expr="manage_form_title(this(), _,
form_title='Page Template Diagnostics',
)">
<p class="form-help">
This Page Template needs the following changes in order to operate.
</p>
<dtml-in expr="container.pt_errors()">
<p class="form-help>
&dtml-sequence-item;
</p>
</dtml-in>
<dtml-var manage_page_footer>
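Review bot: The `class` attribute on the `<p>` inside the `<dtml-in>` loop is never closed (`<p class="form-help>`), so a browser will read the following markup as part of the attribute value until it meets the next quote, and the error text may not render. It should read `<p class="form-help">`. The `&dtml-sequence-item;` entity form HTML-quotes each message, which is the right choice here because the compiler errors echo expression text written by the template author.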
......@@ -13,7 +13,7 @@ class ExpressionTests(unittest.TestCase):
e.compile('x/y')
e.compile('string:Fred')
e.compile('string:A$B')
e.compile('string:a${x/y}b')
e.compile('string:a ${x/y} b ${y/z} c')
e.compile('python: 2 + 2')
def test_suite():
......