Change Error handling and turn on path restrictions.

lib/python/Products/PageTemplates/Expressions.py

@@ -89,10 +89,10 @@ Page Template-specific implementation of TALES, with handlers
 for Python expressions, Python string literals, and paths.
 """
 
-__version__='$Revision: 1.2 $'[11:-2]
+__version__='$Revision: 1.3 $'[11:-2]
 
 import re, sys
-from TALES import Engine, TALESError, _valid_name, NAME_RE
+from TALES import Engine, CompilerError, _valid_name, NAME_RE
 from string import strip, split, join, replace
 from DocumentTemplate.DT_Util import TemplateDict
 
@@ -121,7 +121,7 @@ class PathExpr:
         self._path = path = split(expr, '/')
         self._base = base = path.pop(0)
         if not _valid_name(base):
-            raise TALESError, 'Invalid variable name "%s"' % base
+            raise CompilerError, 'Invalid variable name "%s"' % base
         self._dynparts = dp = []
         for i in range(len(path)):
             e = path[i]
@@ -183,15 +183,15 @@ class StringExpr:
             for exp in split(expr, '$$'):
                 if parts: parts.append('$')
                 m = _interp.search(exp)
-                if m is not None:
+                while m is not None:
                     parts.append(exp[:m.start()])
                     parts.append('%s')
                     vars.append(PathExpr('path', m.group(1) or m.group(2)))
                     exp = exp[m.end():]
                     m = _interp.search(exp)
                 if '$' in exp:
-                    raise TALESError, ('$ must be doubled or '
-                                       'followed by a variable name '
+                    raise CompilerError, (
+                        '$ must be doubled or followed by a variable name '
                         'in string expression "%s"' % expr)
                 parts.append(exp)
             expr = join(parts, '')
@@ -231,7 +231,7 @@ if sys.modules.has_key('Zope'):
             self.expr = expr = strip(expr)
             blk = GuardedBlock('def f():\n return %s\n' % expr)
             if blk.errors:
-                raise TALESError, ('Python expression error:\n%s' %
+                raise CompilerError, ('Python expression error:\n%s' %
                                       join(blk.errors, '\n') )
             guards = {'$guard': theGuard, '$write_guard': WriteGuard,
                       '$read_guard': ReadGuard, '__debug__': __debug__}
@@ -263,6 +263,12 @@ if sys.modules.has_key('Zope'):
         def __str__(self):
             return 'Python expression "%s"' % self.expr
 else:
+    class getSecurityManager:
+        '''Null security manager'''
+        def validate(self, *args, **kwargs):
+            return 1
+        validateValue = validate
+
     class PythonExpr:
         def __init__(self, name, expr):
             try:
@@ -270,7 +276,7 @@ else:
                 exec 'def f():\n return %s\n' % strip(expr) in d
                 self._f = d['f']
             except:
-                raise TALESError, ('Python expression error:\n'
+                raise CompilerError, ('Python expression error:\n'
                                       '%s: %s') % sys.exc_info()[:2]
             self._f_varnames = vnames = []
             for vname in self._f.func_code.co_names:
@@ -310,14 +316,14 @@ def restrictedTraverse(self, path):
     REQUEST={'TraversalRequestNameStack': path}
     path.reverse()
     pop=path.pop
-    #securityManager=getSecurityManager()
+    securityManager=getSecurityManager()
 
     if not path[-1]:
         # If the path starts with an empty string, go to the root first.
         pop()
         self=self.getPhysicalRoot()
-        #if not securityManager.validateValue(self):
-        #    raise 'Unauthorized', name
+        if not securityManager.validateValue(self):
+            raise 'Unauthorized', name
                     
     object = self
     while path:
@@ -330,8 +336,8 @@ def restrictedTraverse(self, path):
         if name=='..':
             o=getattr(object, 'aq_parent', M)
             if o is not M:
-                #if not securityManager.validate(object, object, name, o):
-                #    raise 'Unauthorized', name
+                if not securityManager.validate(object, object, name, o):
+                    raise 'Unauthorized', name
                 object=o
                 continue
 
@@ -341,8 +347,8 @@ def restrictedTraverse(self, path):
                     
             # Note we pass no container, because we have no
             # way of knowing what it is
-            #if not securityManager.validate(object, None, name, o):
-            #    raise 'Unauthorized', name
+            if not securityManager.validate(object, None, name, o):
+                raise 'Unauthorized', name
                       
         else:
             o=get(object, name, M)
@@ -350,20 +356,20 @@ def restrictedTraverse(self, path):
                 # waaaa
                 if hasattr(get(object,'aq_base',object), name):
                     # value wasn't acquired
-                    #if not securityManager.validate(
-                    #    object, object, name, o):
-                    #    raise 'Unauthorized', name
+                    if not securityManager.validate(
+                        object, object, name, o):
+                        raise 'Unauthorized', name
                     pass
                 else:
-                    #if not securityManager.validate(
-                    #    object, None, name, o):
-                    #    raise 'Unauthorized', name
+                    if not securityManager.validate(
+                        object, None, name, o):
+                        raise 'Unauthorized', name
                     pass
                         
             else:
                 o=object[name]
-                #if not securityManager.validate(object, object, None, o):
-                #    raise 'Unauthorized', name
+                if not securityManager.validate(object, object, None, o):
+                    raise 'Unauthorized', name
         object = o
 
     return object

lib/python/Products/PageTemplates/PageTemplate.py

@@ -87,7 +87,7 @@
 HTML- and XML-based template objects using TAL, TALES, and METAL.
 """
 
-__version__='$Revision: 1.1 $'[11:-2]
+__version__='$Revision: 1.2 $'[11:-2]
 
 import os, sys, traceback
 from TAL.TALParser import TALParser
@@ -157,6 +157,9 @@ class PageTemplate:
     def __call__(self, **kwargs):
         return self.pt_render(extra_context={'options': kwargs})
 
+    def pt_errors(self):
+        return self._v_errors
+
     def pt_diagnostic(self):
         return ('<html><body>\n'
                 '<h4>Page Template Diagnostics</h4>\n'

lib/python/Products/PageTemplates/TALES.py

@@ -87,7 +87,7 @@
 An implementation of a generic TALES engine
 """
 
-__version__='$Revision: 1.1 $'[11:-2]
+__version__='$Revision: 1.2 $'[11:-2]
 
 import re, sys
 from MultiMapping import MultiMapping
@@ -97,11 +97,17 @@ _parse_expr = re.compile(r"(%s):(.*)" % NAME_RE).match
 _valid_name = re.compile('%s$' % NAME_RE).match
 
 class TALESError(Exception):
-    '''TALES Error'''
+    __allow_access_to_unprotected_subobjects__ = 1
+    def __init__(self, expression, info=(None, None, None)):
+        self.type, self.value, self.traceback = info
+        self.expression = expression
 
-class RegistrationError(TALESError):
+class RegistrationError(Exception):
     '''TALES Type Registration Error'''
 
+class CompilerError(Exception):
+    '''TALES Compiler Error'''
+
 class Iterator:
     '''Simple Iterator class for use in Contexts'''
     def __init__(self, name, seq, context):
@@ -168,7 +174,7 @@ class Engine:
         try:
             handler = self.types[type]
         except KeyError:
-            raise TALESError, (
+            raise CompilerError, (
                 'Unrecognized expression type "%s".' % type)
         try:
             return handler(type, expr, self)
@@ -244,8 +250,7 @@ class Context:
         try:
             return expression(self)
         except:
-            raise TALESError, "%s\n %s" % (expression,
-                                           "%s:%s" % sys.exc_info()[:2])
+            raise TALESError, (`expression`, sys.exc_info())
 
     evaluateValue = evaluate
 

lib/python/Products/PageTemplates/ZopePageTemplate.py

@@ -87,7 +87,7 @@
 Zope object encapsulating a Page Template.
 """
 
-__version__='$Revision: 1.2 $'[11:-2]
+__version__='$Revision: 1.3 $'[11:-2]
 
 import os, AccessControl, Acquisition, sys
 from Globals import DTMLFile, MessageDialog, package_home
@@ -152,6 +152,8 @@ class ZopePageTemplate(PageTemplate, Script, Historical, Cacheable,
     pt_editForm = DTMLFile('dtml/ptEdit', globals())
     manage = manage_main = pt_editForm
 
+    pt_diagnostic = DTMLFile('dtml/ptDiagnostic', globals())
+
     security.declareProtected('Change Page Templates',
       'pt_editAction', 'pt_setTitle', 'pt_edit',
       'pt_upload', 'pt_changePrefs')

lib/python/Products/PageTemplates/dtml/ptDiagnostic.dtml

+<dtml-var manage_page_header>
+
+<dtml-var expr="manage_form_title(this(), _,
+           form_title='Page Template Diagnostics',
+	   )">
+<p class="form-help">
+This Page Template needs the following changes in order to operate.
+</p>
+<dtml-in expr="container.pt_errors()">
+<p class="form-help>
+&dtml-sequence-item;
+</p>
+</dtml-in>
+
+
+<dtml-var manage_page_footer>

lib/python/Products/PageTemplates/tests/testExpressions.py

@@ -13,7 +13,7 @@ class ExpressionTests(unittest.TestCase):
         e.compile('x/y')
         e.compile('string:Fred')
         e.compile('string:A$B')
-        e.compile('string:a${x/y}b')
+        e.compile('string:a ${x/y} b ${y/z} c')
         e.compile('python: 2 + 2')
         
 def test_suite():