[hal_json] Choose named prefix over "_" for private variables passed via forms

dbcaa640 · Tomáš Peterka · Tomáš Peterka · 60c42769 · dbcaa640 · dbcaa640
Commit dbcaa640 authored May 04, 2018 by Tomáš Peterka Committed by Tomáš Peterka May 08, 2018
3 changed files
--- a/bt5/erp5_hal_json_style/SkinTemplateItem/portal_skins/erp5_hal_json_style/Base_callDialogMethod.py
+++ b/bt5/erp5_hal_json_style/SkinTemplateItem/portal_skins/erp5_hal_json_style/Base_callDialogMethod.py
@@ -203,7 +203,7 @@ if len(listbox_id_list):
 # First check for an query in form parameters - if they are there
 # that means previous view was a listbox with selected stuff so recover here
 query = extra_param.get("query", None)
-select_all = extra_param.get("_select_all", 0)
+select_all = extra_param.get("basedialog_select_all", 0)
 # inject `uids` into Scripts **kwargs when we got any `query` (empty or filled)
 if query is not None:
@@ -216,7 +216,7 @@ if query is not None:
 # early-stop if user selected all documents
 if query == "" and select_all == 0 and dialog_method != update_method:  # do not interrupt on UPDATE
-  extra_param["_select_all"] = 1
+  extra_param["basedialog_select_all"] = 1
  return context.Base_renderForm(
    dialog_id,
    message=translate("All documents are selected! Submit again to proceed or Cancel and narrow down your search."),

--- a/bt5/erp5_ui_test/SkinTemplateItem/portal_skins/erp5_ui_test/Folder_doNothing.py
+++ b/bt5/erp5_ui_test/SkinTemplateItem/portal_skins/erp5_ui_test/Folder_doNothing.py
@@ -13,14 +13,13 @@ else:
 if kwargs.get("update_method", ""):
  return context.Base_renderForm(dialog_id, message="Updated. " + message)
-if _my_confirmation == 0:
+if donothing_confirmation == 0:
-  # Here is an example of unfriendly confirmation Script which takes
+  # Here is an example of an adversary Script which hijacks `keep_items`
-  # whole keep_item for itself!
  # It should take keep_items from parameters, update it and pass it
-  # along. But no programmer will ever comply with that so we are ready!
+  # through. But no programmer will ever comply therefor we are ready!
  return context.Base_renderForm(dialog_id,
                                 message="Submit again to confirm. " + message,
                                 level='warning',
-                                 keep_items={'_my_confirmation': 1})
+                                 keep_items={'donothing_confirmation': 1})
 return context.Base_redirect(form_id, keep_items={"portal_status_message": message})
--- a/bt5/erp5_ui_test/SkinTemplateItem/portal_skins/erp5_ui_test/Folder_doNothing.xml
+++ b/bt5/erp5_ui_test/SkinTemplateItem/portal_skins/erp5_ui_test/Folder_doNothing.xml
@@ -50,7 +50,7 @@
        </item>
        <item>
            <key> <string>_params</string> </key>
-            <value> <string>dialog_id, form_id, uids, _my_confirmation=0, **kwargs</string> </value>
+            <value> <string>dialog_id, form_id, uids, donothing_confirmation=0, **kwargs</string> </value>
        </item>
        <item>
            <key> <string>id</string> </key>