changeset 4053:31617ef6a68b

bug fix for MoinMoinBugs/SystemAdminMailAccountData by using POST and forms for recoverpass and enable/disable useraccount (ported from 1.7)
author Reimar Bauer <rb.proj AT googlemail DOT com>
date Sun, 31 Aug 2008 20:51:57 +0200
parents 0cdc180a2932
children 691e12f53408
files MoinMoin/userform/admin.py MoinMoin/widget/browser.py docs/CHANGES
diffstat 3 files changed, 35 insertions(+), 30 deletions(-) [+]
--- a/MoinMoin/userform/admin.py	Sun Aug 31 03:09:20 2008 +0200
+++ b/MoinMoin/userform/admin.py	Sun Aug 31 20:51:57 2008 +0200
@@ -4,13 +4,13 @@
 
     @copyright: 2001-2004 Juergen Hermann <jh@web.de>,
                 2003-2007 MoinMoin:ThomasWaldmann
-                2007 MoinMoin:ReimarBauer
+                2007-2008 MoinMoin:ReimarBauer
     @license: GNU GPL, see COPYING for details.
 """
 from MoinMoin import user, wikiutil
 from MoinMoin.util.dataset import TupleDataset, Column
 from MoinMoin.Page import Page
-
+from MoinMoin.widget import html
 
 def do_user_browser(request):
     """ Browser for SystemAdmin macro. """
@@ -42,33 +42,32 @@
         else:
             namelink = wikiutil.escape(account.name)
 
+        # creates the POST data for account disable/enable
+        val = "1"
+        text=_('Disable user')
         if account.disabled:
-            enable_disable_link = request.page.link_to(
-                                    request, text=_('Enable user'),
-                                    querystr={"action": "userprofile",
-                                              "name": account.name,
-                                              "key": "disabled",
-                                              "val": "0",
-                                             },
-                                    rel='nofollow')
+            text=_('Enable user')
+            val = "0"
             namelink += " (%s)" % _("disabled")
-        else:
-            enable_disable_link = request.page.link_to(
-                                    request, text=_('Disable user'),
-                                    querystr={"action": "userprofile",
-                                              "name": account.name,
-                                              "key": "disabled",
-                                              "val": "1",
-                                             },
-                                    rel='nofollow')
 
-        recoverpass_link = request.page.link_to(
-                            request, text=_('Mail account data'),
-                            querystr={"action": "recoverpass",
-                                      "email": account.email,
-                                      "account_sendmail": "1",
-                                      "sysadm": "users", },
-                            rel='nofollow')
+        url = request.page.url(request)
+        ret = html.FORM(action=url)
+        ret.append(html.INPUT(type='hidden', name='action', value='userprofile'))
+        ret.append(html.INPUT(type='hidden', name='name', value=account.name))
+        ret.append(html.INPUT(type='hidden', name='key', value="disabled"))
+        ret.append(html.INPUT(type='hidden', name='val', value=val))
+        ret.append(html.INPUT(type='submit', name='userprofile', value=text))
+        enable_disable_link = unicode(unicode(ret))
+
+        # creates the POST data for recoverpass
+        url = request.page.url(request)
+        ret = html.FORM(action=url)
+        ret.append(html.INPUT(type='hidden', name='action', value='recoverpass'))
+        ret.append(html.INPUT(type='hidden', name='email', value=account.email))
+        ret.append(html.INPUT(type='hidden', name='account_sendmail', value="1"))
+        ret.append(html.INPUT(type='hidden', name='sysadm', value="users"))
+        ret.append(html.INPUT(type='submit', name='recoverpass', value=_('Mail account data')))
+        recoverpass_link =  unicode(unicode(ret))
 
         if account.email:
             email_link = (request.formatter.url(1, 'mailto:' + account.email, css='mailto') +
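Review bot: The two forms built here for `userprofile` and `recoverpass` contain only fixed hidden fields and no per-session token, so moving from links to POST does not by itself let the handlers tell a click on this page from a forged cross-site submission. Consider adding one more hidden `html.INPUT` that carries a server-issued token, and rejecting requests without a valid one in both action handlers, which are outside this diff. `account.name` and `account.email` are user-supplied and now end up in `value` attributes, so it is worth confirming that `html.INPUT` escapes attribute values. `do_user_browser` begins and ends outside this hunk.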
@@ -89,7 +88,7 @@
             request.formatter.rawHTML(grouppage_links),
             email_link,
             jabber_link,
-            recoverpass_link + " - " + enable_disable_link
+            recoverpass_link + enable_disable_link
         ))
 
     if data:
@@ -97,7 +96,7 @@
 
         browser = DataBrowserWidget(request)
         browser.setData(data)
-        return browser.render()
+        return browser.render(method="POST")
 
     # No data
     return ''
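Review bot: `browser.render(method="POST")` turns the widget's own `<form>` (emitted by `_format` in MoinMoin/widget/browser.py) into a POST form, and the per-row `html.FORM` elements built earlier in `do_user_browser` appear to be rendered inside it. HTML does not allow nested forms, and parsers typically drop an inner `<form>` start tag, so for at least the first row the submitted action and hidden fields depend on the browser. If that is why the method was changed, a comment such as `# row cells contain their own forms; browsers may fold the first one into this outer form, so it must POST too` would record the reason. The cleaner fix is to keep the row forms outside the widget's form. The function body starts outside this hunk.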
--- a/MoinMoin/widget/browser.py	Sun Aug 31 03:09:20 2008 +0200
+++ b/MoinMoin/widget/browser.py	Sun Aug 31 20:51:57 2008 +0200
@@ -93,11 +93,16 @@
         common[2] = self._makeoption(self._notempty, value == self.__notempty, self.__notempty)
         return '\n'.join(common + result)
 
-    def _format(self, formatter=None):
+    def _format(self, formatter=None, method="GET"):
+        """
+        does the formatting of the table
+        @param formatter: formatter
+        @param method: GET or POST method
+        """
         fmt = formatter or self.request.formatter
 
         result = []
-        result.append(fmt.rawHTML('<form action="%s/%s" method="GET" name="%sform">' % (self.request.getScriptname(), wikiutil.quoteWikinameURL(self.request.page.page_name), self.data_id)))
+        result.append(fmt.rawHTML('<form action="%s/%s" method="%s" name="%sform">' % (self.request.getScriptname(), wikiutil.quoteWikinameURL(self.request.page.page_name), method, self.data_id)))
         result.append(fmt.div(1))
 
         havefilters = False
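Review bot: `method` is formatted unescaped into the `<form>` tag passed to `fmt.rawHTML`, and nothing restricts it to the two values named in the docstring. Only the literal `"POST"` is passed in this commit, but a guard at the top of `_format`, e.g. `if method not in ("GET", "POST"): raise ValueError(method)`, keeps a later caller from writing arbitrary text into raw HTML. The docstring could also state that the default stays `GET`, so existing callers are unaffected. `_format` continues past the end of this hunk.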
--- a/docs/CHANGES	Sun Aug 31 03:09:20 2008 +0200
+++ b/docs/CHANGES	Sun Aug 31 20:51:57 2008 +0200
@@ -99,6 +99,7 @@
 Version 1.7.current:
   Fixes:
     * Fix leakage of edit-log file handles (leaked 1 file handle / request!).
+    * Fix for MoinMoinBugs/SystemAdminMailAccountData (using POST and forms)
     * Wiki parser: avoid IndexError for empty #! line
     * MonthCalendar macro: fix parameter parsing / url generation
     * Xapian indexing filters (MoinMoin/filter/ or data/plugin/filter/):