changeset 5482:cded5f776bc1

merged moin/1.8 (1 package test is failing)
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Tue, 02 Feb 2010 15:29:21 +0100
parents d09832475f04 (current diff) f9a7aa1a4a4a (diff)
children 686b698d48ee a68d363312db
files MoinMoin/_tests/test_packages.py MoinMoin/config/multiconfig.py MoinMoin/packages.py MoinMoin/userprefs/changepass.py MoinMoin/userprefs/prefs.py MoinMoin/userprefs/suid.py MoinMoin/wikiutil.py
diffstat 4 files changed, 42 insertions(+), 29 deletions(-) [+]
--- a/MoinMoin/_tests/test_packages.py	Tue Feb 02 13:30:25 2010 +0100
+++ b/MoinMoin/_tests/test_packages.py	Tue Feb 02 15:29:21 2010 +0100
@@ -3,7 +3,8 @@
     MoinMoin - MoinMoin.packages tests
 
     @copyright: 2005 MoinMoin:AlexanderSchremmer,
-                2007 Federico Lorenzi
+                2007 Federico Lorenzi,
+                2010 MoinMoin:ReimarBauer
     @license: GNU GPL, see COPYING for details.
 """
 
@@ -34,14 +35,10 @@
 print|foo
 ReplaceUnderlay|testdatei|TestSeite2
 IgnoreExceptions|True
-DeletePage|TestSeiteDoesNotExist|Test ...
-DeletePage|FooPage|Test ...
 IgnoreExceptions|False
 AddRevision|foofile|FooPage
 AddRevision|foofile|FooPage
-setthemename|foo
 #foobar
-installplugin|foo|local|parser|testy
 """
 
     def extract_file(self, filename):
@@ -66,9 +63,7 @@
             py.test.skip('This test needs to be run using the test wiki.')
 
     def teardown_class(self):
-        DebugPackage(self.request, u"""moinmoinpackage|1
-DeletePage|FooPage|Test ...
-""").installPackage()
+        nuke_page(self.request, "FooPage")
 
     def testBasicPackageThings(self):
         become_superuser(self.request)
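Review bot: With `DeletePage`, `setthemename` and `installplugin` dropped from the test script in the previous hunk, nothing visible in this file exercises the new exclusion path for those actions. A test that installs a package containing `DeletePage|FooPage|Test ...` and asserts that the page still exists and that the package message reports the action as excluded would pin the security-relevant behaviour. `teardown_class` now depends on `nuke_page`, whose import is not visible in these hunks and should be confirmed.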
--- a/MoinMoin/config/multiconfig.py	Tue Feb 02 13:30:25 2010 +0100
+++ b/MoinMoin/config/multiconfig.py	Tue Feb 02 15:29:21 2010 +0100
@@ -893,6 +893,16 @@
     ('show_timings', False, "show some timing values at bottom of a page"),
     ('show_version', False, "show moin's version at the bottom of a page"),
 
+    ('packagepages_actions_excluded',
+     ['setthemename',  # related to questionable theme stuff, see below
+      'copythemefile', # maybe does not work, e.g. if no fs write permissions or real theme file path is unknown to moin
+      'installplugin', # code installation, potentially dangerous
+      'renamepage',    # dangerous with hierarchical acls
+      'deletepage',    # dangerous with hierarchical acls
+      'delattachment', # dangerous, no revisioning
+     ],
+     'list with excluded package actions (e.g. because they are dangerous / questionable)'),
+
     ('page_credits',
      [
        '<a href="http://moinmo.in/" title="This site uses the MoinMoin Wiki software.">MoinMoin Powered</a>',
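Review bot: `packagepages_actions_excluded` is a deny-list, so any `do_*` action added to the package installer later is enabled by default until someone remembers to list it here. A wiki config that sets its own value presumably replaces these six entries rather than extending them, which would silently re-enable `installplugin` or `deletepage`. The description string should say this, for example `'list of excluded package actions (lowercase names); setting this replaces the default list, so keep the dangerous entries unless you mean to enable them'`. An allow-list of permitted actions would fail closed, but that is a larger change than this merge.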
--- a/MoinMoin/packages.py	Tue Feb 02 13:30:25 2010 +0100
+++ b/MoinMoin/packages.py	Tue Feb 02 15:29:21 2010 +0100
@@ -3,7 +3,7 @@
     MoinMoin - Package Installer
 
     @copyright: 2005 MoinMoin:AlexanderSchremmer,
-                2007-2009 MoinMoin:ReimarBauer
+                2007-2010 MoinMoin:ReimarBauer
     @license: GNU GPL, see COPYING for details.
 """
 
@@ -429,7 +429,12 @@
             if fnname == '':
                 continue
             try:
-                fn = getattr(self, "do_" + fnname)
+                if fnname in self.request.cfg.packagepages_actions_excluded:
+                    self.msg += u"action package %s: excluded \n" % elements[0].strip()
+                    success = False
+                    continue
+                else:
+                    fn = getattr(self, "do_" + fnname)
             except AttributeError:
                 self.msg += u"Exception RuntimeScriptException: %s\n" % (
                         _("Unknown function %(func)s in line %(lineno)i.") %
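Review bot: The check `fnname in self.request.cfg.packagepages_actions_excluded` is an exact string comparison against lowercase names, while package scripts write actions in mixed case (`DeletePage`, `ReplaceUnderlay` in the test data). The exclusion therefore only holds if `fnname` was already lowercased above this hunk, which is not visible here; confirm that or compare on `fnname.lower()`. The refusal message is also not passed through `_()` and omits the line number, unlike the `Unknown function` message just below; `_("Action %(func)s in line %(lineno)i is excluded by configuration.")` would match it. The enclosing loop and method start outside the hunk.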
--- a/MoinMoin/userprefs/suid.py	Tue Feb 02 13:30:25 2010 +0100
+++ b/MoinMoin/userprefs/suid.py	Tue Feb 02 15:29:21 2010 +0100
@@ -31,28 +31,31 @@
 
     def handle_form(self):
         _ = self._
-        form = self.request.form
+        request = self.request
+        form = request.form
 
-        if 'cancel' in form:
+        if form.has_key('cancel'):
             return
 
-        if (wikiutil.checkTicket(self.request, self.request.form['ticket'])
-            and self.request.method == 'POST'):
-            uid = form.get('selected_user', '')
-            if not uid:
-                return 'error', _("No user selected")
-            theuser = user.User(self.request, uid, auth_method='setuid')
-            if not theuser or not theuser.exists():
-                return 'error', _("No user selected")
-            # set valid to True so superusers can even switch
-            # to disable accounts
-            theuser.valid = True
-            self.request._setuid_real_user = self.request.user
-            # now continue as the other user
-            self.request.user = theuser
-            return  _("You can now change the settings of the selected user account; log out to get back to your account.")
-        else:
-            return None
+        if request.method != 'POST':
+            return
+
+        if not wikiutil.checkTicket(request, form['ticket']):
+            return
+
+        uid = form.get('selected_user', '')
+        if not uid:
+            return 'error', _("No user selected")
+        theuser = user.User(request, uid, auth_method='setuid')
+        if not theuser or not theuser.exists():
+            return 'error', _("No user selected")
+        # set valid to True so superusers can even switch
+        # to disable accounts
+        theuser.valid = True
+        request._setuid_real_user = request.user
+        # now continue as the other user
+        request.user = theuser
+        return  _("You can now change the settings of the selected user account; log out to get back to your account.")
 
     def _user_select(self):
         options = []
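Review bot: `form['ticket']` in the new `checkTicket` guard raises `KeyError` when a POST arrives without a ticket field, so a malformed request ends in an unhandled exception instead of a clean refusal. `if not wikiutil.checkTicket(request, form.get('ticket', '')):` avoids that, assuming `checkTicket` rejects an empty string. The two new early returns also fail silently; returning `'error', _(...)` on a bad ticket, as the "No user selected" branches do, would tell the operator why nothing happened. Because this handler replaces `request.user` with another account, a server-side log entry naming the real and the target user would help auditing. The hunk does not show where the caller's superuser status is checked.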