changeset 5481:f9a7aa1a4a4a

merged moin/1.7
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Tue, 02 Feb 2010 14:30:11 +0100
parents 575601b3117d (current diff) 39cae9b6c0c8 (diff)
children cded5f776bc1 91aa8c3c515b
files MoinMoin/config/multiconfig.py MoinMoin/packages.py MoinMoin/userprefs/prefs.py MoinMoin/userprefs/suid.py
diffstat 5 files changed, 55 insertions(+), 36 deletions(-) [+]
--- a/MoinMoin/_tests/test_packages.py	Mon Feb 01 15:37:37 2010 +0100
+++ b/MoinMoin/_tests/test_packages.py	Tue Feb 02 14:30:11 2010 +0100
@@ -3,7 +3,8 @@
     MoinMoin - MoinMoin.packages tests
 
     @copyright: 2005 MoinMoin:AlexanderSchremmer,
-                2007 Federico Lorenzi
+                2007 Federico Lorenzi,
+                2010 MoinMoin:ReimarBauer
     @license: GNU GPL, see COPYING for details.
 """
 
@@ -34,14 +35,10 @@
 print|foo
 ReplaceUnderlay|testdatei|TestSeite2
 IgnoreExceptions|True
-DeletePage|TestSeiteDoesNotExist|Test ...
-DeletePage|FooPage|Test ...
 IgnoreExceptions|False
 AddRevision|foofile|FooPage
 AddRevision|foofile|FooPage
-setthemename|foo
 #foobar
-installplugin|foo|local|parser|testy
 """
 
     def extract_file(self, filename):
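Review bot: Dropping the `DeletePage`, `setthemename` and `installplugin` lines from the fixture removes the only coverage those actions had, and nothing in this test module asserts the replacement behaviour, namely that an excluded action is refused. The deleted lines are exactly the input such a test needs: a second fixture like `"moinmoinpackage|1\ninstallplugin|foo|local|parser|testy\n"` fed through `DebugPackage(...).installPackage()` should leave the installer's `success` flag cleared and its message containing `excluded`. How `installPackage` exposes the outcome is not visible here, so adapt the assertion to whatever it returns.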
@@ -66,9 +63,7 @@
             py.test.skip('This test needs to be run using the test wiki.')
 
     def teardown_class(self):
-        DebugPackage(self.request, u"""moinmoinpackage|1
-DeletePage|FooPage|Test ...
-""").installPackage()
+        nuke_page(self.request, "FooPage")
 
     def testBasicPackageThings(self):
         become_superuser(self.request)
--- a/MoinMoin/config/multiconfig.py	Mon Feb 01 15:37:37 2010 +0100
+++ b/MoinMoin/config/multiconfig.py	Tue Feb 02 14:30:11 2010 +0100
@@ -846,6 +846,16 @@
     ('traceback_show', True,
      "if True, show debug tracebacks to users when moin crashes"),
 
+    ('packagepages_actions_excluded',
+     ['setthemename',  # related to questionable theme stuff, see below
+      'copythemefile', # maybe does not work, e.g. if no fs write permissions or real theme file path is unknown to moin
+      'installplugin', # code installation, potentially dangerous
+      'renamepage',    # dangerous with hierarchical acls
+      'deletepage',    # dangerous with hierarchical acls
+      'delattachment', # dangerous, no revisioning
+     ],
+     'list with excluded package actions (e.g. because they are dangerous / questionable)'),
+
     ('page_credits',
      [
        '<a href="http://moinmo.in/" title="This site uses the MoinMoin Wiki software.">MoinMoin Powered</a>',
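Review bot: The help text for `packagepages_actions_excluded` says what the list is for but not what an entry is matched against; in this changeset's `packages.py` it is a plain membership test on the script's function name, so a spelling or casing mismatch silently re-enables the action. State that in the option description, for example `'names of package script actions (matched by exact name against the script keyword) that installPackage refuses to run'`, after confirming outside this hunk whether the keyword is normalised to lower case before the test. The `see below` in the `setthemename` comment points at nothing within this option block; either name the option it refers to or drop the reference.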
--- a/MoinMoin/packages.py	Mon Feb 01 15:37:37 2010 +0100
+++ b/MoinMoin/packages.py	Tue Feb 02 14:30:11 2010 +0100
@@ -3,7 +3,7 @@
     MoinMoin - Package Installer
 
     @copyright: 2005 MoinMoin:AlexanderSchremmer,
-                2007 MoinMoin:ReimarBauer
+                2007-2010 MoinMoin:ReimarBauer
     @license: GNU GPL, see COPYING for details.
 """
 
@@ -435,7 +435,12 @@
             if fnname == '':
                 continue
             try:
-                fn = getattr(self, "do_" + fnname)
+                if fnname in self.request.cfg.packagepages_actions_excluded:
+                    self.msg += u"action package %s: excluded \n" % elements[0].strip()
+                    success = False
+                    continue
+                else:
+                    fn = getattr(self, "do_" + fnname)
             except AttributeError:
                 self.msg += u"Exception RuntimeScriptException: %s\n" % (
                         _("Unknown function %(func)s in line %(lineno)i.") %
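Review bot: The exclusion test at the head of the `try` cannot raise `AttributeError`, so it should sit before the `try` as its own guard, which also removes the `else` branch and keeps the handler scoped to the `getattr` it was written for. The more important point is that `packagepages_actions_excluded` is a denylist: every `do_*` method added to the installer later is reachable from a package by default until someone remembers to extend the configuration, so an allowlist of permitted actions (default-deny) would fail safe. Note also that after an excluded line the loop continues with the rest of the script with `success` cleared, so a package is partially applied; if that is intended, the `excluded` message should say the remaining lines were still executed. The enclosing loop and the definitions of `fnname`, `elements` and `success` start before this hunk.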
--- a/MoinMoin/userprefs/prefs.py	Mon Feb 01 15:37:37 2010 +0100
+++ b/MoinMoin/userprefs/prefs.py	Tue Feb 02 14:30:11 2010 +0100
@@ -61,9 +61,6 @@
         form = self.request.form
         request = self.request
 
-        if request.request_method != 'POST':
-            return
-
         if not 'name' in request.user.auth_attribs:
             # Require non-empty name
             new_name = form.get('name', [request.user.name])[0]
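Review bot: Removing the `request_method != 'POST'` guard here makes this method rely on its caller for the method check; `handle_form` now performs it in this same changeset, but any other caller would accept a profile change on a GET request. If `handle_form` is the only entry point that is fine, yet the method's `def` line is above this hunk and carries no statement of that contract, so add one there: `# Precondition: caller has verified request_method == 'POST' and a valid ticket (see handle_form).` Whether other callers exist cannot be determined from this hunk.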
@@ -224,10 +221,16 @@
 
 
     def handle_form(self):
-        _ = self._
-        form = self.request.form
+        request = self.request
+        form = request.form
+  
+        if form.has_key('cancel'):
+            return
+  
+        if request.request_method != 'POST':
+            return
 
-        if form.has_key('cancel'):
+        if not wikiutil.checkTicket(request, form.get('ticket', [''])[0]):
             return
 
         if form.has_key('save'): # Save user profile
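Review bot: A failed `checkTicket` falls through to a bare `return`, so a user whose save was rejected (stale ticket, cached page, cross-site post) is shown the preferences page with no indication that nothing was stored; `suid.py` in this same changeset reports failures as `('error', message)` tuples, and `return 'error', _("Invalid ticket - please reload the form and try again.")` would make the rejection visible here too. That requires the `_ = self._` binding this hunk removes, and since the rest of `handle_form` runs past the hunk it is also worth checking that no later line still uses `_`. Lines `+  ` after `form = request.form` and after the cancel check carry trailing whitespace.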
@@ -393,6 +396,9 @@
             self._form.append(html.INPUT(type="hidden", name="action", value="userprefs"))
             self._form.append(html.INPUT(type="hidden", name="handler", value="prefs"))
 
+            ticket = wikiutil.createTicket(request)
+            self._form.append(html.INPUT(type="hidden", name="ticket", value="%s" % ticket))
+
         # Add buttons
         button_cell = []
         for name, label in buttons:
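Review bot: The hidden `ticket` input is appended inside a conditional branch whose condition begins before this hunk, while `handle_form` now rejects every submission lacking a valid ticket, so any path that renders the form without taking that branch produces a form that can never be saved; confirm the branch covers every rendered form, or move the ticket next to the `action`/`handler` inputs unconditionally if those are also conditional. Minor: `value="%s" % ticket` formats a string into itself, `value=ticket` says the same thing.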
--- a/MoinMoin/userprefs/suid.py	Mon Feb 01 15:37:37 2010 +0100
+++ b/MoinMoin/userprefs/suid.py	Tue Feb 02 14:30:11 2010 +0100
@@ -33,29 +33,32 @@
 
     def handle_form(self):
         _ = self._
-        form = self.request.form
+        request = self.request
+        form = request.form
 
-        if 'cancel' in form:
+        if form.has_key('cancel'):
             return
 
-        if (wikiutil.checkTicket(self.request, self.request.form['ticket'][0])
-            and self.request.request_method == 'POST'):
-            uid = form.get('selected_user', [''])[0]
-            if not uid:
-                return 'error', _("No user selected")
-            theuser = user.User(self.request, uid, auth_method='setuid')
-            if not theuser or not theuser.exists():
-                return 'error', _("No user selected")
-            # set valid to True so superusers can even switch
-            # to disable accounts
-            theuser.valid = True
-            self.request.session['setuid'] = uid
-            self.request._setuid_real_user = self.request.user
-            # now continue as the other user
-            self.request.user = theuser
-            return  _("You can now change the settings of the selected user account; log out to get back to your account.")
-        else:
-            return None
+        if request.request_method != 'POST':
+            return
+
+        if not wikiutil.checkTicket(request, form.get('ticket', [''])[0]):
+            return
+
+        uid = form.get('selected_user', [''])[0]
+        if not uid:
+            return 'error', _("No user selected")
+        theuser = user.User(request, uid, auth_method='setuid')
+        if not theuser or not theuser.exists():
+            return 'error', _("No user selected")
+        # set valid to True so superusers can even switch
+        # to disable accounts
+        theuser.valid = True
+        request.session['setuid'] = uid
+        request._setuid_real_user = request.user
+        # now continue as the other user
+        request.user = theuser
+        return  _("You can now change the settings of the selected user account; log out to get back to your account.")
 
     def _user_select(self):
         options = []
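Review bot: When the POST check or `checkTicket` fails the new code returns `None` exactly as it does for `cancel`, so a superuser whose switch was rejected gets no message and is left as if nothing happened; the method already uses `('error', _(...))` for "No user selected", so `return 'error', _("Invalid ticket - please reload the form and try again.")` on the ticket branch would make a rejected or replayed request visible. Setting `theuser.valid = True` on a possibly disabled account and replacing `request.user` is only safe if the caller has already been confirmed as a superuser; that check is not in this hunk, so it presumably lives in the plugin's `allowed()` hook and should be confirmed, and a comment at the top of the method such as `# Assumes allowed() has already restricted this handler to superusers - confirm` would record the dependency. The double space in `return  _(...)` is a leftover from the re-indentation. `_user_select` continues past the end of the hunk.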