Commit
Branch: refs/heads/master Date: 2024-09-10T12:41:32+02:00 Author: ale-rt (ale-rt) <[email protected]> Commit: plone/plone.app.layout@35ea07b Do not break if a syndication feed comes from a protected resource Files changed: A news/374.bugfix M plone/app/layout/links/tests/test_rssviewlet.py M plone/app/layout/links/viewlets.py Repository: plone.app.layout Branch: refs/heads/master Date: 2024-09-10T09:10:24-07:00 Author: David Glick (davisagli) <[email protected]> Commit: plone/plone.app.layout@1f16d91 Update plone/app/layout/links/tests/test_rssviewlet.py Files changed: M plone/app/layout/links/tests/test_rssviewlet.py Repository: plone.app.layout Branch: refs/heads/master Date: 2024-09-10T09:11:32-07:00 Author: David Glick (davisagli) <[email protected]> Commit: plone/plone.app.layout@d1c00f7 Merge pull request #375 from plone/ale/374/fix-unauthorized Do not break if a syndication feed comes from a protected resource Files changed: A news/374.bugfix M plone/app/layout/links/tests/test_rssviewlet.py M plone/app/layout/links/viewlets.py
Showing
1 changed file
with
43 additions
and
8 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,16 +1,51 @@ | ||
Repository: plonetheme.barceloneta | ||
Repository: plone.app.layout | ||
|
||
|
||
Branch: refs/heads/master | ||
Date: 2024-09-03T12:18:28+02:00 | ||
Author: Peter Mathis (petschki) <[email protected]> | ||
Commit: https://github.com/plone/plonetheme.barceloneta/commit/4edc57d0f63bfe9ac302e6469ba6403818f19916 | ||
Date: 2024-09-10T12:41:32+02:00 | ||
Author: ale-rt (ale-rt) <[email protected]> | ||
Commit: https://github.com/plone/plone.app.layout/commit/35ea07b06e517452ef8db7cf6fb34a2ed6f5ebd3 | ||
|
||
3.2.0-alpha.6 | ||
Do not break if a syndication feed comes from a protected resource | ||
|
||
Files changed: | ||
M package-lock.json | ||
M package.json | ||
A news/374.bugfix | ||
M plone/app/layout/links/tests/test_rssviewlet.py | ||
M plone/app/layout/links/viewlets.py | ||
|
||
b'diff --git a/package-lock.json b/package-lock.json\nindex b1177212..e8a9d17d 100644\n--- a/package-lock.json\n+++ b/package-lock.json\n@@ -1,12 +1,12 @@\n {\n "name": "@plone/plonetheme-barceloneta-base",\n- "version": "3.2.0-alpha.5",\n+ "version": "3.2.0-alpha.6",\n "lockfileVersion": 3,\n "requires": true,\n "packages": {\n "": {\n "name": "@plone/plonetheme-barceloneta-base",\n- "version": "3.2.0-alpha.5",\n+ "version": "3.2.0-alpha.6",\n "license": "MIT",\n "dependencies": {\n "bootstrap": "5.3.3"\ndiff --git a/package.json b/package.json\nindex f63ecea9..776d2481 100644\n--- a/package.json\n+++ b/package.json\n@@ -1,7 +1,7 @@\n {\n "name": "@plone/plonetheme-barceloneta-base",\n "description": "Plone Theme Barceloneta Resources",\n- "version": "3.2.0-alpha.5",\n+ "version": "3.2.0-alpha.6",\n "files": [\n "/scss",\n "/plonetheme/barceloneta/theme/tinymce/*.css"\n' | ||
b'diff --git a/news/374.bugfix b/news/374.bugfix\nnew file mode 100644\nindex 00000000..42cdb6cc\n--- /dev/null\n+++ b/news/374.bugfix\n@@ -0,0 +1,2 @@\n+Do not break if a syndication feed comes from a protected resource.\n+[ale-rt]\ndiff --git a/plone/app/layout/links/tests/test_rssviewlet.py b/plone/app/layout/links/tests/test_rssviewlet.py\nindex ae12c856..aaea7e41 100644\n--- a/plone/app/layout/links/tests/test_rssviewlet.py\n+++ b/plone/app/layout/links/tests/test_rssviewlet.py\n@@ -1,11 +1,16 @@\n from plone.app.layout.links.viewlets import RSSViewlet\n from plone.app.layout.viewlets.tests.base import ViewletsTestCase\n+from plone.app.testing import login\n+from plone.app.testing import logout\n from plone.app.testing import setRoles\n from plone.app.testing import TEST_USER_ID\n+from plone.app.testing import TEST_USER_NAME\n from plone.base.interfaces import ISiteSyndicationSettings\n from plone.registry.interfaces import IRegistry\n from zope.component import getUtility\n \n+import re\n+\n \n class TestRSSViewletView(ViewletsTestCase):\n def test_RSSViewlet(self):\n@@ -30,3 +35,52 @@ def test_RSSViewlet(self):\n self.assertFalse("<link" not in result)\n self.assertFalse("http://nohost/plone/atom.xml" not in result)\n self.assertFalse("http://nohost/plone/news/atom.xml" not in result)\n+\n+ def test_RSSViewlet_with_private_objs(self):\n+ setRoles(self.portal, TEST_USER_ID, ["Manager"])\n+ self.portal.invokeFactory("Folder", "news")\n+ registry = getUtility(IRegistry)\n+ settings = registry.forInterface(ISiteSyndicationSettings)\n+ self.assertTrue(settings.allowed)\n+\n+ # Stream a private folder\n+ self.portal.news.invokeFactory("Collection", "aggregator")\n+ settings.site_rss_items = (self.portal.news.aggregator.UID(),)\n+ request = self.layer["request"]\n+\n+ link_href_pattern = re.compile(r\'<link href="(.*?)"\')\n+\n+ # Verify that anonymous users can\'t see the RSS feed\n+ # from the aggregator collection\n+ logout()\n+ viewlet = RSSViewlet(self.portal, 
request.clone(), None, None)\n+ viewlet.update()\n+ result = viewlet.render()\n+\n+ self.assertSetEqual(\n+ {\n+ "http://nohost/plone/atom.xml",\n+ "http://nohost/plone/rss.xml",\n+ "http://nohost/plone/RSS",\n+ },\n+ {match.group(1) for match in link_href_pattern.finditer(result)},\n+ )\n+\n+ login(self.portal, TEST_USER_NAME)\n+ viewlet = RSSViewlet(self.portal, request.clone(), None, None)\n+ viewlet.update()\n+ result = viewlet.render()\n+\n+ # Verify that an anonymous users can see the RSS feed\n+ # from the aggregator collection\n+ self.assertSetEqual(\n+ {\n+ "http://nohost/plone/atom.xml",\n+ "http://nohost/plone/rss.xml",\n+ "http://nohost/plone/RSS",\n+ "http://nohost/plone/news/aggregator/atom.xml",\n+ "http://nohost/plone/news/aggregator/rss.xml",\n+ "http://nohost/plone/news/aggregator/RSS",\n+ },\n+ {match.group(1) for match in link_href_pattern.finditer(result)},\n+ )\ndiff --git a/plone/app/layout/links/viewlets.py b/plone/app/layout/links/viewlets.py\nindex 4be24c2d..cbcadc42 100644\n--- a/plone/app/layout/links/viewlets.py\n+++ b/plone/app/layout/links/viewlets.py\n@@ -1,3 +1,4 @@\n+from AccessControl import Unauthorized\n from Acquisition import aq_inner\n from plone.app.layout.viewlets import ViewletBase\n from plone.app.uuid.utils import uuidToObject\n@@ -156,7 +157,12 @@ def update(self):\n for uid in settings.site_rss_items:\n if not uid:\n continue\n- obj = uuidToObject(uid)\n+ try:\n+ obj = uuidToObject(uid)\n+ except Unauthorized:\n+ # Do not break if we do not have enough permission\n+ # to access the object\n+ obj = None\n if obj is None and uid[0] == "/":\n obj = portal.restrictedTraverse(uid.lstrip("/"), None)\n if obj is not None:\n' | ||
|
||
Repository: plone.app.layout | ||
|
||
|
||
Branch: refs/heads/master | ||
Date: 2024-09-10T09:10:24-07:00 | ||
Author: David Glick (davisagli) <[email protected]> | ||
Commit: https://github.com/plone/plone.app.layout/commit/1f16d91a81de14eb4ff23722ce2a701ab85a72de | ||
|
||
Update plone/app/layout/links/tests/test_rssviewlet.py | ||
|
||
Files changed: | ||
M plone/app/layout/links/tests/test_rssviewlet.py | ||
|
||
b'diff --git a/plone/app/layout/links/tests/test_rssviewlet.py b/plone/app/layout/links/tests/test_rssviewlet.py\nindex aaea7e41..b90b8de7 100644\n--- a/plone/app/layout/links/tests/test_rssviewlet.py\n+++ b/plone/app/layout/links/tests/test_rssviewlet.py\n@@ -71,7 +71,7 @@ def test_RSSViewlet_with_private_objs(self):\n viewlet.update()\n result = viewlet.render()\n \n- # Verify that an anonymous users can see the RSS feed\n+ # Verify that an authenticated user can see the RSS feed\n # from the aggregator collection\n self.assertSetEqual(\n {\n' | ||
|
||
Repository: plone.app.layout | ||
|
||
|
||
Branch: refs/heads/master | ||
Date: 2024-09-10T09:11:32-07:00 | ||
Author: David Glick (davisagli) <[email protected]> | ||
Commit: https://github.com/plone/plone.app.layout/commit/d1c00f7e9d41c5c0b8e208e6596cce8e8dccf3d8 | ||
|
||
Merge pull request #375 from plone/ale/374/fix-unauthorized | ||
|
||
Do not break if a syndication feed comes from a protected resource | ||
|
||
Files changed: | ||
A news/374.bugfix | ||
M plone/app/layout/links/tests/test_rssviewlet.py | ||
M plone/app/layout/links/viewlets.py | ||
|
||
b'diff --git a/news/374.bugfix b/news/374.bugfix\nnew file mode 100644\nindex 00000000..42cdb6cc\n--- /dev/null\n+++ b/news/374.bugfix\n@@ -0,0 +1,2 @@\n+Do not break if a syndication feed comes from a protected resource.\n+[ale-rt]\ndiff --git a/plone/app/layout/links/tests/test_rssviewlet.py b/plone/app/layout/links/tests/test_rssviewlet.py\nindex ae12c856..b90b8de7 100644\n--- a/plone/app/layout/links/tests/test_rssviewlet.py\n+++ b/plone/app/layout/links/tests/test_rssviewlet.py\n@@ -1,11 +1,16 @@\n from plone.app.layout.links.viewlets import RSSViewlet\n from plone.app.layout.viewlets.tests.base import ViewletsTestCase\n+from plone.app.testing import login\n+from plone.app.testing import logout\n from plone.app.testing import setRoles\n from plone.app.testing import TEST_USER_ID\n+from plone.app.testing import TEST_USER_NAME\n from plone.base.interfaces import ISiteSyndicationSettings\n from plone.registry.interfaces import IRegistry\n from zope.component import getUtility\n \n+import re\n+\n \n class TestRSSViewletView(ViewletsTestCase):\n def test_RSSViewlet(self):\n@@ -30,3 +35,52 @@ def test_RSSViewlet(self):\n self.assertFalse("<link" not in result)\n self.assertFalse("http://nohost/plone/atom.xml" not in result)\n self.assertFalse("http://nohost/plone/news/atom.xml" not in result)\n+\n+ def test_RSSViewlet_with_private_objs(self):\n+ setRoles(self.portal, TEST_USER_ID, ["Manager"])\n+ self.portal.invokeFactory("Folder", "news")\n+ registry = getUtility(IRegistry)\n+ settings = registry.forInterface(ISiteSyndicationSettings)\n+ self.assertTrue(settings.allowed)\n+\n+ # Stream a private folder\n+ self.portal.news.invokeFactory("Collection", "aggregator")\n+ settings.site_rss_items = (self.portal.news.aggregator.UID(),)\n+ request = self.layer["request"]\n+\n+ link_href_pattern = re.compile(r\'<link href="(.*?)"\')\n+\n+ # Verify that anonymous users can\'t see the RSS feed\n+ # from the aggregator collection\n+ logout()\n+ viewlet = RSSViewlet(self.portal, 
request.clone(), None, None)\n+ viewlet.update()\n+ result = viewlet.render()\n+\n+ self.assertSetEqual(\n+ {\n+ "http://nohost/plone/atom.xml",\n+ "http://nohost/plone/rss.xml",\n+ "http://nohost/plone/RSS",\n+ },\n+ {match.group(1) for match in link_href_pattern.finditer(result)},\n+ )\n+\n+ login(self.portal, TEST_USER_NAME)\n+ viewlet = RSSViewlet(self.portal, request.clone(), None, None)\n+ viewlet.update()\n+ result = viewlet.render()\n+\n+ # Verify that an authenticated user can see the RSS feed\n+ # from the aggregator collection\n+ self.assertSetEqual(\n+ {\n+ "http://nohost/plone/atom.xml",\n+ "http://nohost/plone/rss.xml",\n+ "http://nohost/plone/RSS",\n+ "http://nohost/plone/news/aggregator/atom.xml",\n+ "http://nohost/plone/news/aggregator/rss.xml",\n+ "http://nohost/plone/news/aggregator/RSS",\n+ },\n+ {match.group(1) for match in link_href_pattern.finditer(result)},\n+ )\ndiff --git a/plone/app/layout/links/viewlets.py b/plone/app/layout/links/viewlets.py\nindex 4be24c2d..cbcadc42 100644\n--- a/plone/app/layout/links/viewlets.py\n+++ b/plone/app/layout/links/viewlets.py\n@@ -1,3 +1,4 @@\n+from AccessControl import Unauthorized\n from Acquisition import aq_inner\n from plone.app.layout.viewlets import ViewletBase\n from plone.app.uuid.utils import uuidToObject\n@@ -156,7 +157,12 @@ def update(self):\n for uid in settings.site_rss_items:\n if not uid:\n continue\n- obj = uuidToObject(uid)\n+ try:\n+ obj = uuidToObject(uid)\n+ except Unauthorized:\n+ # Do not break if we do not have enough permission\n+ # to access the object\n+ obj = None\n if obj is None and uid[0] == "/":\n obj = portal.restrictedTraverse(uid.lstrip("/"), None)\n if obj is not None:\n' | ||
|
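Review bot: The added test `test_RSSViewlet_with_private_objs` covers only a UID entry in `site_rss_items`, so the path fallback right after the new `try`/`except Unauthorized` in `update()`, `portal.restrictedTraverse(uid.lstrip("/"), None)`, is never exercised against a protected resource. That branch presumably relies on the `None` default to absorb the denial, which is worth pinning with a second anonymous case that sets a path entry (constructed example: `settings.site_rss_items = ("/news/aggregator",)`) and asserts the same three portal-level hrefs. The comment in the `except` block could also state the access-control outcome, for example `# Not viewable by the current user: skip it so no feed link is rendered`. `update()` starts and continues outside the hunk, and the same patch is recorded twice on this page (commit 35ea07b and merge d1c00f7), so the note applies to both copies.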