[fc] Repository: plone.app.layout
Branch: refs/heads/master
Date: 2024-09-10T12:41:32+02:00
Author: ale-rt (ale-rt) <[email protected]>
Commit: plone/plone.app.layout@35ea07b

Do not break if a syndication feed comes from a protected resource

Files changed:
A news/374.bugfix
M plone/app/layout/links/tests/test_rssviewlet.py
M plone/app/layout/links/viewlets.py
Repository: plone.app.layout

Branch: refs/heads/master
Date: 2024-09-10T09:10:24-07:00
Author: David Glick (davisagli) <[email protected]>
Commit: plone/plone.app.layout@1f16d91

Update plone/app/layout/links/tests/test_rssviewlet.py

Files changed:
M plone/app/layout/links/tests/test_rssviewlet.py
Repository: plone.app.layout

Branch: refs/heads/master
Date: 2024-09-10T09:11:32-07:00
Author: David Glick (davisagli) <[email protected]>
Commit: plone/plone.app.layout@d1c00f7

Merge pull request #375 from plone/ale/374/fix-unauthorized

Do not break if a syndication feed comes from a protected resource

Files changed:
A news/374.bugfix
M plone/app/layout/links/tests/test_rssviewlet.py
M plone/app/layout/links/viewlets.py
davisagli committed Sep 10, 2024
1 parent 0dd1de0 commit 769fe89
Showing 1 changed file with 43 additions and 8 deletions.
51 changes: 43 additions & 8 deletions last_commit.txt
@@ -1,16 +1,51 @@
Repository: plonetheme.barceloneta
Repository: plone.app.layout


Branch: refs/heads/master
Date: 2024-09-03T12:18:28+02:00
Author: Peter Mathis (petschki) <[email protected]>
Commit: https://github.com/plone/plonetheme.barceloneta/commit/4edc57d0f63bfe9ac302e6469ba6403818f19916
Date: 2024-09-10T12:41:32+02:00
Author: ale-rt (ale-rt) <[email protected]>
Commit: https://github.com/plone/plone.app.layout/commit/35ea07b06e517452ef8db7cf6fb34a2ed6f5ebd3

3.2.0-alpha.6
Do not break if a syndication feed comes from a protected resource

Files changed:
M package-lock.json
M package.json
A news/374.bugfix
M plone/app/layout/links/tests/test_rssviewlet.py
M plone/app/layout/links/viewlets.py

b'diff --git a/package-lock.json b/package-lock.json\nindex b1177212..e8a9d17d 100644\n--- a/package-lock.json\n+++ b/package-lock.json\n@@ -1,12 +1,12 @@\n {\n "name": "@plone/plonetheme-barceloneta-base",\n- "version": "3.2.0-alpha.5",\n+ "version": "3.2.0-alpha.6",\n "lockfileVersion": 3,\n "requires": true,\n "packages": {\n "": {\n "name": "@plone/plonetheme-barceloneta-base",\n- "version": "3.2.0-alpha.5",\n+ "version": "3.2.0-alpha.6",\n "license": "MIT",\n "dependencies": {\n "bootstrap": "5.3.3"\ndiff --git a/package.json b/package.json\nindex f63ecea9..776d2481 100644\n--- a/package.json\n+++ b/package.json\n@@ -1,7 +1,7 @@\n {\n "name": "@plone/plonetheme-barceloneta-base",\n "description": "Plone Theme Barceloneta Resources",\n- "version": "3.2.0-alpha.5",\n+ "version": "3.2.0-alpha.6",\n "files": [\n "/scss",\n "/plonetheme/barceloneta/theme/tinymce/*.css"\n'
b'diff --git a/news/374.bugfix b/news/374.bugfix\nnew file mode 100644\nindex 00000000..42cdb6cc\n--- /dev/null\n+++ b/news/374.bugfix\n@@ -0,0 +1,2 @@\n+Do not break if a syndication feed comes from a protected resource.\n+[ale-rt]\ndiff --git a/plone/app/layout/links/tests/test_rssviewlet.py b/plone/app/layout/links/tests/test_rssviewlet.py\nindex ae12c856..aaea7e41 100644\n--- a/plone/app/layout/links/tests/test_rssviewlet.py\n+++ b/plone/app/layout/links/tests/test_rssviewlet.py\n@@ -1,11 +1,16 @@\n from plone.app.layout.links.viewlets import RSSViewlet\n from plone.app.layout.viewlets.tests.base import ViewletsTestCase\n+from plone.app.testing import login\n+from plone.app.testing import logout\n from plone.app.testing import setRoles\n from plone.app.testing import TEST_USER_ID\n+from plone.app.testing import TEST_USER_NAME\n from plone.base.interfaces import ISiteSyndicationSettings\n from plone.registry.interfaces import IRegistry\n from zope.component import getUtility\n \n+import re\n+\n \n class TestRSSViewletView(ViewletsTestCase):\n def test_RSSViewlet(self):\n@@ -30,3 +35,52 @@ def test_RSSViewlet(self):\n self.assertFalse("<link" not in result)\n self.assertFalse("http://nohost/plone/atom.xml" not in result)\n self.assertFalse("http://nohost/plone/news/atom.xml" not in result)\n+\n+ def test_RSSViewlet_with_private_objs(self):\n+ setRoles(self.portal, TEST_USER_ID, ["Manager"])\n+ self.portal.invokeFactory("Folder", "news")\n+ registry = getUtility(IRegistry)\n+ settings = registry.forInterface(ISiteSyndicationSettings)\n+ self.assertTrue(settings.allowed)\n+\n+ # Stream a private folder\n+ self.portal.news.invokeFactory("Collection", "aggregator")\n+ settings.site_rss_items = (self.portal.news.aggregator.UID(),)\n+ request = self.layer["request"]\n+\n+ link_href_pattern = re.compile(r\'<link href="(.*?)"\')\n+\n+ # Verify that anonymous users can\'t see the RSS feed\n+ # from the aggregator collection\n+ logout()\n+ viewlet = RSSViewlet(self.portal, 
request.clone(), None, None)\n+ viewlet.update()\n+ result = viewlet.render()\n+\n+ self.assertSetEqual(\n+ {\n+ "http://nohost/plone/atom.xml",\n+ "http://nohost/plone/rss.xml",\n+ "http://nohost/plone/RSS",\n+ },\n+ {match.group(1) for match in link_href_pattern.finditer(result)},\n+ )\n+\n+ login(self.portal, TEST_USER_NAME)\n+ viewlet = RSSViewlet(self.portal, request.clone(), None, None)\n+ viewlet.update()\n+ result = viewlet.render()\n+\n+ # Verify that an anonymous users can see the RSS feed\n+ # from the aggregator collection\n+ self.assertSetEqual(\n+ {\n+ "http://nohost/plone/atom.xml",\n+ "http://nohost/plone/rss.xml",\n+ "http://nohost/plone/RSS",\n+ "http://nohost/plone/news/aggregator/atom.xml",\n+ "http://nohost/plone/news/aggregator/rss.xml",\n+ "http://nohost/plone/news/aggregator/RSS",\n+ },\n+ {match.group(1) for match in link_href_pattern.finditer(result)},\n+ )\ndiff --git a/plone/app/layout/links/viewlets.py b/plone/app/layout/links/viewlets.py\nindex 4be24c2d..cbcadc42 100644\n--- a/plone/app/layout/links/viewlets.py\n+++ b/plone/app/layout/links/viewlets.py\n@@ -1,3 +1,4 @@\n+from AccessControl import Unauthorized\n from Acquisition import aq_inner\n from plone.app.layout.viewlets import ViewletBase\n from plone.app.uuid.utils import uuidToObject\n@@ -156,7 +157,12 @@ def update(self):\n for uid in settings.site_rss_items:\n if not uid:\n continue\n- obj = uuidToObject(uid)\n+ try:\n+ obj = uuidToObject(uid)\n+ except Unauthorized:\n+ # Do not break if we do not have enough permission\n+ # to access the object\n+ obj = None\n if obj is None and uid[0] == "/":\n obj = portal.restrictedTraverse(uid.lstrip("/"), None)\n if obj is not None:\n'

Repository: plone.app.layout


Branch: refs/heads/master
Date: 2024-09-10T09:10:24-07:00
Author: David Glick (davisagli) <[email protected]>
Commit: https://github.com/plone/plone.app.layout/commit/1f16d91a81de14eb4ff23722ce2a701ab85a72de

Update plone/app/layout/links/tests/test_rssviewlet.py

Files changed:
M plone/app/layout/links/tests/test_rssviewlet.py

b'diff --git a/plone/app/layout/links/tests/test_rssviewlet.py b/plone/app/layout/links/tests/test_rssviewlet.py\nindex aaea7e41..b90b8de7 100644\n--- a/plone/app/layout/links/tests/test_rssviewlet.py\n+++ b/plone/app/layout/links/tests/test_rssviewlet.py\n@@ -71,7 +71,7 @@ def test_RSSViewlet_with_private_objs(self):\n viewlet.update()\n result = viewlet.render()\n \n- # Verify that an anonymous users can see the RSS feed\n+ # Verify that an authenticated user can see the RSS feed\n # from the aggregator collection\n self.assertSetEqual(\n {\n'

Repository: plone.app.layout


Branch: refs/heads/master
Date: 2024-09-10T09:11:32-07:00
Author: David Glick (davisagli) <[email protected]>
Commit: https://github.com/plone/plone.app.layout/commit/d1c00f7e9d41c5c0b8e208e6596cce8e8dccf3d8

Merge pull request #375 from plone/ale/374/fix-unauthorized

Do not break if a syndication feed comes from a protected resource

Files changed:
A news/374.bugfix
M plone/app/layout/links/tests/test_rssviewlet.py
M plone/app/layout/links/viewlets.py

b'diff --git a/news/374.bugfix b/news/374.bugfix\nnew file mode 100644\nindex 00000000..42cdb6cc\n--- /dev/null\n+++ b/news/374.bugfix\n@@ -0,0 +1,2 @@\n+Do not break if a syndication feed comes from a protected resource.\n+[ale-rt]\ndiff --git a/plone/app/layout/links/tests/test_rssviewlet.py b/plone/app/layout/links/tests/test_rssviewlet.py\nindex ae12c856..b90b8de7 100644\n--- a/plone/app/layout/links/tests/test_rssviewlet.py\n+++ b/plone/app/layout/links/tests/test_rssviewlet.py\n@@ -1,11 +1,16 @@\n from plone.app.layout.links.viewlets import RSSViewlet\n from plone.app.layout.viewlets.tests.base import ViewletsTestCase\n+from plone.app.testing import login\n+from plone.app.testing import logout\n from plone.app.testing import setRoles\n from plone.app.testing import TEST_USER_ID\n+from plone.app.testing import TEST_USER_NAME\n from plone.base.interfaces import ISiteSyndicationSettings\n from plone.registry.interfaces import IRegistry\n from zope.component import getUtility\n \n+import re\n+\n \n class TestRSSViewletView(ViewletsTestCase):\n def test_RSSViewlet(self):\n@@ -30,3 +35,52 @@ def test_RSSViewlet(self):\n self.assertFalse("<link" not in result)\n self.assertFalse("http://nohost/plone/atom.xml" not in result)\n self.assertFalse("http://nohost/plone/news/atom.xml" not in result)\n+\n+ def test_RSSViewlet_with_private_objs(self):\n+ setRoles(self.portal, TEST_USER_ID, ["Manager"])\n+ self.portal.invokeFactory("Folder", "news")\n+ registry = getUtility(IRegistry)\n+ settings = registry.forInterface(ISiteSyndicationSettings)\n+ self.assertTrue(settings.allowed)\n+\n+ # Stream a private folder\n+ self.portal.news.invokeFactory("Collection", "aggregator")\n+ settings.site_rss_items = (self.portal.news.aggregator.UID(),)\n+ request = self.layer["request"]\n+\n+ link_href_pattern = re.compile(r\'<link href="(.*?)"\')\n+\n+ # Verify that anonymous users can\'t see the RSS feed\n+ # from the aggregator collection\n+ logout()\n+ viewlet = RSSViewlet(self.portal, 
request.clone(), None, None)\n+ viewlet.update()\n+ result = viewlet.render()\n+\n+ self.assertSetEqual(\n+ {\n+ "http://nohost/plone/atom.xml",\n+ "http://nohost/plone/rss.xml",\n+ "http://nohost/plone/RSS",\n+ },\n+ {match.group(1) for match in link_href_pattern.finditer(result)},\n+ )\n+\n+ login(self.portal, TEST_USER_NAME)\n+ viewlet = RSSViewlet(self.portal, request.clone(), None, None)\n+ viewlet.update()\n+ result = viewlet.render()\n+\n+ # Verify that an authenticated user can see the RSS feed\n+ # from the aggregator collection\n+ self.assertSetEqual(\n+ {\n+ "http://nohost/plone/atom.xml",\n+ "http://nohost/plone/rss.xml",\n+ "http://nohost/plone/RSS",\n+ "http://nohost/plone/news/aggregator/atom.xml",\n+ "http://nohost/plone/news/aggregator/rss.xml",\n+ "http://nohost/plone/news/aggregator/RSS",\n+ },\n+ {match.group(1) for match in link_href_pattern.finditer(result)},\n+ )\ndiff --git a/plone/app/layout/links/viewlets.py b/plone/app/layout/links/viewlets.py\nindex 4be24c2d..cbcadc42 100644\n--- a/plone/app/layout/links/viewlets.py\n+++ b/plone/app/layout/links/viewlets.py\n@@ -1,3 +1,4 @@\n+from AccessControl import Unauthorized\n from Acquisition import aq_inner\n from plone.app.layout.viewlets import ViewletBase\n from plone.app.uuid.utils import uuidToObject\n@@ -156,7 +157,12 @@ def update(self):\n for uid in settings.site_rss_items:\n if not uid:\n continue\n- obj = uuidToObject(uid)\n+ try:\n+ obj = uuidToObject(uid)\n+ except Unauthorized:\n+ # Do not break if we do not have enough permission\n+ # to access the object\n+ obj = None\n if obj is None and uid[0] == "/":\n obj = portal.restrictedTraverse(uid.lstrip("/"), None)\n if obj is not None:\n'
