[fc] Repository: plone.app.discussion

Branch: refs/heads/master
Date: 2016-09-19T17:10:10+02:00
Author: Maurits van Rees (mauritsvanrees) <maurits@vanrees.org>
Commit: plone/plone.app.discussion@358ec89

Apply security hotfix 20160830 for redirects.

Files changed:
M CHANGES.rst
M plone/app/discussion/browser/moderation.py
M plone/app/discussion/tests/test_moderation_view.py
Repository: plone.app.discussion
Branch: refs/heads/master
Date: 2016-09-20T10:52:21+02:00
Author: Jens W. Klein (jensens) <jk@kleinundpartner.at>
Commit: plone/plone.app.discussion@6082876

Merge pull request #112 from plone/apply-hotfix-20160830-master

Apply security hotfix 20160830 for redirects. [master]

Files changed:
M CHANGES.rst
M plone/app/discussion/browser/moderation.py
M plone/app/discussion/tests/test_moderation_view.py

last_commit.txt

@@ -1,192 +1,256 @@
-Repository: plone.app.content
+Repository: plone.app.discussion
 
 
 Branch: refs/heads/master
-Date: 2016-09-19T11:17:31+02:00
+Date: 2016-09-19T17:10:10+02:00
 Author: Maurits van Rees (mauritsvanrees) <maurits@vanrees.org>
-Commit: https://github.com/plone/plone.app.content/commit/ab6f71df4fb5d76d001cfe6c685a6344a2446133
+Commit: https://github.com/plone/plone.app.discussion/commit/358ec89c03c3068993a1b73499d2e59f9d977088
 
-Apply security hotfix 20160830 for folder factories redirection.
+Apply security hotfix 20160830 for redirects.
 
 Files changed:
 M CHANGES.rst
-M plone/app/content/browser/folderfactories.py
-M plone/app/content/tests/test_folder.py
+M plone/app/discussion/browser/moderation.py
+M plone/app/discussion/tests/test_moderation_view.py
 
 diff --git a/CHANGES.rst b/CHANGES.rst
-index 52eb8e0..2efff9b 100644
+index 9a0748d..894e27f 100644
 --- a/CHANGES.rst
 +++ b/CHANGES.rst
 @@ -14,7 +14,7 @@ New features:
 
  Bug fixes:
 
 -- *add item here*
-+- Apply security hotfix 20160830 for folder factories redirection.  [maurits]
++- Apply security hotfix 20160830 for redirects.  [maurits]
 
+ - Update Traditional Chinese translation.
+   [l34marr]
+diff --git a/plone/app/discussion/browser/moderation.py b/plone/app/discussion/browser/moderation.py
+index 722386d..f1623ea 100644
+--- a/plone/app/discussion/browser/moderation.py
++++ b/plone/app/discussion/browser/moderation.py
+@@ -105,7 +105,9 @@ def __call__(self):
+                 type='info')
+         came_from = self.context.REQUEST.HTTP_REFERER
+         # if the referrer already has a came_from in it, don't redirect back
+-        if len(came_from) == 0 or 'came_from=' in came_from:
++        if (len(came_from) == 0 or 'came_from=' in came_from or
++                not getToolByName(
++                content_object, 'portal_url').isURLInPortal(came_from)):
+             came_from = content_object.absolute_url()
+         return self.context.REQUEST.RESPONSE.redirect(came_from)
 
- 3.3 (2016-09-14)
-diff --git a/plone/app/content/browser/folderfactories.py b/plone/app/content/browser/folderfactories.py
-index 7d505ad..523939d 100644
---- a/plone/app/content/browser/folderfactories.py
-+++ b/plone/app/content/browser/folderfactories.py
-@@ -27,7 +27,10 @@ class FolderFactoriesView(BrowserView):
+@@ -186,7 +188,9 @@ def __call__(self):
+             type='info')
+         came_from = self.context.REQUEST.HTTP_REFERER
+         # if the referrer already has a came_from in it, don't redirect back
+-        if len(came_from) == 0 or 'came_from=' in came_from:
++        if (len(came_from) == 0 or 'came_from=' in came_from or
++                not getToolByName(
++                content_object, 'portal_url').isURLInPortal(came_from)):
+             came_from = content_object.absolute_url()
+         return self.context.REQUEST.RESPONSE.redirect(came_from)
 
-     def __call__(self):
-         if 'form.button.Add' in self.request.form:
-+            urltool = getToolByName(self.context, 'portal_url')
-             url = self.request.form.get('url')
-+            if not urltool.isURLInPortal(url):
-+                url = self.context.absolute_url()
-             self.request.response.redirect(url)
-             return ''
-         else:
-diff --git a/plone/app/content/tests/test_folder.py b/plone/app/content/tests/test_folder.py
-index 058b17b..6e3b816 100644
---- a/plone/app/content/tests/test_folder.py
-+++ b/plone/app/content/tests/test_folder.py
-@@ -2,6 +2,7 @@
- from DateTime import DateTime
- from plone.app.content.testing import PLONE_APP_CONTENT_AT_INTEGRATION_TESTING
- from plone.app.content.testing import PLONE_APP_CONTENT_DX_INTEGRATION_TESTING
-+from plone.app.content.testing import PLONE_APP_CONTENT_DX_FUNCTIONAL_TESTING
- from plone.app.testing import login
+diff --git a/plone/app/discussion/tests/test_moderation_view.py b/plone/app/discussion/tests/test_moderation_view.py
+index 9233a8c..849a0d0 100644
+--- a/plone/app/discussion/tests/test_moderation_view.py
++++ b/plone/app/discussion/tests/test_moderation_view.py
+@@ -1,12 +1,17 @@
+ # -*- coding: utf-8 -*-
+ from plone.app.discussion.browser.moderation import BulkActionsView
++from plone.app.discussion.browser.moderation import DeleteComment
++from plone.app.discussion.browser.moderation import PublishComment
+ from plone.app.discussion.browser.moderation import View
+ from plone.app.discussion.interfaces import IConversation
++from plone.app.discussion.interfaces import IDiscussionSettings
+ from plone.app.discussion.testing import PLONE_APP_DISCUSSION_INTEGRATION_TESTING  # noqa
  from plone.app.testing import setRoles
  from plone.app.testing import TEST_USER_ID
-@@ -473,3 +474,37 @@ def test_item_order_move_by_delta(self):
- class RearrangeATTest(RearrangeDXTest):
++from plone.registry.interfaces import IRegistry
+ from Products.CMFCore.utils import getToolByName
+ from zope.component import createObject
++from zope.component import queryUtility
 
-     layer = PLONE_APP_CONTENT_AT_INTEGRATION_TESTING
+ import unittest
+
+@@ -155,3 +160,48 @@ def test_delete(self):
+         comment = self.conversation.getComments().next()
+         self.assertTrue(comment)
+         self.assertEqual(comment, self.comment2)
++
 +
++class RedirectionTest(unittest.TestCase):
 +
-+class FolderFactoriesTest(unittest.TestCase):
-+    layer = PLONE_APP_CONTENT_DX_FUNCTIONAL_TESTING
++    layer = PLONE_APP_DISCUSSION_INTEGRATION_TESTING
 +
 +    def setUp(self):
++        # Update settings.
 +        self.portal = self.layer['portal']
 +        self.request = self.layer['request']
-+        login(self.portal, TEST_USER_NAME)
 +        setRoles(self.portal, TEST_USER_ID, ['Manager'])
++        # applyProfile(self.portal, 'plone.app.discussion:default')
++        registry = queryUtility(IRegistry)
++        settings = registry.forInterface(IDiscussionSettings)
++        settings.globally_enabled = True
++        self.portal.portal_workflow.setChainForPortalTypes(
++            ('Discussion Item',),
++            ('comment_review_workflow',))
++        # Create page plus comment.
++        self.portal.invokeFactory(
++            id='page',
++            title='Page 1',
++            type_name='Document'
++        )
++        self.page = self.portal.page
++        self.conversation = IConversation(self.page)
++        comment = createObject('plone.Comment')
++        comment.text = 'Comment text'
++        self.comment_id = self.conversation.addComment(comment)
++        self.comment = list(self.conversation.getComments())[0]
 +
-+    def test_folder_factories_regression(self):
-+        from plone.app.content.browser.folderfactories import (
-+            FolderFactoriesView as FFV)
-+        view = FFV(self.portal, self.request)
-+        self.request.form.update({
-+            'form.button.Add': 'yes',
-+            'url': self.portal.absolute_url()
-+        })
-+        view()
-+        self.assertEqual(self.request.response.headers.get('location'),
-+                         self.portal.absolute_url())
++    def test_regression(self):
++        page_url = self.page.absolute_url()
++        self.request['HTTP_REFERER'] = page_url
++        for Klass in (DeleteComment, PublishComment):
++            view = Klass(self.comment, self.request)
++            view.__parent__ = self.comment
++            self.assertEqual(page_url, view())
 +
-+    def test_folder_factories(self):
-+        from plone.app.content.browser.folderfactories import (
-+            FolderFactoriesView as FFV)
-+        view = FFV(self.portal, self.request)
-+        self.request.form.update({
-+            'form.button.Add': 'yes',
-+            'url': 'http://www.foobar.com'
-+        })
-+        view()
-+        self.assertNotEqual(self.request.response.headers.get('location'),
-+                            'http://www.foobar.com')
++    def test_valid_next_url(self):
++        self.request['HTTP_REFERER'] = 'http://attacker.com'
++        for Klass in (DeleteComment, PublishComment):
++            view = Klass(self.comment, self.request)
++            view.__parent__ = self.comment
++            self.assertNotEqual('http://attacker.com', view())
 
 
-Repository: plone.app.content
+Repository: plone.app.discussion
 
 
 Branch: refs/heads/master
-Date: 2016-09-19T12:43:14+02:00
+Date: 2016-09-20T10:52:21+02:00
 Author: Jens W. Klein (jensens) <jk@kleinundpartner.at>
-Commit: https://github.com/plone/plone.app.content/commit/7e72ab71ddd41c8bd8bbc0572c48279cdc1dd0a3
+Commit: https://github.com/plone/plone.app.discussion/commit/608287692ce4399771387da6a651ade27a97e835
 
-Merge pull request #108 from plone/apply-hotfix-20160830-master
+Merge pull request #112 from plone/apply-hotfix-20160830-master
 
-Apply security hotfix 20160830 for folder factories redirection. [master]
+Apply security hotfix 20160830 for redirects. [master]
 
 Files changed:
 M CHANGES.rst
-M plone/app/content/browser/folderfactories.py
-M plone/app/content/tests/test_folder.py
+M plone/app/discussion/browser/moderation.py
+M plone/app/discussion/tests/test_moderation_view.py
 
 diff --git a/CHANGES.rst b/CHANGES.rst
-index 52eb8e0..2efff9b 100644
+index 9a0748d..894e27f 100644
 --- a/CHANGES.rst
 +++ b/CHANGES.rst
 @@ -14,7 +14,7 @@ New features:
 
  Bug fixes:
 
 -- *add item here*
-+- Apply security hotfix 20160830 for folder factories redirection.  [maurits]
++- Apply security hotfix 20160830 for redirects.  [maurits]
 
+ - Update Traditional Chinese translation.
+   [l34marr]
+diff --git a/plone/app/discussion/browser/moderation.py b/plone/app/discussion/browser/moderation.py
+index 722386d..f1623ea 100644
+--- a/plone/app/discussion/browser/moderation.py
++++ b/plone/app/discussion/browser/moderation.py
+@@ -105,7 +105,9 @@ def __call__(self):
+                 type='info')
+         came_from = self.context.REQUEST.HTTP_REFERER
+         # if the referrer already has a came_from in it, don't redirect back
+-        if len(came_from) == 0 or 'came_from=' in came_from:
++        if (len(came_from) == 0 or 'came_from=' in came_from or
++                not getToolByName(
++                content_object, 'portal_url').isURLInPortal(came_from)):
+             came_from = content_object.absolute_url()
+         return self.context.REQUEST.RESPONSE.redirect(came_from)
 
- 3.3 (2016-09-14)
-diff --git a/plone/app/content/browser/folderfactories.py b/plone/app/content/browser/folderfactories.py
-index 7d505ad..523939d 100644
---- a/plone/app/content/browser/folderfactories.py
-+++ b/plone/app/content/browser/folderfactories.py
-@@ -27,7 +27,10 @@ class FolderFactoriesView(BrowserView):
+@@ -186,7 +188,9 @@ def __call__(self):
+             type='info')
+         came_from = self.context.REQUEST.HTTP_REFERER
+         # if the referrer already has a came_from in it, don't redirect back
+-        if len(came_from) == 0 or 'came_from=' in came_from:
++        if (len(came_from) == 0 or 'came_from=' in came_from or
++                not getToolByName(
++                content_object, 'portal_url').isURLInPortal(came_from)):
+             came_from = content_object.absolute_url()
+         return self.context.REQUEST.RESPONSE.redirect(came_from)
 
-     def __call__(self):
-         if 'form.button.Add' in self.request.form:
-+            urltool = getToolByName(self.context, 'portal_url')
-             url = self.request.form.get('url')
-+            if not urltool.isURLInPortal(url):
-+                url = self.context.absolute_url()
-             self.request.response.redirect(url)
-             return ''
-         else:
-diff --git a/plone/app/content/tests/test_folder.py b/plone/app/content/tests/test_folder.py
-index 058b17b..6e3b816 100644
---- a/plone/app/content/tests/test_folder.py
-+++ b/plone/app/content/tests/test_folder.py
-@@ -2,6 +2,7 @@
- from DateTime import DateTime
- from plone.app.content.testing import PLONE_APP_CONTENT_AT_INTEGRATION_TESTING
- from plone.app.content.testing import PLONE_APP_CONTENT_DX_INTEGRATION_TESTING
-+from plone.app.content.testing import PLONE_APP_CONTENT_DX_FUNCTIONAL_TESTING
- from plone.app.testing import login
+diff --git a/plone/app/discussion/tests/test_moderation_view.py b/plone/app/discussion/tests/test_moderation_view.py
+index 9233a8c..849a0d0 100644
+--- a/plone/app/discussion/tests/test_moderation_view.py
++++ b/plone/app/discussion/tests/test_moderation_view.py
+@@ -1,12 +1,17 @@
+ # -*- coding: utf-8 -*-
+ from plone.app.discussion.browser.moderation import BulkActionsView
++from plone.app.discussion.browser.moderation import DeleteComment
++from plone.app.discussion.browser.moderation import PublishComment
+ from plone.app.discussion.browser.moderation import View
+ from plone.app.discussion.interfaces import IConversation
++from plone.app.discussion.interfaces import IDiscussionSettings
+ from plone.app.discussion.testing import PLONE_APP_DISCUSSION_INTEGRATION_TESTING  # noqa
  from plone.app.testing import setRoles
  from plone.app.testing import TEST_USER_ID
-@@ -473,3 +474,37 @@ def test_item_order_move_by_delta(self):
- class RearrangeATTest(RearrangeDXTest):
++from plone.registry.interfaces import IRegistry
+ from Products.CMFCore.utils import getToolByName
+ from zope.component import createObject
++from zope.component import queryUtility
 
-     layer = PLONE_APP_CONTENT_AT_INTEGRATION_TESTING
+ import unittest
+
+@@ -155,3 +160,48 @@ def test_delete(self):
+         comment = self.conversation.getComments().next()
+         self.assertTrue(comment)
+         self.assertEqual(comment, self.comment2)
++
 +
++class RedirectionTest(unittest.TestCase):
 +
-+class FolderFactoriesTest(unittest.TestCase):
-+    layer = PLONE_APP_CONTENT_DX_FUNCTIONAL_TESTING
++    layer = PLONE_APP_DISCUSSION_INTEGRATION_TESTING
 +
 +    def setUp(self):
++        # Update settings.
 +        self.portal = self.layer['portal']
 +        self.request = self.layer['request']
-+        login(self.portal, TEST_USER_NAME)
 +        setRoles(self.portal, TEST_USER_ID, ['Manager'])
++        # applyProfile(self.portal, 'plone.app.discussion:default')
++        registry = queryUtility(IRegistry)
++        settings = registry.forInterface(IDiscussionSettings)
++        settings.globally_enabled = True
++        self.portal.portal_workflow.setChainForPortalTypes(
++            ('Discussion Item',),
++            ('comment_review_workflow',))
++        # Create page plus comment.
++        self.portal.invokeFactory(
++            id='page',
++            title='Page 1',
++            type_name='Document'
++        )
++        self.page = self.portal.page
++        self.conversation = IConversation(self.page)
++        comment = createObject('plone.Comment')
++        comment.text = 'Comment text'
++        self.comment_id = self.conversation.addComment(comment)
++        self.comment = list(self.conversation.getComments())[0]
 +
-+    def test_folder_factories_regression(self):
-+        from plone.app.content.browser.folderfactories import (
-+            FolderFactoriesView as FFV)
-+        view = FFV(self.portal, self.request)
-+        self.request.form.update({
-+            'form.button.Add': 'yes',
-+            'url': self.portal.absolute_url()
-+        })
-+        view()
-+        self.assertEqual(self.request.response.headers.get('location'),
-+                         self.portal.absolute_url())
++    def test_regression(self):
++        page_url = self.page.absolute_url()
++        self.request['HTTP_REFERER'] = page_url
++        for Klass in (DeleteComment, PublishComment):
++            view = Klass(self.comment, self.request)
++            view.__parent__ = self.comment
++            self.assertEqual(page_url, view())
 +
-+    def test_folder_factories(self):
-+        from plone.app.content.browser.folderfactories import (
-+            FolderFactoriesView as FFV)
-+        view = FFV(self.portal, self.request)
-+        self.request.form.update({
-+            'form.button.Add': 'yes',
-+            'url': 'http://www.foobar.com'
-+        })
-+        view()
-+        self.assertNotEqual(self.request.response.headers.get('location'),
-+                            'http://www.foobar.com')
++    def test_valid_next_url(self):
++        self.request['HTTP_REFERER'] = 'http://attacker.com'
++        for Klass in (DeleteComment, PublishComment):
++            view = Klass(self.comment, self.request)
++            view.__parent__ = self.comment
++            self.assertNotEqual('http://attacker.com', view())