Commit f5a3fdd9 authored by Łukasz Nowak's avatar Łukasz Nowak Committed by Eteri

erp5_data_notebook: Respect preference

Before executing any code, check whether the server side is configured to execute
unrestricted code.
parent aa6c37c6
...@@ -43,6 +43,9 @@ except ImportError: ...@@ -43,6 +43,9 @@ except ImportError:
def Base_executeJupyter(self, python_expression=None, reference=None, \ def Base_executeJupyter(self, python_expression=None, reference=None, \
title=None, request_reference=False, **kw): title=None, request_reference=False, **kw):
# Check if implementation is enabled
if not self.getPortalObject().ERP5Site_isDataNotebookEnabled():
return "The synchronous and unrestricted implementation is not enabled on the server"
# Check permissions for current user and display message to non-authorized user # Check permissions for current user and display message to non-authorized user
if not self.Base_checkPermission('portal_components', 'Manage Portal'): if not self.Base_checkPermission('portal_components', 'Manage Portal'):
return "You are not authorized to access the script" return "You are not authorized to access the script"
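Review bot: The new preference check at the top of Base_executeJupyter runs before the existing permission check, so a caller who would fail `Base_checkPermission('portal_components', 'Manage Portal')` is now told whether unrestricted execution is enabled on this server before being turned away; authorization should be decided first so that unauthorized callers learn nothing about server configuration. Move the `if not self.getPortalObject().ERP5Site_isDataNotebookEnabled():` block below the permission check and its return. The gate is an acquired skin script (the test suite shadows it from portal_skins/custom), so a comment at the call such as `# Server-wide switch resolved through the skin layers; see ERP5Site_isDataNotebookEnabled` would tell the next reader where the decision actually lives. Base_executeJupyter's body continues outside the hunk.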
...@@ -46,13 +46,14 @@ ...@@ -46,13 +46,14 @@
<key> <string>text_content_warning_message</string> </key> <key> <string>text_content_warning_message</string> </key>
<value> <value>
<tuple> <tuple>
<string>W:401, 10: Use of exec (exec-used)</string> <string>W:426, 10: Use of exec (exec-used)</string>
<string>W:447, 10: Use of exec (exec-used)</string> <string>W:472, 10: Use of exec (exec-used)</string>
<string>W:460, 10: Use of exec (exec-used)</string> <string>W:485, 10: Use of exec (exec-used)</string>
<string>W:549, 4: No exception type(s) specified (bare-except)</string> <string>W:574, 4: No exception type(s) specified (bare-except)</string>
<string>W:557, 6: No exception type(s) specified (bare-except)</string> <string>W:582, 6: No exception type(s) specified (bare-except)</string>
<string>W:869, 6: Use of exec (exec-used)</string> <string>W:892, 6: Use of exec (exec-used)</string>
<string>W:1104, 2: Redefining name \'IFrame\' from outer scope (line 4) (redefined-outer-name)</string> <string>W:1128, 2: Redefining name \'IFrame\' from outer scope (line 4) (redefined-outer-name)</string>
<string>W: 19, 0: Unused log imported from Products.ERP5Type.Log (unused-import)</string>
</tuple> </tuple>
</value> </value>
</item> </item>
return context.getPortalObject().portal_preferences.isPreferredDataNotebookEnabled()
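Review bot: This one-line script is the only thing standing between a privileged caller and unrestricted code execution, yet it carries no comment saying so, and nothing on the page shows at which preference level `isPreferredDataNotebookEnabled` is resolved. If the property is also readable from a user-level Preference, a developer could enable the feature for themselves, which would not match the "server side is configured" intent in the commit message; confirm the property is defined only on the system preference, or read the site-level preference explicitly. I would add a header comment such as `# Server-side gate for Base_executeJupyter: unrestricted code runs only when the preference allows it` so the script is not mistaken for a cosmetic toggle. The file header for this new script is not shown on the page; the path is inferred from the id in the XML that follows.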
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>Script_magic</string> </key>
<value> <int>3</int> </value>
</item>
<item>
<key> <string>_bind_names</string> </key>
<value>
<object>
<klass>
<global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
</klass>
<tuple/>
<state>
<dictionary>
<item>
<key> <string>_asgns</string> </key>
<value>
<dictionary>
<item>
<key> <string>name_container</string> </key>
<value> <string>container</string> </value>
</item>
<item>
<key> <string>name_context</string> </key>
<value> <string>context</string> </value>
</item>
<item>
<key> <string>name_m_self</string> </key>
<value> <string>script</string> </value>
</item>
<item>
<key> <string>name_subpath</string> </key>
<value> <string>traverse_subpath</string> </value>
</item>
</dictionary>
</value>
</item>
</dictionary>
</state>
</object>
</value>
</item>
<item>
<key> <string>_params</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>ERP5Site_isDataNotebookEnabled</string> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
...@@ -51,6 +51,13 @@ class TestExecuteJupyter(ERP5TypeTestCase): ...@@ -51,6 +51,13 @@ class TestExecuteJupyter(ERP5TypeTestCase):
user_folder._doAddUser('member_user', '', ['Member','Authenticated',], []) user_folder._doAddUser('member_user', '', ['Member','Authenticated',], [])
# Assign developer role to user # Assign developer role to user
addUserToDeveloperRole('dev_user') addUserToDeveloperRole('dev_user')
# Create script to mock execution
createZODBPythonScript(self.getPortal().portal_skins.custom, "ERP5Site_isDataNotebookEnabled", '', "return True")
self.tic()
def beforeTearDown(self):
removeZODBPythonScript(self.getPortal().portal_skins.custom, "ERP5Site_isDataNotebookEnabled")
self.tic() self.tic()
def _newNotebook(self, reference=None): def _newNotebook(self, reference=None):
...@@ -128,6 +135,20 @@ portal.%s() ...@@ -128,6 +135,20 @@ portal.%s()
# Test that calling Base_runJupyter shouldn't change the context Title # Test that calling Base_runJupyter shouldn't change the context Title
self.assertNotEqual(portal.getTitle(), new_test_title) self.assertNotEqual(portal.getTitle(), new_test_title)
def testBase_executeJupyterRespectPreference(self):
self.login('dev_user')
removeZODBPythonScript(self.getPortal().portal_skins.custom, "ERP5Site_isDataNotebookEnabled")
createZODBPythonScript(self.getPortal().portal_skins.custom, "ERP5Site_isDataNotebookEnabled", '', "return False")
self.tic()
jupyter_code = "a = 1\na"
reference = 'Test.Notebook.PreferenceHandle'
result = self.portal.Base_executeJupyter(
reference=reference,
python_expression=jupyter_code
)
self.assertEqual(result, 'The synchronous and unrestricted implementation is not enabled on the server')
def testJupyterCompileInvalidPythonSyntax(self): def testJupyterCompileInvalidPythonSyntax(self):
""" """
Test how the JupyterCompile extension behaves when it receives Python Test how the JupyterCompile extension behaves when it receives Python
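Review bot: testBase_executeJupyterRespectPreference has no docstring, while the neighbouring tests (testJupyterCompileInvalidPythonSyntax just below) document what they exercise; add one such as `"""Base_executeJupyter must refuse to run code when ERP5Site_isDataNotebookEnabled returns False."""`. The test covers only the disabled path for a privileged user; a companion case asserting that a non-developer still receives 'You are not authorized to access the script' when the gate is open would pin the intended order of the two checks. Because afterSetUp in the earlier hunk of this section now shadows the real script with `return True` for every test, the preference-backed implementation is never exercised by this suite, which is acceptable for a unit test but deserves a comment at that mock noting that it bypasses portal_preferences. The enclosing TestExecuteJupyter class continues outside the hunk.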