ContributionTool: new isURLIngestionPermitted hook

This allows configuring what URLs can be ingested, by default, no URL can be ingested.

ContributionTool: new isURLIngestionPermitted hook
This allows configuring what URLs can be ingested, by default, no URL can be ingested.
30da809a · Jérome Perrin · 973ab86d · 30da809a · 30da809a · 30da809a
Commit 30da809a authored Nov 20, 2023 by Jérome Perrin
8 changed files
--- a/bt5/erp5_dms/TestTemplateItem/portal_components/test.erp5.testWebCrawler.py
+++ b/bt5/erp5_dms/TestTemplateItem/portal_components/test.erp5.testWebCrawler.py
@@ -29,6 +29,7 @@

 import unittest
 from Products.ERP5Type.tests.ERP5TypeTestCase import ERP5TypeTestCase
+from Products.ERP5Type.tests.utils import createZODBPythonScript, removeZODBPythonScript
 import urlnorm # pylint: disable=unused-import
               # This library is imported to detect lack of
               # urlnorm availibility in python environment
@@ -71,10 +72,20 @@ class TestWebCrawler(ERP5TypeTestCase):
    self.portal = self.getPortal()
    self.setSystemPreference()
    self.bootstrapWebSite()
+    createZODBPythonScript(
+      self.portal.portal_skins.custom,
+      "ContributionTool_isURLIngestionPermitted",
+      "url",
+      "return True",
+    )
    self.tic()

  def beforeTearDown(self):
    portal = self.portal
+    removeZODBPythonScript(
+      portal.portal_skins.custom,
+      'ContributionTool_isURLIngestionPermitted',
+    )
    module_id_list = [
      'web_page_module',
      'web_site_module',

--- a/bt5/erp5_ingestion_test/TestTemplateItem/portal_components/test.erp5.testLiveIngestion.py
+++ b/bt5/erp5_ingestion_test/TestTemplateItem/portal_components/test.erp5.testLiveIngestion.py
@@ -29,6 +29,7 @@


 from Products.ERP5Type.tests.ERP5TypeLiveTestCase import ERP5TypeLiveTestCase
+from Products.ERP5Type.tests.utils import createZODBPythonScript, removeZODBPythonScript
 from Products.CMFCore.utils import getToolByName
 import random
 import string
@@ -57,9 +58,19 @@ class TestIngestion(ERP5TypeLiveTestCase):
    self.login()
    self.portal = self.getPortal()
    self.setSystemPreference()
+    createZODBPythonScript(
+      self.portal.portal_skins.custom,
+      "ContributionTool_isURLIngestionPermitted",
+      "url",
+      "return True",
+    )

  def beforeTearDown(self):
    portal = self.portal
+    removeZODBPythonScript(
+      portal.portal_skins.custom,
+      'ContributionTool_isURLIngestionPermitted',
+    )
    # delete created documents by test
    for path in self._path_to_delete_list:
      document = portal.unrestrictedTraverse(path, None)

--- a/bt5/erp5_km_ui_test/SkinTemplateItem/portal_skins/erp5_km_ui_test/ContributionTool_isURLIngestionPermitted.py
+++ b/bt5/erp5_km_ui_test/SkinTemplateItem/portal_skins/erp5_km_ui_test/ContributionTool_isURLIngestionPermitted.py
+return url in ('http://www.erp5.com/login_form', 'http://www.erp5.com/nosuch_view')
--- a/bt5/erp5_km_ui_test/SkinTemplateItem/portal_skins/erp5_km_ui_test/ContributionTool_isURLIngestionPermitted.xml
+++ b/bt5/erp5_km_ui_test/SkinTemplateItem/portal_skins/erp5_km_ui_test/ContributionTool_isURLIngestionPermitted.xml
+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>_bind_names</string> </key>
+            <value>
+              <object>
+                <klass>
+                  <global name="_reconstructor" module="copy_reg"/>
+                </klass>
+                <tuple>
+                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
+                  <global name="object" module="__builtin__"/>
+                  <none/>
+                </tuple>
+                <state>
+                  <dictionary>
+                    <item>
+                        <key> <string>_asgns</string> </key>
+                        <value>
+                          <dictionary>
+                            <item>
+                                <key> <string>name_container</string> </key>
+                                <value> <string>container</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_context</string> </key>
+                                <value> <string>context</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_m_self</string> </key>
+                                <value> <string>script</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_subpath</string> </key>
+                                <value> <string>traverse_subpath</string> </value>
+                            </item>
+                          </dictionary>
+                        </value>
+                    </item>
+                  </dictionary>
+                </state>
+              </object>
+            </value>
+        </item>
+        <item>
+            <key> <string>_params</string> </key>
+            <value> <string>url</string> </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>ContributionTool_isURLIngestionPermitted</string> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>
--- a/bt5/erp5_ui_test/SkinTemplateItem/portal_skins/erp5_ui_test/ContributionTool_isURLIngestionPermitted.py
+++ b/bt5/erp5_ui_test/SkinTemplateItem/portal_skins/erp5_ui_test/ContributionTool_isURLIngestionPermitted.py
+return url == 'https://www.erp5.com'
--- a/bt5/erp5_ui_test/SkinTemplateItem/portal_skins/erp5_ui_test/ContributionTool_isURLIngestionPermitted.xml
+++ b/bt5/erp5_ui_test/SkinTemplateItem/portal_skins/erp5_ui_test/ContributionTool_isURLIngestionPermitted.xml
+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>_bind_names</string> </key>
+            <value>
+              <object>
+                <klass>
+                  <global name="_reconstructor" module="copy_reg"/>
+                </klass>
+                <tuple>
+                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
+                  <global name="object" module="__builtin__"/>
+                  <none/>
+                </tuple>
+                <state>
+                  <dictionary>
+                    <item>
+                        <key> <string>_asgns</string> </key>
+                        <value>
+                          <dictionary>
+                            <item>
+                                <key> <string>name_container</string> </key>
+                                <value> <string>container</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_context</string> </key>
+                                <value> <string>context</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_m_self</string> </key>
+                                <value> <string>script</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_subpath</string> </key>
+                                <value> <string>traverse_subpath</string> </value>
+                            </item>
+                          </dictionary>
+                        </value>
+                    </item>
+                  </dictionary>
+                </state>
+              </object>
+            </value>
+        </item>
+        <item>
+            <key> <string>_params</string> </key>
+            <value> <string>url</string> </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>ContributionTool_isURLIngestionPermitted</string> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>
--- a/product/ERP5/bootstrap/erp5_core/ToolComponentTemplateItem/portal_components/tool.erp5.ContributionTool.py
+++ b/product/ERP5/bootstrap/erp5_core/ToolComponentTemplateItem/portal_components/tool.erp5.ContributionTool.py
@@ -632,6 +632,9 @@ class ContributionTool(BaseTool):
    read filename and content_type
    return file_object, filename, content_type tuple
    """
+    isURLIngestionPermitted = self._getTypeBasedMethod('isURLIngestionPermitted')
+    if isURLIngestionPermitted is None or not isURLIngestionPermitted(url):
+      raise Unauthorized("URL ingestion not allowed")
    # Quote path part of url
    url = reencodeUrlEscapes(url)
    # build a new file from the url

--- a/product/ERP5OOo/tests/testIngestion.py
+++ b/product/ERP5OOo/tests/testIngestion.py
@@ -55,6 +55,7 @@ import urllib2
 import httplib
 import urlparse
 import base64
+import mock

 # test files' home
 TEST_FILES_HOME = os.path.join(os.path.dirname(__file__), 'test_document')
@@ -110,7 +111,8 @@ class IngestionTestCase(ERP5TypeTestCase):
      assert not activity_status
    self.portal.portal_caches.clearAllCache()
    # Cleanup portal_skins
-    script_id_list = ('Document_getPropertyDictFromContent',
+    script_id_list = ('ContributionTool_isURLIngestionPermitted',
+                      'Document_getPropertyDictFromContent',
                      'Document_getPropertyDictFromInput',
                      'Document_getPropertyDictFromFilename',
                      'Document_getPropertyDictFromUserLogin',
@@ -149,6 +151,12 @@ class TestIngestion(IngestionTestCase):
    self.portal_catalog = self.getCatalogTool()
    self.createDefaultCategoryList()
    self.setSimulatedNotificationScript()
+    createZODBPythonScript(
+      self.portal.portal_skins.custom,
+      "ContributionTool_isURLIngestionPermitted",
+      "url",
+      "return True",
+    )
    super(TestIngestion, self).afterSetUp()

  def setSimulatedNotificationScript(self, sequence=None, sequence_list=None, **kw):
@@ -1957,6 +1965,34 @@ return result
    self.assertEqual(new_doc.getData(), 'Hello World!')
    self.assertEqual(new_doc.getValidationState(), 'submitted')

+  def test_ContributionTool_isURLIngestionPermitted(self):
+    # default behavior when no type based method is to refuse ingestion
+    with mock.patch.object(
+        self.portal.portal_contributions.__class__,
+        '_getTypeBasedMethod',
+        return_value=None,
+      ):
+      with self.assertRaisesRegex(Unauthorized, "URL ingestion not allowed"):
+        self.portal.portal_contributions.newContent(url='https://www.erp5.com')
+
+    # and it can be customized by script
+    self.portal.portal_skins.custom.ContributionTool_isURLIngestionPermitted.ZPythonScript_edit(
+      'url', 'return url == "https://www.erp5.com"',
+    )
+    self.portal.portal_contributions.newContent(url="https://www.erp5.com")
+    self.tic()
+    for url in (
+        "https://www.erp5.com/", # with trailing slash
+        "https://www.erp5.com/path",
+        "https://www.erp5.com/?query",
+        "https://www.nexedi.com/",
+        "file:///tmp",
+        "/tmp",
+      ):
+      with self.assertRaisesRegex(Unauthorized, "URL ingestion not allowed"):
+        self.portal.portal_contributions.newContent(url=url)
+    self.tic()
+
  def test_User_Portal_Type_parameter_is_honoured(self):
    """Check that given portal_type is always honoured
    """