1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
##############################################################################
#
# Zope Public License (ZPL) Version 1.0
# -------------------------------------
#
# Copyright (c) Digital Creations. All rights reserved.
#
# This license has been certified as Open Source(tm).
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#
# 1. Redistributions in source code must retain the above copyright
# notice, this list of conditions, and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions, and the following disclaimer in
# the documentation and/or other materials provided with the
# distribution.
#
# 3. Digital Creations requests that attribution be given to Zope
# in any manner possible. Zope includes a "Powered by Zope"
# button that is installed by default. While it is not a license
# violation to remove this button, it is requested that the
# attribution remain. A significant investment has been put
# into Zope, and this effort will continue if the Zope community
# continues to grow. This is one way to assure that growth.
#
# 4. All advertising materials and documentation mentioning
# features derived from or use of this software must display
# the following acknowledgement:
#
# "This product includes software developed by Digital Creations
# for use in the Z Object Publishing Environment
# (http://www.zope.org/)."
#
# In the event that the product being advertised includes an
# intact Zope distribution (with copyright and license included)
# then this clause is waived.
#
# 5. Names associated with Zope or Digital Creations must not be used to
# endorse or promote products derived from this software without
# prior written permission from Digital Creations.
#
# 6. Modified redistributions of any form whatsoever must retain
# the following acknowledgment:
#
# "This product includes software developed by Digital Creations
# for use in the Z Object Publishing Environment
# (http://www.zope.org/)."
#
# Intact (re-)distributions of any official Zope release do not
# require an external acknowledgement.
#
# 7. Modifications are encouraged but must be packaged separately as
# patches to official Zope releases. Distributions that do not
# clearly separate the patches from the original work must be clearly
# labeled as unofficial distributions. Modifications which do not
# carry the name Zope may be packaged in any form, as long as they
# conform to all of the clauses above.
#
#
# Disclaimer
#
# THIS SOFTWARE IS PROVIDED BY DIGITAL CREATIONS ``AS IS'' AND ANY
# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL DIGITAL CREATIONS OR ITS
# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
#
# This software consists of contributions made by Digital Creations and
# many individuals on behalf of Digital Creations. Specific
# attributions are listed in the accompanying credits file.
#
##############################################################################
"""Page Template Expression Engine
Page Template-specific implementation of TALES, with handlers
for Python expressions, string literals, and paths.
"""
__version__='$Revision: 1.20 $'[11:-2]
import re, sys
from TALES import Engine, CompilerError, _valid_name, NAME_RE, \
TALESError, Undefined, Default
from string import strip, split, join, replace, lstrip
from Acquisition import aq_base, aq_inner, aq_parent
_engine = None
def getEngine():
global _engine
if _engine is None:
_engine = Engine()
installHandlers(_engine)
_engine._nocatch = (TALESError, 'Redirect')
return _engine
def installHandlers(engine):
reg = engine.registerType
pe = PathExpr
for pt in ('standard', 'path', 'exists', 'nocall'):
reg(pt, pe)
reg('string', StringExpr)
reg('python', PythonExpr)
reg('not', NotExpr)
if sys.modules.has_key('Zope'):
import AccessControl
from AccessControl import getSecurityManager
if hasattr(AccessControl, 'full_read_guard'):
from ZRPythonExpr import PythonExpr, _SecureModuleImporter, \
call_with_ns
else:
from ZPythonExpr import PythonExpr, _SecureModuleImporter, \
call_with_ns
else:
from PythonExpr import getSecurityManager, PythonExpr
def call_with_ns(f, ns, arg=1):
if arg==2:
return f(None, ns)
else:
return f(ns)
def render(ob, ns):
"""
Calls the object, possibly a document template, or just returns it if
not callable. (From DT_Util.py)
"""
if hasattr(ob, '__render_with_namespace__'):
ob = call_with_ns(ob.__render_with_namespace__, ns)
else:
base = aq_base(ob)
if callable(base):
try:
if getattr(base, 'isDocTemp', 0):
ob = call_with_ns(ob, ns, 2)
else:
ob = ob()
except AttributeError, n:
if str(n) != '__call__':
raise
return ob
class PathExpr:
def __init__(self, name, expr, engine):
self._s = expr
self._name = name
self._paths = map(self._prepPath, split(expr, '|'))
def _prepPath(self, path):
path = split(strip(path), '/')
base = path.pop(0)
if not _valid_name(base):
raise CompilerError, 'Invalid variable name "%s"' % base
# Parse path
dp = []
for i in range(len(path)):
e = path[i]
if e[:1] == '?' and _valid_name(e[1:]):
dp.append((i, e[1:]))
dp.reverse()
return base, path, dp
def _eval(self, econtext, securityManager,
list=list, isinstance=isinstance, StringType=type(''),
render=render):
vars = econtext.vars
exists = 0
for base, path, dp in self._paths:
path = list(path) # Copy!
# Expand dynamic path parts from right to left.
for i, varname in dp:
val = vars[varname]
if isinstance(val, StringType):
path[i] = val
else:
# If the value isn't a string, assume it's a sequence
# of path names.
path[i:i+1] = list(val)
try:
__traceback_info__ = base
if base == 'CONTEXTS':
ob = econtext.contexts
else:
ob = vars[base]
if path:
ob = restrictedTraverse(ob, path, securityManager)
exists = 1
break
except (AttributeError, KeyError, TypeError, IndexError,
'Unauthorized'), e:
ob = Undefined(self._s, sys.exc_info())
if self._name == 'exists':
# All we wanted to know is whether one of the paths exist.
return exists
if self._name == 'nocall' or isinstance(ob, StringType):
return ob
# Return the rendered object
return render(ob, vars)
def __call__(self, econtext):
return self._eval(econtext, getSecurityManager())
def __str__(self):
return '%s expression "%s"' % (self._name, self._s)
def __repr__(self):
return '<PathExpr %s:%s>' % (self._name, self._s)
_interp = re.compile(r'\$(%(n)s)|\${(%(n)s(?:/%(n)s)*)}' % {'n': NAME_RE})
class StringExpr:
def __init__(self, name, expr, engine):
self._s = expr
if '%' in expr:
expr = replace(expr, '%', '%%')
self._vars = vars = []
if '$' in expr:
parts = []
for exp in split(expr, '$$'):
if parts: parts.append('$')
m = _interp.search(exp)
while m is not None:
parts.append(exp[:m.start()])
parts.append('%s')
vars.append(PathExpr('path', m.group(1) or m.group(2),
engine))
exp = exp[m.end():]
m = _interp.search(exp)
if '$' in exp:
raise CompilerError, (
'$ must be doubled or followed by a variable name '
'in string expression "%s"' % expr)
parts.append(exp)
expr = join(parts, '')
self._expr = expr
def __call__(self, econtext):
vvals = []
for var in self._vars:
v = var(econtext)
if isinstance(v, Exception):
raise v
vvals.append(v)
return self._expr % tuple(vvals)
def __str__(self):
return 'string expression %s' % `self._s`
def __repr__(self):
return '<StringExpr %s>' % `self._s`
class NotExpr:
def __init__(self, name, expr, compiler):
self._s = expr = lstrip(expr)
self._c = compiler.compile(expr)
def __call__(self, econtext):
return not econtext.evaluateBoolean(self._c)
def __repr__(self):
return '<NotExpr %s>' % `self._s`
def restrictedTraverse(self, path, securityManager,
get=getattr, has=hasattr, N=None, M=[]):
i = 0
if not path[0]:
# If the path starts with an empty string, go to the root first.
self = self.getPhysicalRoot()
if not securityManager.validateValue(self):
raise 'Unauthorized', name
i = 1
plen = len(path)
REQUEST={'TraversalRequestNameStack': path}
validate = securityManager.validate
object = self
while i < plen:
__traceback_info__ = (path, i)
name = path[i]
i = i + 1
if name[0] == '_':
# Never allowed in a URL.
raise AttributeError, name
if name=='..':
o = get(object, 'aq_parent', M)
if o is not M:
if not validate(object, object, name, o):
raise 'Unauthorized', name
object=o
continue
t=get(object, '__bobo_traverse__', N)
if t is not N:
o=t(REQUEST, name)
container = None
if has(o, 'im_self'):
container = o.im_self
elif (has(get(object, 'aq_base', object), name)
and get(object, name) == o):
container = object
if not validate(object, container, name, o):
raise 'Unauthorized', name
else:
o=get(object, name, M)
if o is not M:
# Check security.
if has(object, 'aq_acquire'):
object.aq_acquire(
name, validate2, validate)
else:
if not validate(object, object, name, o):
raise 'Unauthorized', name
else:
try:
o=object[name]
except (AttributeError, TypeError):
raise AttributeError, name
if not validate(object, object, name, o):
raise 'Unauthorized', name
object = o
return object
def validate2(orig, inst, name, v, real_validate):
if not real_validate(orig, inst, name, v):
raise 'Unauthorized', name
return 1