Created DTMLFile as a more secure replacement for HTMLFile.

Moved Bindings.py (used by DTMLFile), Script.py, and associated files to Shared/DC/Scripts.  Refactored Bindings UI into separate BindingsUI class.
Changed PythonScripts to use DTMLFile.

lib/python/App/Management.py

@@ -85,13 +85,13 @@
 
 """Standard management interface support
 
-$Id: Management.py,v 1.36 2001/01/08 22:46:56 brian Exp $"""
+$Id: Management.py,v 1.37 2001/01/09 21:48:40 evan Exp $"""
 
-__version__='$Revision: 1.36 $'[11:-2]
+__version__='$Revision: 1.37 $'[11:-2]
 
 import sys, Globals, ExtensionClass, urllib
 from Dialogs import MessageDialog
-from Globals import HTMLFile
+from Globals import HTMLFile, DTMLFile
 from string import split, join, find
 from AccessControl import getSecurityManager
 
@@ -99,7 +99,7 @@ class Tabs(ExtensionClass.Base):
     """Mix-in provides management folder tab support."""
 
     manage_tabs__roles__=('Anonymous',)
-    manage_tabs=HTMLFile('dtml/manage_tabs', globals())
+    manage_tabs=DTMLFile('dtml/manage_tabs', globals())
     
 
     manage_options  =()

lib/python/App/special_dtml.py

@@ -84,8 +84,6 @@
 ##############################################################################
 
 import DocumentTemplate, Common, Persistence, MethodObject, Globals, os
-from Persistence import Persistent
-
 
 class HTML(DocumentTemplate.HTML,Persistence.Persistent,):
     "Persistent HTML Document Templates"
@@ -109,7 +107,7 @@ class HTMLFile(DocumentTemplate.HTMLFile,MethodObject.Method,):
             kw['__name__']=os.path.split(name)[-1]
         apply(HTMLFile.inheritedAttribute('__init__'),args,kw)
 
-    def __call__(self, *args, **kw):
+    def _cook_check(self):
         if Globals.DevelopmentMode:
             __traceback_info__=self.raw
             try:    mtime=os.stat(self.raw)[8]
@@ -117,10 +115,110 @@ class HTMLFile(DocumentTemplate.HTMLFile,MethodObject.Method,):
             if mtime != self._v_last_read:
                 self.cook()
                 self._v_last_read=mtime
+        elif not hasattr(self,'_v_cooked'):
+            try: changed=self.__changed__()
+            except: changed=1
+            self.cook()
+            if not changed: self.__changed__(0)
+
+    def __call__(self, *args, **kw):
+        self._cook_check()
         return apply(HTMLFile.inheritedAttribute('__call__'),
                      (self,)+args[1:],kw)
 
+defaultBindings = {'name_context': 'context',
+                   'name_container': 'container',
+                   'name_m_self': 'self',
+                   'name_ns': '_',
+                   'name_subpath': 'traverse_subpath'}
+
+from Shared.DC.Scripts.Bindings import Bindings
+from Acquisition import Explicit
+from DocumentTemplate.DT_String import _marker, DTReturn, render_blocks
+from DocumentTemplate.DT_Util import TemplateDict, InstanceDict
+
+class DTMLFile(Bindings, Explicit, HTMLFile):
+    "HTMLFile with bindings and support for __render_with_namespace__"
+    
+    class func_code: pass
+    func_code=func_code()
+    func_code.co_varnames=()
+    func_code.co_argcount=0
+
+    _Bindings_ns_class = TemplateDict
+
+    def __init__(self, name, _prefix=None, **kw):
+        self.ZBindings_edit(defaultBindings)
+        apply(DTMLFile.inheritedAttribute('__init__'),
+              (self, name, _prefix), kw)
+    
+    def _exec(self, bound_data, args, kw):
+        # Cook if we haven't already
+        self._cook_check()
+        
+        # Get our namespace
+        name_ns = self.getBindingAssignments().getAssignedName('name_ns')
+        ns = bound_data[name_ns]
+        push = ns._push
+        ns.validate = None
+
+        # Check for excessive recursion
+        level = ns.level
+        if level > 200: raise SystemError, (
+            'infinite recursion in document template')
+        ns.level = level + 1
+
+        req = None
+        kw_bind = kw
+        if level == 0:
+            # If this is the starting namespace, get the REQUEST.
+            try:
+                req = self.aq_acquire('REQUEST')
+            except: pass
+        else:
+            # Get last set of bindings.  Copy the request reference
+            # forward, and include older keyword arguments in the
+            # current 'keyword_args' binding.
+            try:
+                last_bound = ns[('current bindings',)]
+                req = last_bound.get('REQUEST', None)
+                old_kw = last_bound['keyword_args']
+                if old_kw:
+                    kw_bind = old_kw.copy()
+                    kw_bind.update(kw)
+            except: pass
+        # Add 'REQUEST' and 'keyword_args' bound names.
+        if req:
+            bound_data['REQUEST'] = req
+        bound_data['keyword_args'] = kw_bind
+
+        # Push globals, initialized variables, REQUEST (if any),
+        # and keyword arguments onto the namespace stack, followed
+        # by the the container and the bound names.
+
+        for nsitem in (self.globals, self._vars, req, kw):
+            if nsitem:
+                push(nsitem)
+
+        # This causes dtml files to bypass their context unless they
+        # explicitly use it through the 'context' name binding.
+        push(InstanceDict(self._getContainer(), ns))
+            
+        push(bound_data)
+        push({('current bindings',): bound_data})
 
+        try:
+            value = self.ZDocumentTemplate_beforeRender(ns, _marker)
+            if value is _marker:
+                try: result = render_blocks(self._v_blocks, ns)
+                except DTReturn, v: result = v.v
+                self.ZDocumentTemplate_afterRender(ns, result)
+                return result
+            else:
+                return value
+        finally:
+            # Clear the namespace
+            while len(ns): ns._pop()
 
 
 

lib/python/Globals.py

@@ -85,7 +85,7 @@
 
 """Global definitions"""
 
-__version__='$Revision: 1.43 $'[11:-2]
+__version__='$Revision: 1.44 $'[11:-2]
 
 import Acquisition, ComputedAttribute, App.PersistentExtra, os
 import TreeDisplay, string
@@ -94,7 +94,7 @@ from App.FindHomes import INSTANCE_HOME, SOFTWARE_HOME
 from DateTime import DateTime
 from App.Common import package_home, attrget, Dictionary
 from Persistence import Persistent, PersistentMapping
-from App.special_dtml import HTML, HTMLFile
+from App.special_dtml import HTML, HTMLFile, DTMLFile
 from App.class_init import default__class_init__, ApplicationDefaultPermissions
 from App.Dialogs import MessageDialog
 from App.ImageFile import ImageFile

lib/python/Products/PythonScripts/PythonScript.py

@@ -89,24 +89,23 @@ This product provides support for Script objects containing restricted
 Python code.
 """
 
-__version__='$Revision: 1.10 $'[11:-2]
+__version__='$Revision: 1.11 $'[11:-2]
 
 import sys, os, traceback, re
-from Globals import MessageDialog, HTMLFile, package_home
+from Globals import DTMLFile, package_home
 import AccessControl, OFS, Guarded
 from OFS.SimpleItem import SimpleItem
 from DateTime.DateTime import DateTime
 from string import join, strip, rstrip, split, replace, lower
 from urllib import quote
-from Bindings import Bindings, defaultBindings
-from Script import Script
+from Shared.DC.Scripts.Script import Script, BindingsUI, defaultBindings
 from AccessControl import getSecurityManager
 from OFS.History import Historical, html_diff
 from OFS.Cache import Cacheable
 from zLOG import LOG, ERROR, INFO
 
 _www = os.path.join(package_home(globals()), 'www')
-manage_addPythonScriptForm=HTMLFile('pyScriptAdd', _www)
+manage_addPythonScriptForm = DTMLFile('www/pyScriptAdd', globals())
 
 _marker = []  # Create a new marker object
 
@@ -141,43 +140,34 @@ class PythonScript(Script, Historical, Cacheable):
 
     manage_options = (
         {'label':'Edit', 'action':'ZPythonScriptHTML_editForm'},
-        ) + Bindings.manage_options + (
+        ) + BindingsUI.manage_options + (
         {'label':'Test', 'action':'ZScriptHTML_tryForm'},
         {'label':'Proxy', 'action':'manage_proxyForm'},
         ) + Historical.manage_options + SimpleItem.manage_options + \
         Cacheable.manage_options
 
-    __ac_permissions__ = (
-        ('View management screens',
-          ('ZPythonScriptHTML_editForm', 'ZPythonScriptHTML_changePrefs',
-           'manage_main', 'ZScriptHTML_tryForm', 'read')),
-        ('Change Python Scripts',
-          ('ZPythonScript_edit', 'PUT', 'manage_FTPput', 'write',
-           'ZPythonScript_setTitle', 'ZPythonScriptHTML_upload',
-           'ZPythonScriptHTML_uploadForm', 'manage_historyCopy',
-           'manage_beforeHistoryCopy', 'manage_afterHistoryCopy',
-           'ZPythonScriptHTML_editAction',)),
-        ('Change proxy roles', ('manage_proxyForm', 'manage_proxy')),
-        ('View', ('__call__', '')),
-        )
-
-    security = AccessControl.ClassSecurityInfo()
-
     def __init__(self, id):
         self.id = id
         self.ZBindings_edit(defaultBindings)
         self._makeFunction(1)
 
+    security = AccessControl.ClassSecurityInfo()
+
+    security.declareObjectProtected('View')
+    security.declareProtected('View', '__call__')
+
     security.declareProtected('View management screens',
       'ZPythonScriptHTML_editForm', 'manage_main', 'read',
-      'ZPythonScriptHTML_uploadForm', 'ZPythonScriptHTML_editAction',
-      'document_src')
-    ZPythonScriptHTML_editForm = HTMLFile('pyScriptEdit', _www)
-    manage = manage_main = ZPythonScriptHTML_editForm
-    ZPythonScriptHTML_uploadForm = HTMLFile('pyScriptUpload', _www)
+      'ZScriptHTML_tryForm', 'PrincipiaSearchSource',
+      'document_src', 'params', 'body')
 
-    ZScriptHTML_tryForm = HTMLFile('scriptTry', _www)
+    ZPythonScriptHTML_editForm = DTMLFile('www/pyScriptEdit', globals())
+    manage = manage_main = ZPythonScriptHTML_editForm
 
+    security.declareProtected('Change Python Scripts',
+      'ZPythonScriptHTML_editAction',
+      'ZPythonScript_setTitle', 'ZPythonScript_edit',
+      'ZPythonScriptHTML_upload', 'ZPythonScriptHTML_changePrefs')
     def ZPythonScriptHTML_editAction(self, REQUEST, title, params, body):
         """Change the script's main parameters."""
         self.ZPythonScript_setTitle(title)
@@ -189,8 +179,6 @@ class PythonScript(Script, Historical, Cacheable):
         return self.ZPythonScriptHTML_editForm(self, REQUEST,
                                                manage_tabs_message=message)
 
-    security.declareProtected('Change Python Scripts',
-      'ZPythonScript_setTitle', 'ZPythonScript_edit')
     def ZPythonScript_setTitle(self, title):
         title = str(title)
         if self.title != title:
@@ -213,27 +201,15 @@ class PythonScript(Script, Historical, Cacheable):
         return self.ZPythonScriptHTML_editForm(self, REQUEST,
                                                manage_tabs_message=message)
 
-    def ZScriptHTML_tryParams(self):
-        """Parameters to test the script with."""
-        param_names = []
-        for name in split(self._params, ','):
-            name = strip(name)
-            if name and name[0] != '*':
-                param_names.append(name)
-        return param_names
-
     def ZPythonScriptHTML_changePrefs(self, REQUEST, height=None, width=None,
                                       dtpref_cols='50', dtpref_rows='20'):
         """Change editing preferences."""
-        LOG('PythonScript', INFO, 'Change prefs h: %s, w: %s, '
-            'cols: %s, rows: %s' % (height, width, dtpref_cols, dtpref_rows)) 
         szchh = {'Taller': 1, 'Shorter': -1, None: 0}
         szchw = {'Wider': 5, 'Narrower': -5, None: 0}
         try: rows = int(height)
         except: rows = max(1, int(dtpref_rows) + szchh.get(height, 0))
         try: cols = int(width)
         except: cols = max(40, int(dtpref_cols) + szchw.get(width, 0))
-        LOG('PythonScript', INFO, 'to cols: %s, rows: %s' % (cols, rows))
         e = (DateTime('GMT') + 365).rfc822()
         setc = REQUEST['RESPONSE'].setCookie
         setc('dtpref_rows', str(rows), path='/', expires=e)
@@ -241,6 +217,15 @@ class PythonScript(Script, Historical, Cacheable):
         REQUEST.form.update({'dtpref_cols': cols, 'dtpref_rows': rows})
         return apply(self.manage_main, (self, REQUEST), REQUEST.form)
 
+    def ZScriptHTML_tryParams(self):
+        """Parameters to test the script with."""
+        param_names = []
+        for name in split(self._params, ','):
+            name = strip(name)
+            if name and name[0] != '*':
+                param_names.append(name)
+        return param_names
+
     def manage_historyCompare(self, rev1, rev2, REQUEST,
                               historyComparisonResults=''):
         return PythonScript.inheritedAttribute('manage_historyCompare')(
@@ -362,18 +347,24 @@ class PythonScript(Script, Historical, Cacheable):
 
     security.declareProtected('Change proxy roles',
       'manage_proxyForm', 'manage_proxy')
-    manage_proxyForm = HTMLFile('pyScriptProxy', _www)
+
+    manage_proxyForm = DTMLFile('www/pyScriptProxy', globals())
     def manage_proxy(self, roles=(), REQUEST=None):
         "Change Proxy Roles"
         self._validateProxy(roles)
         self._validateProxy()
         self.ZCacheable_invalidate()
         self._proxy_roles=tuple(roles)
-        if REQUEST: return MessageDialog(
+        if REQUEST: return Globals.MessageDialog(
                     title  ='Success!',
                     message='Your changes have been saved',
                     action ='manage_main')
 
+    security.declareProtected('Change Python Scripts',
+      'PUT', 'manage_FTPput', 'write',
+      'manage_historyCopy',
+      'manage_beforeHistoryCopy', 'manage_afterHistoryCopy')
+
     def PUT(self, REQUEST, RESPONSE):
         """ Handle HTTP PUT requests """
         self.dav__init(REQUEST, RESPONSE)

lib/python/Products/PythonScripts/__init__.py

@@ -83,14 +83,21 @@
 # 
 ##############################################################################
 __doc__='''Python Scripts Product Initialization
-$Id: __init__.py,v 1.4 2000/12/13 19:06:37 evan Exp $'''
-__version__='$Revision: 1.4 $'[11:-2]
+$Id: __init__.py,v 1.5 2001/01/09 21:48:42 evan Exp $'''
+__version__='$Revision: 1.5 $'[11:-2]
 
 import PythonScript
 try:
     import standard
 except: pass
 
+# Temporary
+from Shared.DC import Scripts
+__module_aliases__ = (
+    ('Products.PythonScripts.Script', Scripts.Script),
+    ('Products.PythonScripts.Bindings', Scripts.Bindings),
+    ('Products.PythonScripts.BindingsUI', Scripts.BindingsUI),)
+
 __roles__ = None
 __allow_access_to_unprotected_subobjects__ = 1
 

lib/python/Products/PythonScripts/Bindings.py → lib/python/Shared/DC/Scripts/Bindings.py

@@ -83,16 +83,12 @@
 # 
 ##############################################################################
 
-__version__='$Revision: 1.5 $'[11:-2]
+__version__='$Revision$'[11:-2]
 
 import Globals
-from Globals import Persistent, HTMLFile, package_home
-from DocumentTemplate.DT_Util import TemplateDict
+from Persistence import Persistent
 from string import join, strip
 import re
-import os
-
-_www = os.path.join(package_home(globals()), 'www')
 
 defaultBindings = {'name_context': 'context',
                    'name_container': 'container',
@@ -217,33 +213,18 @@ class NameAssignments:
         return self._generateCodeBlock(text, assigned_names)
 
 
-class Bindings (Persistent):
+class Bindings:
     
-    manage_options = (
-        {'label':'Bindings', 'action':'ZBindingsHTML_editForm'},
-        )
-
     __ac_permissions__ = (
-        ('View management screens', ('ZBindingsHTML_editForm',
-                                     'getBindingAssignments',)),
-        ('Change Python Scripts', ('ZBindingsHTML_editAction',
-                                   'ZBindings_edit')),
+        ('View management screens', ('getBindingAssignments',)),
+        ('Change bindings', ('ZBindings_edit')),
         )
 
-    ZBindingsHTML_editForm = HTMLFile('scriptBindings', _www)
-
     def ZBindings_edit(self, mapping):
         names = self._setupBindings(mapping)
         self._prepareBindCode()
         self._editedBindings()
 
-    def ZBindingsHTML_editAction(self, REQUEST):
-        '''Changes binding names.
-        '''
-        self.ZBindings_edit(REQUEST)
-        message = "Bindings changed."
-        return self.manage_main(self, REQUEST, manage_tabs_message=message)
-
     def _editedBindings(self):
         # Override to receive notification when the bindings are edited.
         pass
@@ -325,7 +306,7 @@ class Bindings (Persistent):
             assigned_name = names.getAssignedName('name_ns')
             caller_namespace = kw.get(assigned_name, None)
         # Create a local namespace.
-        my_namespace = TemplateDict()
+        my_namespace = self._Bindings_ns_class()
         if caller_namespace is not None:
             # Include the caller's namespace.
             my_namespace._push(caller_namespace)
@@ -366,5 +347,5 @@ class Bindings (Persistent):
             bound_data = bound_data[0]
         return self._exec(bound_data, args, kw)
 
-Globals.default__class_init__(Bindings)
+
 

lib/python/Shared/DC/Scripts/BindingsUI.py

+##############################################################################
+# 
+# Zope Public License (ZPL) Version 1.0
+# -------------------------------------
+# 
+# Copyright (c) Digital Creations.  All rights reserved.
+# 
+# This license has been certified as Open Source(tm).
+# 
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# 
+# 1. Redistributions in source code must retain the above copyright
+#    notice, this list of conditions, and the following disclaimer.
+# 
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions, and the following disclaimer in
+#    the documentation and/or other materials provided with the
+#    distribution.
+# 
+# 3. Digital Creations requests that attribution be given to Zope
+#    in any manner possible. Zope includes a "Powered by Zope"
+#    button that is installed by default. While it is not a license
+#    violation to remove this button, it is requested that the
+#    attribution remain. A significant investment has been put
+#    into Zope, and this effort will continue if the Zope community
+#    continues to grow. This is one way to assure that growth.
+# 
+# 4. All advertising materials and documentation mentioning
+#    features derived from or use of this software must display
+#    the following acknowledgement:
+# 
+#      "This product includes software developed by Digital Creations
+#      for use in the Z Object Publishing Environment
+#      (http://www.zope.org/)."
+# 
+#    In the event that the product being advertised includes an
+#    intact Zope distribution (with copyright and license included)
+#    then this clause is waived.
+# 
+# 5. Names associated with Zope or Digital Creations must not be used to
+#    endorse or promote products derived from this software without
+#    prior written permission from Digital Creations.
+# 
+# 6. Modified redistributions of any form whatsoever must retain
+#    the following acknowledgment:
+# 
+#      "This product includes software developed by Digital Creations
+#      for use in the Z Object Publishing Environment
+#      (http://www.zope.org/)."
+# 
+#    Intact (re-)distributions of any official Zope release do not
+#    require an external acknowledgement.
+# 
+# 7. Modifications are encouraged but must be packaged separately as
+#    patches to official Zope releases.  Distributions that do not
+#    clearly separate the patches from the original work must be clearly
+#    labeled as unofficial distributions.  Modifications which do not
+#    carry the name Zope may be packaged in any form, as long as they
+#    conform to all of the clauses above.
+# 
+# 
+# Disclaimer
+# 
+#   THIS SOFTWARE IS PROVIDED BY DIGITAL CREATIONS ``AS IS'' AND ANY
+#   EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+#   IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+#   PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL DIGITAL CREATIONS OR ITS
+#   CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+#   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+#   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+#   USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+#   ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+#   OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+#   OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+#   SUCH DAMAGE.
+# 
+# 
+# This software consists of contributions made by Digital Creations and
+# many individuals on behalf of Digital Creations.  Specific
+# attributions are listed in the accompanying credits file.
+# 
+##############################################################################
+
+__version__='$Revision$'[11:-2]
+
+import Globals
+from Bindings import Bindings
+
+class BindingsUI(Bindings):
+    
+    manage_options = (
+        {'label':'Bindings', 'action':'ZBindingsHTML_editForm'},
+        )
+
+    __ac_permissions__ = (
+        ('View management screens', ('ZBindingsHTML_editForm',)),
+        ('Change bindings', ('ZBindingsHTML_editAction',)),
+        )
+
+    ZBindingsHTML_editForm = Globals.DTMLFile('dtml/scriptBindings', globals())
+
+    def ZBindingsHTML_editAction(self, REQUEST):
+        '''Changes binding names.
+        '''
+        self.ZBindings_edit(REQUEST)
+        message = "Bindings changed."
+        return self.manage_main(self, REQUEST, manage_tabs_message=message)
+
+Globals.default__class_init__(BindingsUI)

lib/python/Products/PythonScripts/Script.py → lib/python/Shared/DC/Scripts/Script.py

@@ -88,14 +88,16 @@
 This provides generic script support
 """
 
-__version__='$Revision: 1.2 $'[11:-2]
+__version__='$Revision$'[11:-2]
 
 import os
-from Globals import package_home, HTMLFile
+from Globals import package_home, DTMLFile
 from OFS.SimpleItem import SimpleItem
 from string import join
 from urllib import quote
-from Bindings import Bindings
+from BindingsUI import BindingsUI
+from Bindings import defaultBindings
+from DocumentTemplate.DT_Util import TemplateDict
 
 class FuncCode:
 
@@ -109,9 +111,7 @@ class FuncCode:
                         (other.co_argcount, other.co_varnames))
         except: return 1
 
-_www = os.path.join(package_home(globals()), 'www')
-
-class Script(SimpleItem, Bindings):
+class Script(SimpleItem, BindingsUI):
     """Web-callable script mixin
     """
 
@@ -119,12 +119,14 @@ class Script(SimpleItem, Bindings):
     func_defaults=()
     func_code=None
 
+    _Bindings_ns_class = TemplateDict
+
     __ac_permissions__ = (
         ('View management screens', ('ZScriptHTML_tryForm',)),
-        ('View', ('__call__','','ZScriptHTML_tryAction')),
+        ('View', ('__call__','','ZPythonScriptHTML_tryAction')),
         )
 
-    ZScriptHTML_tryForm = HTMLFile('scriptTry', _www)
+    ZScriptHTML_tryForm = DTMLFile('dtml/scriptTry', globals())
     def ZScriptHTML_tryAction(self, REQUEST, argvars):
         """Apply the test parameters.
         """