Commit 1c7bf350 authored by 's avatar

Added security to SQL methods (!)

parent 60d74be4
...@@ -85,8 +85,8 @@ ...@@ -85,8 +85,8 @@
__doc__='''Generic Database adapter __doc__='''Generic Database adapter
$Id: DA.py,v 1.78 2000/01/10 23:05:51 amos Exp $''' $Id: DA.py,v 1.79 2000/03/14 19:26:32 brian Exp $'''
__version__='$Revision: 1.78 $'[11:-2] __version__='$Revision: 1.79 $'[11:-2]
import OFS.SimpleItem, Aqueduct, RDB import OFS.SimpleItem, Aqueduct, RDB
import DocumentTemplate, marshal, md5, base64, Acquisition, os import DocumentTemplate, marshal, md5, base64, Acquisition, os
...@@ -97,6 +97,8 @@ from cStringIO import StringIO ...@@ -97,6 +97,8 @@ from cStringIO import StringIO
import sys, Globals, OFS.SimpleItem, AccessControl.Role import sys, Globals, OFS.SimpleItem, AccessControl.Role
from string import atoi, find, join, split from string import atoi, find, join, split
import DocumentTemplate, sqlvar, sqltest, sqlgroup import DocumentTemplate, sqlvar, sqltest, sqlgroup
from AccessControl.User import verify_watermark
from DocumentTemplate.DT_Util import cDocument
from time import time from time import time
from zlib import compress, decompress from zlib import compress, decompress
from DateTime.DateTime import DateTime from DateTime.DateTime import DateTime
...@@ -107,18 +109,27 @@ from cPickle import dumps, loads ...@@ -107,18 +109,27 @@ from cPickle import dumps, loads
from Results import Results from Results import Results
from App.Extensions import getBrain from App.Extensions import getBrain
try: from IOBTree import Bucket try: from IOBTree import Bucket
except: Bucket=lambda:{} except: Bucket=lambda:{}
class SQL(DocumentTemplate.HTML): class nvSQL(DocumentTemplate.HTML):
# Non-validating SQL Template for use by SQLFiles.
commands={} commands={}
for k, v in DocumentTemplate.HTML.commands.items(): commands[k]=v for k, v in DocumentTemplate.HTML.commands.items(): commands[k]=v
commands['sqlvar' ]=sqlvar.SQLVar commands['sqlvar' ]=sqlvar.SQLVar
commands['sqltest']=sqltest.SQLTest commands['sqltest']=sqltest.SQLTest
commands['sqlgroup' ]=sqlgroup.SQLGroup commands['sqlgroup' ]=sqlgroup.SQLGroup
_proxy_roles=()
class SQL(cDocument, nvSQL):
# Validating SQL template for Zope SQL Methods.
pass
class DA( class DA(
Aqueduct.BaseQuery,Acquisition.Implicit, Aqueduct.BaseQuery,Acquisition.Implicit,
...@@ -135,6 +146,7 @@ class DA( ...@@ -135,6 +146,7 @@ class DA(
class_name_=class_file_='' class_name_=class_file_=''
_zclass=None _zclass=None
allow_simple_one_argument_traversal=None allow_simple_one_argument_traversal=None
template_class=SQL
manage_options=( manage_options=(
{'label':'Edit', 'action':'manage_main', {'label':'Edit', 'action':'manage_main',
...@@ -224,7 +236,7 @@ class DA( ...@@ -224,7 +236,7 @@ class DA(
self.arguments_src=arguments self.arguments_src=arguments
self._arg=parse(arguments) self._arg=parse(arguments)
self.src=template self.src=template
self.template=t=SQL(template) self.template=t=self.template_class(template)
t.cook() t.cook()
self._v_cache={}, Bucket() self._v_cache={}, Bucket()
if REQUEST: if REQUEST:
...@@ -412,7 +424,14 @@ class DA( ...@@ -412,7 +424,14 @@ class DA(
argdata=self._argdata(REQUEST) argdata=self._argdata(REQUEST)
argdata['sql_delimiter']='\0' argdata['sql_delimiter']='\0'
argdata['sql_quote__']=dbc.sql_quote__ argdata['sql_quote__']=dbc.sql_quote__
query=apply(self.template, (p,), argdata)
# Also need the authenticated user.
if REQUEST.has_key('AUTHENTICATED_USER'):
auth_user=REQUEST['AUTHENTICATED_USER']
verify_watermark(auth_user)
argdata['AUTHENTICATED_USER']=auth_user
query=apply(self.template, (p, argdata))
if src__: return query if src__: return query
...@@ -479,6 +498,8 @@ class DA( ...@@ -479,6 +498,8 @@ class DA(
return r return r
Globals.default__class_init__(DA) Globals.default__class_init__(DA)
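Review bot: In the `@@ -412,7 +424,14 @@` hunk the authenticated user is attached to `argdata` only when `REQUEST.has_key('AUTHENTICATED_USER')` holds, and the fall-through is silent, so a call whose REQUEST lacks that key (a programmatic call, if the method accepts keyword arguments instead of a request) renders the validating `SQL` template with no user at all; nothing on the page shows what `cDocument` validation does in that case, so the intended outcome deserves a comment such as `# No AUTHENTICATED_USER in REQUEST: the validating template is rendered without a user — confirm cDocument denies rather than allows here.` The same hunk changes `apply(self.template, (p,), argdata)` to `apply(self.template, (p, argdata))`, which turns argdata from keyword arguments into a positional mapping argument; since that reads like a typo, a one-line comment (`# argdata is passed as the template's mapping, not as keywords, so validation sees it`) would prevent a well-meaning revert. The `verify_watermark(auth_user)` call presumably rejects user objects that did not come from the authentication machinery, but its failure mode (exception versus return value) is not visible here and should be stated next to the call. The enclosing `__call__` method starts and ends outside the hunk.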