Commit b8ab0663 authored by Romain Courteaud's avatar Romain Courteaud

erp5_web_js_style: do not accept double reference in the URL.

Reference must always be after the web section path.

This also forbids using a document's relative URL directly after the web section path (for example web_page_module/123).
parent 348f8803
...@@ -9,6 +9,7 @@ ...@@ -9,6 +9,7 @@
dummy python: request.set('editable_mode', False); dummy python: request.set('editable_mode', False);
web_site python: here.getWebSiteValue(); web_site python: here.getWebSiteValue();
web_section python: here.getWebSectionValue(); web_section python: here.getWebSectionValue();
is_unexpected_reference_access python: '/' in here.getRelativeUrl()[len(web_section.getRelativeUrl()) + 1:];
relative_url_prefix python: web_section.WebSection_generateRelativeUrlPrefix(); relative_url_prefix python: web_section.WebSection_generateRelativeUrlPrefix();
no_style_gadget_url python: web_section.WebSection_generateLayoutPropertyUrl('configuration_style_gadget_url'); no_style_gadget_url python: web_section.WebSection_generateLayoutPropertyUrl('configuration_style_gadget_url');
no_style_css_url python: relative_url_prefix + 'jsstyle.css'; no_style_css_url python: relative_url_prefix + 'jsstyle.css';
...@@ -23,6 +24,16 @@ ...@@ -23,6 +24,16 @@
current_language python: web_site.getPortalObject().Localizer.get_selected_language(); current_language python: web_site.getPortalObject().Localizer.get_selected_language();
global_definitions_macros here/global_definitions/macros; global_definitions_macros here/global_definitions/macros;
include_document python: web_section.isSiteMapDocumentParent() and ((here.getRelativeUrl() == web_section.getRelativeUrl()) or request.get('is_web_section_default_document', False));"> include_document python: web_section.isSiteMapDocumentParent() and ((here.getRelativeUrl() == web_section.getRelativeUrl()) or request.get('is_web_section_default_document', False));">
<tal:block tal:condition="python: is_unexpected_reference_access">
<tal:block metal:use-macro="context/error_main/macros/master">
<metal:slot metal:fill-slot="main" i18n:domain="erp5_ui">
<h2 i18n:translate="" tal:define="dummy python: request.response.setStatus(404);">Unexpected URL</h2>
<p i18n:translate="">The URL path only accept a single document reference.</p>
</metal:slot>
</tal:block>
</tal:block>
<tal:block tal:condition="python: not is_unexpected_reference_access">
<tal:block metal:use-macro="global_definitions_macros/header_definitions" /> <tal:block metal:use-macro="global_definitions_macros/header_definitions" />
<!DOCTYPE html> <!DOCTYPE html>
<html tal:attributes="lang current_language"> <html tal:attributes="lang current_language">
...@@ -91,3 +102,4 @@ ...@@ -91,3 +102,4 @@
</tal:block> </tal:block>
</tal:block> </tal:block>
</tal:block>
\ No newline at end of file
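Review bot: The `is_unexpected_reference_access` define in hunk `@@ -9,6 +9,7 @@` slices `here.getRelativeUrl()` at `len(web_section.getRelativeUrl()) + 1` without first checking that the document's relative URL actually starts with the section's relative URL followed by `/`; if a document is ever reached whose path is not prefixed that way, the `'/'` test runs on an arbitrary suffix and can both miss a double reference and flag a legitimate single one. Making the prefix assumption explicit keeps the check honest: `is_unexpected_reference_access python: here.getRelativeUrl() != web_section.getRelativeUrl() and (not here.getRelativeUrl().startswith(web_section.getRelativeUrl() + '/') or '/' in here.getRelativeUrl()[len(web_section.getRelativeUrl()) + 1:]);`. Note also that this is a render-time check inside one layout template, so the 404 is only produced when this template renders the document and any other view or layout reachable through the same double-reference path is presumably still served; if the goal is to reject the URL shape itself, that belongs in the traversal hook rather than here. The `request.response.setStatus(404)` hidden in a `tal:define` on the `<h2>` of the error slot is easy to lose when the markup is restyled — putting it on the branch that triggers it, `<tal:block tal:condition="python: is_unexpected_reference_access" tal:define="dummy python: request.response.setStatus(404)">`, keeps the status next to the condition. The `tal:define` attribute list these lines extend starts before the first hunk.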
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="ZopePageTemplate" module="Products.PageTemplates.ZopePageTemplate"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>_bind_names</string> </key>
<value>
<object>
<klass>
<global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
</klass>
<tuple/>
<state>
<dictionary>
<item>
<key> <string>_asgns</string> </key>
<value>
<dictionary>
<item>
<key> <string>name_subpath</string> </key>
<value> <string>traverse_subpath</string> </value>
</item>
</dictionary>
</value>
</item>
</dictionary>
</state>
</object>
</value>
</item>
<item>
<key> <string>content_type</string> </key>
<value> <string>text/html</string> </value>
</item>
<item>
<key> <string>expand</string> </key>
<value> <int>0</int> </value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>testJsStyleDoubleReferenceTraversal</string> </value>
</item>
<item>
<key> <string>output_encoding</string> </key>
<value> <string>utf-8</string> </value>
</item>
<item>
<key> <string>title</string> </key>
<value> <unicode></unicode> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
<html xmlns:tal="http://xml.zope.org/namespaces/tal"
xmlns:metal="http://xml.zope.org/namespaces/metal">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Test JS Style No Style</title>
</head>
<body>
<table cellpadding="1" cellspacing="1" border="1">
<thead>
<tr><td rowspan="1" colspan="3">Test JS Style No Style</td></tr>
</thead><tbody>
<tal:block metal:use-macro="here/Zuite_CommonTemplate/macros/init" />
<tr>
<td>open</td>
<td>${base_url}/ERP5Site_createWebJSStyleZuiteTestData?configuration=nostyle</td>
<td></td>
</tr>
<tr>
<td>assertTextPresent</td>
<td>Web Site created.</td>
<td></td>
</tr>
<tal:block metal:use-macro="here/Zuite_CommonTemplate/macros/wait_for_activities" />
<!-- Initialize -->
<tr>
<td>open</td>
<td>${base_url}/web_site_module/erp5_web_js_style_test_site/erp5_web_js_style_test_contentpage/erp5_web_js_style_test_frontpage</td>
<td></td>
</tr>
<tr>
<td>assertElementNotPresent</td>
<td>//head/link[@rel='prerender']</td>
<td></td>
</tr>
<tr>
<td>assertElementNotPresent</td>
<td>//head/link[@rel='alternate' and @type='application/rss+xml' and @href='feed.rss']</td>
<td></td>
</tr>
<tr>
<td>waitForElementPresent</td>
<td>//head/link[@rel='stylesheet' and @href='jsstyle.css']</td>
<td></td>
</tr>
<tr>
<td>assertElementPresent</td>
<td>//head/link[@rel='stylesheet' and @href='jsstyle.css']</td>
<td></td>
</tr>
<tr>
<td>assertElementPresent</td>
<td>//nav[@id='sitemap']/a[text()='No Style']</td>
<td></td>
</tr>
<tr>
<td>assertElementPresent</td>
<td>//nav[@id='language']//a[@hreflang='en']</td>
<td></td>
</tr>
<tr>
<td>assertElementNotPresent</td>
<td>//aside[@id='document_list']</td>
<td></td>
</tr>
<tr>
<td>assertElementNotPresent</td>
<td>//div[@class='input']</td>
<td></td>
</tr>
<tr>
<td>assertElementPresent</td>
<td>//main//h2[text()='Unexpected URL']</td>
<td></td>
</tr>
<tr>
<td>assertElementPresent</td>
<td>//main//p[text()='The URL path only accept a single document reference.']</td>
<td></td>
</tr>
</tbody></table>
</body>
</html>
\ No newline at end of file
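Review bot: The new Zuite test's `<title>` and table caption both read `Test JS Style No Style` although its id is `testJsStyleDoubleReferenceTraversal`, which makes it indistinguishable from the no-style test in the runner's report; rename both to `Test JS Style Double Reference Traversal`. The only URL exercised, `.../erp5_web_js_style_test_contentpage/erp5_web_js_style_test_frontpage`, is a double reference only if both trailing segments are document references of the site rather than a web section followed by one reference, and nothing on the page shows which it is — a comment above that `open` step naming what the two segments resolve to would make the expectation checkable. The commit message also says direct relative URLs such as `web_page_module/123` are now refused, but no step opens such a URL; a second `open` against `${base_url}/web_site_module/erp5_web_js_style_test_site/web_page_module/<id of the created page>` followed by the same `Unexpected URL` assertions would cover that claim.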