[gen] Added attribute 'xml' on every field allowing to customize the XML marshalling process. [gen] Added new layout 'xml', now different from the 'view' layout, allowing to define which fields are to be dumped in the XML version of some object. [gen] Security fix in ToolMixin::getUser. [gen] Bugfix in Mixin::getUrl. [shared] dav.py: method 'get' can now accept parameters. [shared] xml_parser: changes to the XmlMarshaller (due to XML-related changes).

Gaetan Delannay 2014-12-08 14:52:04 +01:00
parent f055ec1754
commit c53654a1a1
19 changed files with 119 additions and 80 deletions


@ -920,9 +920,9 @@ class ToolMixin(BaseMixin):
# to authentify the user, we ask to identify a user or, if impossible,
# a special user.
login, password = self.identifyUser(alsoSpecial=not authentify)
# Stop here if no user was found and authentication was required.
# Stop here if no user was found and authentication was required
if authentify and not login: return
# Now, get the User instance.
# Now, get the User instance
if source == 'zodb':
# Get the User object, but only if it is a true local user.
user = tool.search1('User', noSecurity=True, login=login)
@ -933,11 +933,14 @@ class ToolMixin(BaseMixin):
# Get the user object, be it really local or a copy of a LDAP user.
user = tool.search1('User', noSecurity=True, login=login)
if not user: return
# Authentify the user if required.
# Authentify the user if required
if authentify:
if (user.state == 'inactive') or (not user.checkPassword(password)):
# Disable the authentication cookie.
# Disable the authentication cookie and remove credentials
# stored on the request.
req.RESPONSE.expireCookie('_appy_', path='/')
k = 'HTTP_AUTHORIZATION'
req._auth = req[k] = req._orig_env[k] = None
return
# Create an authentication cookie for this user.
gutils.writeCookie(login, password, req)
@ -957,7 +960,7 @@ class ToolMixin(BaseMixin):
if jsEnabled and not cookiesEnabled:
msg = self.translate('enable_cookies')
return self.goto(urlBack, msg)
# Authenticate the user.
# Authenticate the user
if self.getUser(authentify=True) or \
self.getUser(authentify=True, source='ldap'):
msg = self.translate('login_ok')
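Review bot: The credential cleanup added in the second hunk runs only on the inactive-account or bad-password branch. The two earlier exits, `if authentify and not login: return` and `if not user: return`, still return without expiring the `_appy_` cookie or resetting `HTTP_AUTHORIZATION`. If the aim is that a failed login leaves no usable credentials on the request, those exits should perform the same cleanup when `authentify` is true; putting the three cleanup lines in one small private helper called from every failure exit would keep the paths identical, so unknown and known logins are handled the same way. The failure branch also records nothing, so a server-side log entry carrying the login (never the password) would help detect repeated failed attempts. getUser starts and ends outside these hunks, so this is based on the visible lines only.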


@ -530,7 +530,7 @@ class BaseMixin:
res = XmlMarshaller().marshall(methodRes, objectType='appy')
except Exception, e:
tb = sutils.Traceback.get()
res = XmlMarshaller().marshall(tb, objectType='appy')
res = XmlMarshaller(rootTag='exception').marshall(tb)
return res
def say(self, msg, type='info'):
@ -1430,10 +1430,12 @@ class BaseMixin:
return layoutType in showValue
getUrlDefaults = {'page':True, 'nav':True}
def getUrl(self, base=None, mode='view', inPopup=False, **kwargs):
def getUrl(self, base=None, mode='view', inPopup=False, relative=False,
**kwargs):
'''Returns an URL for this object.
* If p_base is None, it will be the base URL for this object
(ie, Zope self.absolute_url()).
(ie, Zope self.absolute_url() or an URL this is relative to the
root site if p_relative is True).
* p_mode can be "edit", "view" or "raw" (a non-param, base URL)
* If p_inPopup is True, the link will be opened in the Appy iframe.
An additional param "popup=1" will be added to URL params, in order
@ -1447,19 +1449,20 @@ class BaseMixin:
# Define the URL suffix
suffix = ''
if mode != 'raw': suffix = '/%s' % mode
# Define base URL if omitted
# Define the base URL if omitted
if not base:
base = self.absolute_url() + suffix
base = relative and self.absolute_url_path() or self.absolute_url()
base += suffix
existingParams = ''
else:
existingParams = urllib.splitquery(base)[1]
# If a raw URL is asked, remove any param and suffix.
# If a raw URL is asked, remove any param and suffix
if mode == 'raw':
if '?' in base: base = base[:base.index('?')]
base = base.strip('/')
base = base.rstrip('/')
for mode in ('view', 'edit'):
if base.endswith(mode):
base = base[:-len(mode)].strip('/')
base = base[:-len(mode)].rstrip('/')
break
return base
# Manage default args
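Review bot: The `except` branch in the first hunk of this file still marshals the full traceback from `sutils.Traceback.get()` and returns it as the result; the commit changes only the root tag. If that result goes back to a remote caller, which the hunk does not show, it exposes server file paths and code structure. Logging the traceback server-side and returning a short generic message under `rootTag='exception'` would keep the new format without that detail. The name bound in `except Exception, e:` is unused, and the enclosing method begins above the hunk.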