[Erp5-report] r24812 - in /erp5/trunk/products/ERP5Catalog: ./ tests/



Author: nicolas
Date: Fri Dec  5 18:55:40 2008
New Revision: 24812

URL: http://svn.erp5.org?rev=24812&view=rev
Log:
Escape login with sql_quote in Security Query

Modified:
    erp5/trunk/products/ERP5Catalog/CatalogTool.py
    erp5/trunk/products/ERP5Catalog/tests/testERP5Catalog.py

Modified: erp5/trunk/products/ERP5Catalog/CatalogTool.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5Catalog/CatalogTool.py?rev=24812&r1=24811&r2=24812&view=diff
==============================================================================
--- erp5/trunk/products/ERP5Catalog/CatalogTool.py [utf8] (original)
+++ erp5/trunk/products/ERP5Catalog/CatalogTool.py [utf8] Fri Dec  5 18:55:40 2008
@@ -50,6 +50,7 @@
 from MethodObject import Method
 
 from Products.ERP5Security.ERP5UserManager import SUPER_USER
+from DocumentTemplate.DT_Var import sql_quote
 
 import os, time, urllib, warnings
 import sys
@@ -564,7 +565,7 @@
           else:
             # XXX: What with this string transformation ?! Souldn't it be done in
             # dtml instead ?
-            allowedRolesAndUsers = ["'%s'" % (role, ) for role in allowedRolesAndUsers]
+            allowedRolesAndUsers = ["'%s'" % (sql_quote(role), ) for role in allowedRolesAndUsers]
             security_uid_list = [x.uid for x in method(security_roles_list = allowedRolesAndUsers)]
           security_uid_cache[cache_key] = security_uid_list
       else:
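Review bot: sql_quote only doubles single quotes, so the hand-built literal `"'%s'" % (sql_quote(role), )` is still not a complete escape on a backend where backslash is an escape character in string literals (MySQL by default, if that is what this catalog runs on); the XXX comment just above the changed line already names the better fix, which is to pass allowedRolesAndUsers into the DTML method unquoted and let `<dtml-sqlvar ... type="string">` produce the literals. The escaping is applied only on this else-branch; any other path that feeds user names into security_roles_list lies outside the hunk and should be checked the same way. If the manual literal-building is kept, a short comment such as `# sql_quote doubles single quotes only; relies on the DTML method not disabling backslash handling` would record the residual assumption for the next maintainer. The enclosing function starts and ends outside the hunk.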

Modified: erp5/trunk/products/ERP5Catalog/tests/testERP5Catalog.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5Catalog/tests/testERP5Catalog.py?rev=24812&r1=24811&r2=24812&view=diff
==============================================================================
--- erp5/trunk/products/ERP5Catalog/tests/testERP5Catalog.py [utf8] (original)
+++ erp5/trunk/products/ERP5Catalog/tests/testERP5Catalog.py [utf8] Fri Dec  5 18:55:40 2008
@@ -2961,6 +2961,23 @@
                            strict_group_related_description='c')]
     self.assertEquals(category_list,[sub_group_nexedi])
 
+  def test_EscapingLoginInSescurityQuery(self,
+                                  quiet=quiet, run=run_all_test):
+    if not run: return
+    if not quiet:
+      message = 'Test that login are escaped when call security_query'
+      ZopeTestCase._print('\n%s ' % message)
+      LOG('Testing... ',0,message)
+
+    # Create some objects
+    reference = "aaa.o'connor at fake.ie"
+    portal = self.getPortal()
+    uf = self.portal.acl_users
+    uf._doAddUser(reference, 'secret', ['Member'], [])
+    user = uf.getUserById(reference).__of__(uf)
+    newSecurityManager(None, user)
+    portal.view()
+
 def test_suite():
   suite = unittest.TestSuite()
   suite.addTest(unittest.makeSuite(TestERP5Catalog))
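Review bot: The new test asserts nothing — it passes whenever `portal.view()` does not raise, so a later change that drops the user's roles from the query or swallows the SQL error would go unnoticed; add an explicit check after the view, e.g. a catalog search run as this user that is asserted to succeed and return the expected object, plus a one-line docstring naming the regression it guards. The method name carries a typo: `def test_EscapingLoginInSecurityQuery(self,`. Minor: `portal` comes from `self.getPortal()` but `acl_users` is read from `self.portal`; use one of them, `uf = portal.acl_users`. The login exercised contains only a single quote; if the catalog backend treats backslash as an escape character, a second login containing one would cover the metacharacter sql_quote does not touch. The enclosing test class starts outside the hunk.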



