Mercurial > p > roundup > code
view test/test_token.py @ 5232:462b0f76fce8
issue2550864 - Potential information leakage via journal/history
Fix this by making the hyperdb::Class::history function check for view
permissions on the journaled properties. So a user that sees [hidden]
for a property in the web interface doesn;t see the property changes
in the history.
While doing this, relocated the filter for quiet properties
from the templating class to the hyperdb.
Also added the skipquiet option to the history command in
roundup-admin.py to enable filtering of quiet params.
Also changed calls to history() in the backend databases to report all
items.
Changed inline documentation for all history calls that document the
actions. The create action (before nov 6 2002) used to record all
parameters. After that point the create call uses an empty dictionary.
The filtering code depends on the create dictionary being empty.
It may not operate properly on very old roundup databases.
Changed calls to logging.getLogger to roundup.hyperdb.backends to
allow filtering the back end while keeping hyperdb logging.
In cgi/templating.py, changed history() function consolidating
handiling of link and unlink actions
Added tests for quiet property filtering and permission filtering
of history.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Fri, 14 Apr 2017 23:24:18 -0400 |
| parents | 364c54991861 |
| children | 6971c9249c6d |
line wrap: on
line source
# # Copyright (c) 2001 Richard Jones # This module is free software, and you may redistribute it and/or modify # under the same terms as Python, so long as this copyright message and # disclaimer are retained in their original form. # # This module is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. import unittest, time from roundup.token import token_split class TokenTestCase(unittest.TestCase): def testValid(self): l = token_split('hello world') self.assertEqual(l, ['hello', 'world']) def testIgnoreExtraSpace(self): l = token_split('hello world ') self.assertEqual(l, ['hello', 'world']) def testQuoting(self): l = token_split('"hello world"') self.assertEqual(l, ['hello world']) l = token_split("'hello world'") self.assertEqual(l, ['hello world']) def testEmbedQuote(self): l = token_split(r'Roch\'e Compaan') self.assertEqual(l, ["Roch'e", "Compaan"]) l = token_split('address="1 2 3"') self.assertEqual(l, ['address=1 2 3']) def testEscaping(self): l = token_split('"Roch\'e" Compaan') self.assertEqual(l, ["Roch'e", "Compaan"]) l = token_split(r'hello\ world') self.assertEqual(l, ['hello world']) l = token_split(r'\\') self.assertEqual(l, ['\\']) l = token_split(r'\n') self.assertEqual(l, ['\n']) def testBadQuote(self): self.assertRaises(ValueError, token_split, '"hello world') self.assertRaises(ValueError, token_split, "Roch'e Compaan") # vim: set filetype=python ts=4 sw=4 et si