[Mpuls-commits] r2826 - in base/trunk: . mpulsweb/lib mpulsweb/model mpulsweb/templates/documents

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Mon May 31 12:04:13 CEST 2010


Author: torsten
Date: 2010-05-31 12:04:07 +0200 (Mon, 31 May 2010)
New Revision: 2826

Modified:
   base/trunk/ChangeLog
   base/trunk/mpulsweb/lib/validators.py
   base/trunk/mpulsweb/model/document.py
   base/trunk/mpulsweb/model/user.py
   base/trunk/mpulsweb/templates/documents/case_overview.mako
   base/trunk/mpulsweb/templates/documents/global_overview.mako
Log:
Merged



Modified: base/trunk/ChangeLog
===================================================================
--- base/trunk/ChangeLog	2010-05-31 10:03:49 UTC (rev 2825)
+++ base/trunk/ChangeLog	2010-05-31 10:04:07 UTC (rev 2826)
@@ -1,3 +1,29 @@
+2010-05-25  Bernhard Herzog  <bh at intevation.de>
+
+	* mpulsweb/model/user.py (log): Add logger.
+
+2010-05-25  Bernhard Herzog  <bh at intevation.de>
+
+	* mpulsweb/templates/documents/case_overview.mako,
+	mpulsweb/templates/documents/global_overview.mako: Avoid
+	unnecessary html-escaping.
+
+2010-05-25  Bernhard Herzog  <bh at intevation.de>
+
+	* mpulsweb/model/document.py (Document.getName): Remove encoding
+	parameter.  No caller used anything but the default value anyway.
+	Also, make non-ascii names actually work by using ensure_unicode
+	to convert the name to unicode instead of unconditionally
+	converting to byte-string first.
+
+2010-05-25  Bernhard Herzog  <bh at intevation.de>
+
+	* mpulsweb/lib/validators.py (FileExistsChecker.casedoc_sql)
+	(FileExistsChecker.globaldoc_sql): Fix parameter markers so that
+	the normal DB-API parameter substitution can be used.
+	(FileExistsChecker.validate_python): Use the standard DB-API
+	parameter substitution mechanism.  This avoids SQL-injections.
+
 2010-05-21  Bernhard Herzog  <bh at intevation.de>
 
 	* mpulsweb/lib/renderer.py (tag): Allow attribute names that

Modified: base/trunk/mpulsweb/lib/validators.py
===================================================================
--- base/trunk/mpulsweb/lib/validators.py	2010-05-31 10:03:49 UTC (rev 2825)
+++ base/trunk/mpulsweb/lib/validators.py	2010-05-31 10:04:07 UTC (rev 2826)
@@ -68,9 +68,9 @@
     """
 
     casedoc_sql = ("SELECT id FROM ka_fall_dokumente_tbl_view"
-                   " WHERE name = '%(filename)s' and master_id = %(case)s")
+                   " WHERE name = %(filename)s and master_id = %(case)s")
     globaldoc_sql = ("SELECT id FROM ka_global_dokumente_tbl_view"
-                     " WHERE name = '%(filename)s'")
+                     " WHERE name = %(filename)s")
     field_names = None
     validate_partial_form = True
     __unpackargs__ = ('*', 'field_names')
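Review bot: `casedoc_sql` and `globaldoc_sql` now hold DB-API pyformat placeholders, which is only safe as long as every caller passes the values through `cursor.execute(sql, params)`; the second hunk of this file does that, but nothing at the definition site says so, and a later `sql % fields` would silently reintroduce the injection the ChangeLog says this fixes. Suggest a comment above `casedoc_sql`: `# %(name)s are DB-API parameter placeholders: run with cur.execute(sql, params), never interpolate with %.` Because the driver now performs the substitution, any literal `%` added to these strings later must be written as `%%`. The enclosing class `FileExistsChecker` starts outside the hunk.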
@@ -124,7 +124,7 @@
                 conn = db.getConnection()
                 cur = conn.cursor()
                 fields = {'filename': name, 'case': case}
-                cur.execute(sql % fields)
+                cur.execute(sql, fields)
                 result = cur.fetchone()
                 if result:
                     errors['name'] = self.message('fileexists', state)
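Review bot: The cursor created by `cur = conn.cursor()` is never closed within the hunk, and the connection from `db.getConnection()` is not released either; the enclosing `try` starts and ends outside the hunk, so it cannot be seen here whether a `finally` takes care of that. If it does not, `cur.close()` in a `finally` (or a `with`/`closing` wrapper if `db` supports it) would keep the validator from leaking a cursor per validation. Note also that `fields` always carries both `filename` and `case` even for `globaldoc_sql`; pyformat drivers ignore the unused key, which is fine, but a brief comment saying so would stop a reader from "fixing" it.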

Modified: base/trunk/mpulsweb/model/document.py
===================================================================
--- base/trunk/mpulsweb/model/document.py	2010-05-31 10:03:49 UTC (rev 2825)
+++ base/trunk/mpulsweb/model/document.py	2010-05-31 10:04:07 UTC (rev 2826)
@@ -159,13 +159,11 @@
     def isCaseAttached(self):
         return not self.case is None
 
-    def getName(self, encoding="utf-8"):
+    def getName(self):
         name = self.name
         if name is None:
             return None
-        if encoding:
-            return unicode(str(name), encoding)
-        return name
+        return h.ensure_unicode(name)
 
     def create(self, name, src, case=None, uuid=None):
         name = name.strip().rsplit('\\', 1)[-1].rsplit('/', 1)[-1]
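Review bot: `getName` now calls `h.ensure_unicode`, but nothing in the hunk shows that `h` is bound in document.py; if it is not imported at module level the method raises NameError on first use, so please confirm the import. Removing the `encoding` parameter is an interface change: a caller still passing `encoding=` now fails with TypeError instead of getting the old behaviour; the ChangeLog says no such caller exists, which a grep would confirm. A docstring would help here, e.g. `"""Return the document's name as unicode, or None if no name is set."""`. `create` continues outside the hunk.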

Modified: base/trunk/mpulsweb/model/user.py
===================================================================
--- base/trunk/mpulsweb/model/user.py	2010-05-31 10:03:49 UTC (rev 2825)
+++ base/trunk/mpulsweb/model/user.py	2010-05-31 10:04:07 UTC (rev 2826)
@@ -24,6 +24,7 @@
 
 import sys
 import datetime
+import logging
 
 from pylons import session
 
@@ -32,6 +33,9 @@
 from mpulsweb.lib.db import db
 
 
+log = logging.getLogger(__name__)
+
+
 MARK_NEWS_AS_READ_SQL = """SELECT markNewsAsRead(%(user_id)s, %(news_id)s)"""
 FETCH_USER_LIST_SQL = """\
 SELECT id, vorname, nachname, rolle, login, gid

Modified: base/trunk/mpulsweb/templates/documents/case_overview.mako
===================================================================
--- base/trunk/mpulsweb/templates/documents/case_overview.mako	2010-05-31 10:03:49 UTC (rev 2825)
+++ base/trunk/mpulsweb/templates/documents/case_overview.mako	2010-05-31 10:04:07 UTC (rev 2826)
@@ -48,10 +48,10 @@
     %>
     % for num, f in enumerate(c.files):
       <tr class="${num%2 and 'hl' or ''}">
-        <td>${ f.getName() | F.shorten, h}</td>
+        <td>${ f.getName() | F.shorten}</td>
         <td class="number_field">${kb(f.size)} KB</td>
         <td class="actions">
-          <a href="/casedocument/show/${f.id}/${f.getName() | F.H}" 
+          <a href="/casedocument/show/${f.id}/${f.getName()}" 
           target="_blank">
             <img src="/images/icons/open_active_22.png" border="0" 
             alt="${_('cm_overview_a_show')}" title="${_('cm_overview_a_show')}"></a>
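Review bot: Dropping `| F.H` and `| h` here, and in both hunks of global_overview.mako, means `f.getName()`, which `Document.create` derives from an uploaded filename, is written into an `href` attribute and a table cell with only whatever escaping the template engine's default filters apply. That is correct only if Mako is configured with a default HTML-escape filter; if `default_filters` is empty in the app config, or an `n` (no-filter) expression is ever used, a name containing `"` or `<` becomes an HTML-injection risk in these pages. Please confirm the `default_filters` setting, or add a short template comment such as `## escaping of names is done by Mako's default_filters, do not add h here` so the reason for the removal survives. Independently, and unchanged by this commit, the name is still not URL-encoded inside the href, so a name containing `/`, `?` or `#` produces a broken link.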

Modified: base/trunk/mpulsweb/templates/documents/global_overview.mako
===================================================================
--- base/trunk/mpulsweb/templates/documents/global_overview.mako	2010-05-31 10:03:49 UTC (rev 2825)
+++ base/trunk/mpulsweb/templates/documents/global_overview.mako	2010-05-31 10:04:07 UTC (rev 2826)
@@ -34,13 +34,13 @@
   % if idset==0:
   <tr>
     <td>
-        <a href="/document/globalShow/${f.id}/${f.getName() | F.H}" target="_blank">${ f.getName() | F.shorten, h}</a>
+        <a href="/document/globalShow/${f.id}/${f.getName()}" target="_blank">${ f.getName() | F.shorten}</a>
     </td>
     <td class="number_field">
         ${kb(f.size)} KB
     </td>
     <td class="table_action">
-        <a href="/document/globalShow/${f.id}/${f.getName() | F.H}" target="_blank"><img src="/images/icons/open_active_22.png" border="0" alt="${_('cm_overview_a_show')}" 
+        <a href="/document/globalShow/${f.id}/${f.getName()}" target="_blank"><img src="/images/icons/open_active_22.png" border="0" alt="${_('cm_overview_a_show')}" 
         title="${_('cm_overview_a_show')}" title="${_('cm_overview_a_show')}"></a>
         % if h.hasRole(['admin_ka']):
         <a href="/document/globalDelete/${f.id}"><img src="/images/icons/delete_active_22.png" border="0" alt="${_('cm_overview_a_delete')}" title="${_('cm_overview_a_delete')}"></a>
@@ -51,13 +51,13 @@
   % else:
     <tr  class="table_row_h">
       <td>
-        <a href="/document/globalShow/${f.id}/${f.getName() | F.H}" target="_blank">${ f.getName() | F.shorten, h}</a>
+        <a href="/document/globalShow/${f.id}/${f.getName()}" target="_blank">${ f.getName() | F.shorten}</a>
       </td>
       <td class="number_field">
         ${kb(f.size)} KB
       </td>
       <td class="table_action">
-        <a href="/document/globalShow/${f.id}/${f.getName() | F.H}" target="_blank"><img src="/images/icons/open_active_22.png" border="0" alt="${_('cm_overview_a_show')}" 
+        <a href="/document/globalShow/${f.id}/${f.getName()}" target="_blank"><img src="/images/icons/open_active_22.png" border="0" alt="${_('cm_overview_a_show')}" 
         title="${_('cm_overview_a_show')}" title="${_('cm_overview_a_show')}"></a>
         % if h.hasRole(['admin_ka']):
           <a href="/document/globalDelete/${f.id}"><img src="/images/icons/delete_active_22.png" border="0" alt="${_('cm_overview_a_delete')}" title="${_('cm_overview_a_delete')}"></a>


