Prevent calling HostingSubscription_requestUpdateOpenSaleOrder in URL.

9277c236 · Romain Courteaud · 959edf00 · 9277c236 · 9277c236 · 9277c236
Commit 9277c236 authored Dec 11, 2012 by Romain Courteaud
3 changed files
--- a/master/bt5/slapos_accounting/SkinTemplateItem/portal_skins/slapos_accounting/HostingSubscription_requestUpdateOpenSaleOrder.xml
+++ b/master/bt5/slapos_accounting/SkinTemplateItem/portal_skins/slapos_accounting/HostingSubscription_requestUpdateOpenSaleOrder.xml
@@ -50,7 +50,11 @@
        </item>
        <item>
            <key> <string>_body</string> </key>
-            <value> <string>if context.getCausalityState() != \'diverged\':\n
+            <value> <string>from zExceptions import Unauthorized\n
+if REQUEST is not None:\n
+  raise Unauthorized\n
+\n
+if context.getCausalityState() != \'diverged\':\n
  return\n
 person = context.getDestinationSectionValue()\n
 if person is not None:\n
@@ -60,7 +64,7 @@ context.converge()\n
        </item>
        <item>
            <key> <string>_params</string> </key>
-            <value> <string></string> </value>
+            <value> <string>REQUEST=None</string> </value>
        </item>
        <item>
            <key> <string>id</string> </key>

--- a/master/bt5/slapos_accounting/TestTemplateItem/testSlapOSAccountingAlarm.py
+++ b/master/bt5/slapos_accounting/TestTemplateItem/testSlapOSAccountingAlarm.py
@@ -14,6 +14,7 @@ import os
 import tempfile
 from DateTime import DateTime
 from Products.ERP5Type.DateUtils import addToDate
+from zExceptions import Unauthorized

 class Simulator:
  def __init__(self, outfile, method, to_return=None):
@@ -748,6 +749,14 @@ class TestOpenSaleOrderAlarm(testSlapOSMixin):
        subscription.workflow_history['edit_workflow'][-1]['comment'])

 class TestHostingSubscription_requestUpdateOpenSaleOrder(testSlapOSMixin):
+  def test_REQUEST_disallowed(self):
+    subscription = self.portal.hosting_subscription_module\
+        .template_hosting_subscription.Base_createCloneDocument(batch_mode=1)
+    self.assertRaises(
+      Unauthorized,
+      subscription.HostingSubscription_requestUpdateOpenSaleOrder,
+      REQUEST={})
+
  def test_empty_HostingSubscription(self):
    person = self.portal.person_module.template_member\
        .Base_createCloneDocument(batch_mode=1)

--- a/master/bt5/slapos_accounting/bt/revision
+++ b/master/bt5/slapos_accounting/bt/revision
-205
\ No newline at end of file
+206
\ No newline at end of file