Listbox,SelectionTool: use make_query instead of crafting URL manually

Using make_query makes sure that the query parameters are properly
encoded and also change selection_index to become an int, because
it keeps the type of parameters.

As a consequence, we had to adjust a few place in the code where
selection_index was tested for truthiness: because "0" as a string is
true, but 0 as an int is not. For that, we changed to test the presence
of selection_name instead of testing selection_index, as they are always
used together.

This fixes a problem that & in URL was encoded twice for listbox
anchor links ( bug_module/1137 )

product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/Base_edit.py

@@ -26,9 +26,13 @@ if dialog_id not in ('', None):
 # editing it by calling the Base_edit script with correct
 # parameters directly.
 if not silent_mode and not request.AUTHENTICATED_USER.has_permission('Modify portal content', context) :
-  msg = Base_translateString("You do not have the permissions to edit the object.")
-  redirect_url = '%s/%s?selection_index=%s&selection_name=%s&%s' % (context.absolute_url(), form_id, selection_index, selection_name, 'portal_status_message=%s' % msg)
-  return request['RESPONSE'].redirect(redirect_url)
+  redirect_kw = {
+    'portal_status_message': Base_translateString("You do not have the permissions to edit the object.")
+  }
+  if selection_name:
+    redirect_kw['selection_name'] = selection_name
+    redirect_kw['selection_index'] = selection_index
+  return request['RESPONSE'].redirect('%s/%s?%s' % (context.absolute_url(), form_id, make_query(redirect_kw)))
 
 # Get the form
 form = getattr(context,form_id)
@@ -262,7 +266,7 @@ redirect_url_kw = dict(
     editable_mode=editable_mode,
     portal_status_message=message
     )
-if selection_index:
+if selection_name:
   redirect_url_kw.update(
     selection_index=selection_index,
     selection_name=selection_name

product/ERP5/bootstrap/erp5_xhtml_style/SkinTemplateItem/portal_skins/erp5_xhtml_style/context_box_render.zpt

@@ -159,7 +159,7 @@
           <span class="description" i18n:translate="" i18n:domain="ui">Delete</span>
         </button>
         <tal:block tal:condition="not: list_mode">
-          <tal:block tal:condition="request/selection_index | nothing">
+          <tal:block tal:condition="request/selection_name | nothing">
             <span class="separator"><!--separator--></span>
             <a class="jump_first" title="First"
                tal:attributes="href string:portal_selections/viewFirst?$http_parameters"

product/ERP5Form/ListBox.py

@@ -49,6 +49,7 @@ from Acquisition import aq_base, aq_self, aq_inner
 import Acquisition
 from zLOG import LOG, WARNING
 from ZODB.POSException import ConflictError
+from ZTUtils import make_query
 
 from Products.ERP5Type.Globals import InitializeClass, get_request
 from Products.PythonScripts.Utility import allow_class
@@ -2149,22 +2150,24 @@ class ListBoxRendererLine:
     except AttributeError:
       return None
 
-    params = []
+    params = {}
     selection_name = renderer.getSelectionName()
     if int(request.get(
       'ignore_layout',
       0 if request.get('is_web_mode') else 1)):
-      params.append('ignore_layout:int=1')
+      params['ignore_layout'] = 1
     if int(request.get('editable_mode', 0)):
-      params.append('editable_mode:int=1')
+      params['editable_mode'] = 1
     if selection_name:
-      params.extend(('selection_name=%s' % selection_name,
-                      'selection_index=%s' % self.index,
-                      'reset:int=1'))
+      params.update({
+        'selection_name': selection_name,
+        'selection_index': self.index,
+        'reset': 1,
+      })
       if renderer.getSelectionTool().isAnonymous():
-        params.append('selection_key=%s' % renderer.getSelection().getAnonymousSelectionKey())
+        params['selection_key'] = renderer.getSelection().getAnonymousSelectionKey()
     if params:
-      url = '%s?%s' % (url, '&'.join(params))
+      url = '%s?%s' % (url, make_query(params))
     return url
 
   def isSummary(self):

product/ERP5Form/Tool/SelectionTool.py

@@ -34,6 +34,7 @@
 from OFS.SimpleItem import SimpleItem
 from Products.ERP5Type.Globals import InitializeClass, DTMLFile, PersistentMapping, get_request
 from AccessControl import ClassSecurityInfo
+from ZTUtils import make_query
 from Products.ERP5Type.Tool.BaseTool import BaseTool
 from Products.ERP5Type import Permissions as ERP5Permissions
 from Products.ERP5Type.TransactionalVariable import getTransactionalVariable
@@ -730,15 +731,17 @@ class SelectionTool( BaseTool, SimpleItem ):
           url = REQUEST.getURL()
       else:
         url = REQUEST.getURL()
-      ignore_layout = int(REQUEST.get('ignore_layout', 0))
       if form_id != 'view':
         url += '/%s' % form_id
-      url += '?selection_index=%s&selection_name=%s' % (selection_index, selection_name)
-      if ignore_layout:
-        url += '&ignore_layout:int=1'
+      query_kw = {
+        'selection_index': selection_index,
+        'selection_name': selection_name,
+      }
+      if int(REQUEST.get('ignore_layout', 0)):
+        query_kw['ignore_layout'] = 1
       if self.isAnonymous():
-        url += '&selection_key=%s' % self.getAnonymousSelectionKey(selection_name, REQUEST=REQUEST)
-      REQUEST.RESPONSE.redirect(url)
+        query_kw['selection_key'] = self.getAnonymousSelectionKey(selection_name, REQUEST=REQUEST)
+      REQUEST.RESPONSE.redirect('%s?%s' % (url, make_query(query_kw)))
 
     # ListBox related methods