Skip to main content

Customized z3c.form and plone.z3cform library for PMR2

Project description

Introduction

This package extends z3c.form and plone.z3cform for usage within PMR2 and related libraries. Problems this package attempt to tackle are:

  • Ensure the correct root template is adapted when forms (and views/ pages) are rendered, such that there will only be one class used for testing and production, without having to subclass for specific uses or make use of wrapper classes/methods. It may be possible to support other frameworks by registering the root view to the desired layer.

  • CSRF (Cross-Site Request Forgery) prevention via the use of appropriate form authenticators, e.g. plone.protect for Plone.

  • Offer the same adaptable browser class (pages) to standard non-form views.

  • Forms with traversal subpaths.

Installation and usage

Just add or modified the install_requires option into the setup function in a typical setup.py. Example:

from setuptools import setup

setup(
    ...
    install_requires=[
        ...
        'pmr2.z3cform',
    ]
)

Forms

Forms in PMR2 are built on top of z3c.forms. There are certain changes we made to allow this library to better fit into our use cases. There are a couple modifications, the first being the enforcement of request method, and the other is CSRF (Cross-site Request Forgery) protection.

First we import some base classes and create a test form class:

>>> import zope.interface
>>> import zope.schema
>>> import z3c.form.field
>>> from pmr2.z3cform.testing import BaseTestRequest as TestRequest
>>> from pmr2.z3cform.tests import base
>>> from pmr2.z3cform.form import AddForm
>>>
>>> class IDummy(zope.interface.Interface):
...     id = zope.schema.DottedName(title=u'id')
...
>>> class Dummy(object):
...     zope.interface.implements(IDummy)
...     def __init__(self, id_):
...         self.id = id_
...
>>> class TestAddForm(AddForm):
...     fields = z3c.form.field.Fields(IDummy)
...     def create(self, data):
...         return Dummy(data['id'])
...     def add_data(self, ctxobject):
...         ctxobject.id = self._data['id']
...     def add(self, obj):
...         self.context.append(obj)
...     def nextURL(self):
...         return ''  # unnecessary.

First thing to demonstrate is is the request method verification. Forms that manipulate data must not be activated by a simple GET request:

>>> context = []
>>> request = TestRequest(form={
...     'form.widgets.id': 'test',
...     'form.buttons.add': '1',
... })
>>> request.method = 'GET'
>>> form = TestAddForm(context, request)
>>> result = form()
Traceback (most recent call last):
...
Unauthorized: Unauthorized()
>>> context == []
True

On the other hand, POST requests will not trigger the permission error:

>>> request.method = 'POST'
>>> form = TestAddForm(context, request)
>>> form.disableAuthenticator = True
>>> result = form()
>>> print context[0].id
test

However, notice that the security authenticator is disabled. What this provide is the check for a CSRF prevention token that must be part of a request. Now try the above with the check enabled, as it will be by default:

>>> context = []
>>> request.method = 'POST'
>>> form = TestAddForm(context, request)
>>> result = form()
Traceback (most recent call last):
...
Unauthorized: Unauthorized()
>>> context == []
True

If the token is provided, as part of a normal form submission process using a form rendered by this site, the token will be included within a hidden input field. In the case of Plone, this token is provided by an authenticator view. If we include the generated token the form will be submitted properly:

>>> context = []
>>> authed_request = base.TestRequest(form=request.form)
>>> authed_request.method = 'POST'
>>> '_authenticator' in authed_request.form
True
>>> form = TestAddForm(context, authed_request)
>>> result = form()
>>> print context[0].id
test

Pages

These were just simple rendering pages meant for wrapping by the layout classes to be replaced by more standard Plone way of rendering templates.

Let’s subclass one:

>>> from pmr2.z3cform.tests.base import TestRequest
>>> from pmr2.z3cform.page import SimplePage
>>>
>>> class TestPage(SimplePage):
...     template = lambda x: 'Hello'

Then render it:

>>> context = self.portal
>>> request = TestRequest()
>>> page = TestPage(context, request)
>>> print page()
<h1 class="documentFirstHeading">Plone site</h1>
<div id="content-core">
  <div>Hello</div>
</div>

If we register this view on the main site, we should be able to render this using the testbrowser. This will then render the same page with all the templates associated with Plone:

>>> import zope.component
>>> from Testing.testbrowser import Browser
>>> zope.component.provideAdapter(TestPage, (None, None),
...     zope.publisher.interfaces.browser.IBrowserView,
...     name='pmr2z3cform-testpage')
...
>>> tb = Browser()
>>> tb.open(context.absolute_url() + '/@@pmr2z3cform-testpage')
>>> 'Plone - http://plone.org' in tb.contents
True
>>> '<div>Hello</div>' in tb.contents
True

While traversal views are generally implementation specific, a quick demonstration is still possible. Try subclassing one:

>>> from pmr2.z3cform.page import TraversePage
>>>
>>> class TestTraversePage(TraversePage):
...     _template = 'Subpath is: %s'
...     def template(self):
...          subpath = '/'.join(self.traverse_subpath)
...          return self._template % subpath

Manually simulate traversal and render the form:

>>> context = self.portal
>>> request = TestRequest()
>>> page = TestTraversePage(context, request)
>>> p = page.publishTraverse(request, 'a')
>>> p = page.publishTraverse(request, 'b')
>>> print page()
<h1 class="documentFirstHeading">Plone site</h1>
<div id="content-core">
  <div>Subpath is: a/b</div>
</div>

Much like the SimplePage example, do the registration again:

>>> zope.component.provideAdapter(TestTraversePage, (None, None),
...     zope.publisher.interfaces.browser.IBrowserView,
...     name='pmr2z3cform-testtraversepage')
...
>>> tb = Browser()
>>> tb.open(context.absolute_url() + '/@@pmr2z3cform-testtraversepage' +
...     '/a/b/c/some_path')
>>> 'Plone - http://plone.org' in tb.contents
True
>>> '<div>Subpath is: a/b/c/some_path</div>' in tb.contents
True

Changelog

0.3.3 - 2017-01-11

  • Using the view directly should work for both plone.protect 2 and 3 within the unittesting environment.

  • Ensure the local test cases here work with fixes introduced by Products.PloneHotfix20160830.

  • Update the keyring support to deal with anonymous test users to permit following of the same logic.

0.3 - 2017-01-05

  • Support for the form specific keyring introduced by plone.protect>3 and plone.keyring>3; fallback is also supported.

0.2.1 - 2013-10-24

  • Packaging fixes; this is done for wording and cleaner generic setup integration.

0.2 - 2013-07-09

  • Now provide the customized ploneform macros, migrated in from the pmr2.app module.

  • Making use of bootstrap classes

  • Removed deprecated zope.app.* imports.

0.1 - 2013-01-17

  • Initial release of various helper forms and view classes for the pmr2 libraries.

  • Provide a wrapped BrowserView class that can adapt to multiple wrapper templates much like how plone.z3cform does, so that views don’t invoke items that may not be available due to lack of a full portal.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pmr2.z3cform-0.3.3.tar.gz (24.5 kB view hashes)

Uploaded Source

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page