[Rt-commit] rt branch, 3.9-trunk, updated. rt-3.8.8-770-g44eb217
Shawn Moore
sartak at bestpractical.com
Thu Sep 16 10:56:54 EDT 2010
The branch, 3.9-trunk has been updated
via 44eb2170ac1d9d944f4e3c17bd10b76a9fa09e7f (commit)
via 193b6894ec2678c05264ac3fe2deec76f2734302 (commit)
via 8e08c4e4bc64335b692d9edf6c0ea94f1289c09f (commit)
from 3778546e289e4f35361a081833aee9296844aac1 (commit)
Summary of changes:
lib/RT/Template_Overlay.pm | 17 +++++++
lib/RT/Test.pm | 2 +-
t/api/execute-code.t | 108 ++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 126 insertions(+), 1 deletions(-)
create mode 100644 t/api/execute-code.t
- Log -----------------------------------------------------------------
commit 8e08c4e4bc64335b692d9edf6c0ea94f1289c09f
Author: Shawn M Moore <sartak at bestpractical.com>
Date: Wed Sep 15 13:28:59 2010 -0400
Allow RT_TEST_VERBOSE to display diags
diff --git a/lib/RT/Test.pm b/lib/RT/Test.pm
index e8c9840..4772754 100644
--- a/lib/RT/Test.pm
+++ b/lib/RT/Test.pm
@@ -1357,7 +1357,7 @@ sub process_in_file {
}
sub diag {
- return unless $ENV{TEST_VERBOSE};
+ return unless $ENV{RT_TEST_VERBOSE} || $ENV{TEST_VERBOSE};
goto \&Test::More::diag;
}
commit 193b6894ec2678c05264ac3fe2deec76f2734302
Author: Shawn M Moore <sartak at bestpractical.com>
Date: Wed Sep 15 14:09:17 2010 -0400
Make sure people without ExecuteCode can't update Content when template is Perl
Ferreted out by an upcoming test file
diff --git a/lib/RT/Template_Overlay.pm b/lib/RT/Template_Overlay.pm
index dd496bd..1a4cda7 100755
--- a/lib/RT/Template_Overlay.pm
+++ b/lib/RT/Template_Overlay.pm
@@ -611,6 +611,23 @@ sub SetType {
return $self->_Set( Field => 'Type', Value => $NewType );
}
+=head2 SetContent
+
+If changing content and the type is Perl, require the ExecuteCode right.
+
+=cut
+
+sub SetContent {
+ my $self = shift;
+ my $NewContent = shift;
+
+ if ($self->Type eq 'Perl' && !$self->CurrentUser->HasRight(Right => 'ExecuteCode', Object => $RT::System)) {
+ return ( undef, $self->loc('Permission Denied') );
+ }
+
+ return $self->_Set( Field => 'Content', Value => $NewContent );
+}
+
sub _UpdateAttributes {
my $self = shift;
my %args = (
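Review bot: The gate on L54 is `$self->Type eq 'Perl'`, so a template object whose Type is undef (a freshly constructed object, or a row without a Type) makes `eq` emit an uninitialized-value warning under `use warnings`; `defined $self->Type && $self->Type eq 'Perl'` keeps the same decision without the noise. The ExecuteCode check exists only in SetContent, and `_UpdateAttributes` (its header is the last hunk line, its body lies outside the hunk) appears to write fields too — if it routes Content through `_Set` rather than through SetContent, callers of it would bypass this check, which is worth confirming. Whether `_Set` itself enforces ModifyTemplate is not visible in the hunk; SetContent relies on that for the non-Perl path. The POD could also state the failure contract, e.g. `Returns (undef, 'Permission Denied') when the current user lacks ExecuteCode on $RT::System.`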
commit 44eb2170ac1d9d944f4e3c17bd10b76a9fa09e7f
Author: Shawn M Moore <sartak at bestpractical.com>
Date: Thu Sep 16 10:37:48 2010 -0400
Add API tests for ExecuteCode
diff --git a/t/api/execute-code.t b/t/api/execute-code.t
new file mode 100644
index 0000000..e9139be
--- /dev/null
+++ b/t/api/execute-code.t
@@ -0,0 +1,108 @@
+use strict;
+use warnings;
+use RT::Test tests => 17;
+
+my $ticket = RT::Ticket->new($RT::SystemUser);
+ok(
+ $ticket->Create(
+ Subject => 'blue lines',
+ Queue => 'General',
+ )
+);
+
+my $attacker = RT::User->new($RT::SystemUser);
+ok(
+ $attacker->Create(
+ Name => 'attacker',
+ Password => 'foobar',
+ Privileged => 1,
+ )
+);
+
+my $template_as_attacker = RT::Template->new($attacker);
+
+# can't create templates without ModifyTemplate
+my ($ok, $msg) = $template_as_attacker->Create(
+ Name => 'Harmless, honest!',
+ Content => "\nhello ;)",
+ Type => 'Perl',
+);
+ok(!$ok, 'permission to create denied');
+
+
+# permit modifying templates but they must be simple
+$attacker->PrincipalObj->GrantRight(Right => 'ShowTemplate', Object => $RT::System);
+$attacker->PrincipalObj->GrantRight(Right => 'ModifyTemplate', Object => $RT::System);
+
+($ok, $msg) = $template_as_attacker->Create(
+ Name => 'Harmless, honest!',
+ Content => "\nhello ;)",
+ Type => 'Perl',
+);
+ok(!$ok, 'permission to create denied');
+
+
+($ok, $msg) = $template_as_attacker->Create(
+ Name => 'Harmless, honest!',
+ Content => "\nhello ;)",
+ Type => 'Simple',
+);
+ok($ok, 'created template now that we have ModifyTemplate');
+
+($ok, $msg) = $template_as_attacker->SetType('Perl');
+ok(!$ok, 'permission to update type to Perl denied');
+
+my $template_as_root = RT::Template->new($RT::SystemUser);
+$template_as_root->Load('Harmless, honest!');
+is($template_as_root->Content, "\nhello ;)");
+is($template_as_root->Type, 'Simple');
+
+$template_as_root->Parse(TicketObj => $ticket);
+is($template_as_root->MIMEObj->stringify_body, "hello ;)");
+
+
+# update the content to include code (even though Simple won't parse it)
+
+($ok, $msg) = $template_as_attacker->SetContent("\nYou are { (my \$message = 'bjarq') =~ tr/a-z/n-za-m/; \$message }!");
+ok($ok, 'updating Content permitted since the template is Simple');
+
+$template_as_root = RT::Template->new($RT::SystemUser);
+$template_as_root->Load('Harmless, honest!');
+
+is($template_as_root->Content, "\nYou are { (my \$message = 'bjarq') =~ tr/a-z/n-za-m/; \$message }!");
+is($template_as_root->Type, 'Simple');
+
+$template_as_root->Parse(TicketObj => $ticket);
+is($template_as_root->MIMEObj->stringify_body, "You are { (my \$message = 'bjarq') =~ tr/a-z/n-za-m/; \$message }!");
+
+
+# try again, why not
+($ok, $msg) = $template_as_attacker->SetType('Perl');
+ok(!$ok, 'permission to update type to Perl denied');
+
+
+# now root will change the template to genuine code
+$template_as_root = RT::Template->new($RT::SystemUser);
+$template_as_root->Load('Harmless, honest!');
+$template_as_root->SetType('Perl');
+$template_as_root->SetContent("\n{ scalar reverse \$Ticket->Subject }");
+
+$template_as_root->Parse(TicketObj => $ticket);
+is($template_as_root->MIMEObj->stringify_body, "senil eulb");
+
+
+# see if we can update anything
+$template_as_attacker = RT::Template->new($attacker);
+$template_as_attacker->Load('Harmless, honest!');
+
+($ok, $msg) = $template_as_attacker->SetContent("\nYou are { (my \$message = 'bjarq') =~ tr/a-z/n-za-m/; \$message }!");
+ok(!$ok, 'updating Content forbidden since the template is Perl');
+
+# try again just to be absolutely sure it doesn't work
+$template_as_root = RT::Template->new($RT::SystemUser);
+$template_as_root->Load('Harmless, honest!');
+$template_as_root->SetType('Perl');
+$template_as_root->SetContent("\n{ scalar reverse \$Ticket->Subject }");
+
+$template_as_root->Parse(TicketObj => $ticket);
+is($template_as_root->MIMEObj->stringify_body, "senil eulb");
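Review bot: The denied write at L171–L172 is checked only through SetContent's return value; L175–L178 then reset Type and Content as root before the parse at L180–L181, so the test never verifies that the refused update left the stored template untouched. Reloading as root right after L172 and asserting `is($template_as_root->Content, "\n{ scalar reverse \$Ticket->Subject }", 'denied SetContent did not persist');` (with `tests => 18`) would pin that, since L181 passes regardless of what L171 wrote. The root calls at L160, L161, L177 and L178 also discard their return values; wrapping them in `ok(...)` reports the real failure instead of an unexplained mismatch at L164 or L181. The `is` checks at L130, L131, L134, L145, L146, L149, L164 and L181 have no description, which makes failures hard to place in a 17-assertion file.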
-----------------------------------------------------------------------