Roundup Tracker - Issues

Message5924

Author rouilj
Recipients rouilj
Date 2017-01-31.23:57:01
Message-id <1485907046.55.0.810256723389.issue2550933@psf.upfronthosting.co.za>
In-reply-to
If you go to the edit form for a user e.g. tracker/user3 and type in two
different passwords for the password fields, you get a traceback:

   <type 'exceptions.AttributeError'>: 'str' object has no attribute 'dummystr'

   Debugging information follows

    While evaluating the standard:'context/history' expression on line 163 


In cgi/templating.py PasswordHTMLProperty::plain calls:

        if isinstance(self._value, hyperdb.Password):
            value = self._value.dummystr()
        else:
            value = self._('[hidden]')
        if escape:
            value = cgi.escape(value)

I think the intent is to hide the hashed password but display the
schema. I'll bet this worked until the latest changes to better
preserve form data when there is an error. The string value assigned
to the password field is now assigned to _value. I think it used to
initialize _value from the password object in the database.

The password object (via JournalPassword) has a dummystr that represents
the password using the scheme used to encrypt the password and then displays
a placeholder for the encrypted password.

I can fix this by changing the code above to:

        if self._value is None:
            return ''
        if isinstance(self._value, hyperdb.Password):
            value = self._value.dummystr()
        else:
            value = self._('[hidden]')
        if escape:
            value = cgi.escape(value)
        return value

so this hides the password if it's a string.

Arguably an alternate fix could be to access the db and pull the
password from here and call the dummystr() on it, but this only
triggers when people are changing the password and the password field
is masked so why waste the time doing that.

I am not sure when the self._value.dummystr() code would be triggered. I
guess if somebody had a custom index page that displayed the password
field it could be shown.

For history (and in case this helps others understand what is happening
if I got it wrong) full traceback of the failure:

Traceback (most recent call last):
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/client.py", line 1227, in renderContext
    result = pt.render(self, None, None, **args)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/engine_zopetal.py", line 92, in render
    getEngine().getContext(c), output, tal=1, strictinsert=0)()
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 192, in __call__
    self.interpret(self.program)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 236, in interpret
    handlers[opcode](self, args)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 666, in do_useMacro
    self.interpret(macro)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 236, in interpret
    handlers[opcode](self, args)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 411, in do_optTag_tal
    self.do_optTag(stuff)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 396, in do_optTag
    return self.no_tag(start, program)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 391, in no_tag
    self.interpret(program)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 236, in interpret
    handlers[opcode](self, args)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 689, in do_defineSlot
    self.interpret(slot)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 236, in interpret
    handlers[opcode](self, args)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 632, in do_condition
    self.interpret(block)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 236, in interpret
    handlers[opcode](self, args)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 632, in do_condition
    self.interpret(block)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 236, in interpret
    handlers[opcode](self, args)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 411, in do_optTag_tal
    self.do_optTag(stuff)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 396, in do_optTag
    return self.no_tag(start, program)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 391, in no_tag
    self.interpret(program)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 236, in interpret
    handlers[opcode](self, args)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 632, in do_condition
    self.interpret(block)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 236, in interpret
    handlers[opcode](self, args)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/TAL/TALInterpreter.py", line 564, in do_insertStructure_tal
    structure = self.engine.evaluateStructure(expr)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/PageTemplates/TALES.py", line 225, in evaluate
    return expression(self)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/PageTemplates/Expressions.py", line 193, in __call__
    return self._eval(econtext)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/PageTemplates/Expressions.py", line 188, in _eval
    return render(ob, econtext.vars)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/PageTemplates/Expressions.py", line 94, in render
    ob = ob()
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/templating.py", line 893, in history
    current[prop_n] = prop.plain(escape=1)
  File "/home/rouilj/develop/roundup.dev/roundup.sysadmin/roundup/cgi/templating.py", line 1557, in plain
    value = self._value.dummystr()
AttributeError: 'str' object has no attribute 'dummystr'
History
Date                 User    Action  Args
2017-01-31 23:57:26  rouilj  set     recipients: + rouilj
2017-01-31 23:57:26  rouilj  set     messageid: <1485907046.55.0.810256723389.issue2550933@psf.upfronthosting.co.za>
2017-01-31 23:57:03  rouilj  link    issue2550933 messages
2017-01-31 23:57:01  rouilj  create
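
The failure and the proposed guard from the message above, reduced to a stand-alone check. This is an added example, not Roundup's code and not part of the original message. The `Password` stand-in, the exact `dummystr()` output format, the `_` translation stub, and the use of `html.escape` in place of `cgi.escape` are assumptions.

```python
import html


class Password:
    """Simplified stand-in for hyperdb.Password (not Roundup's class)."""

    def __init__(self, scheme, digest):
        self.scheme = scheme
        self.digest = digest

    def dummystr(self):
        # Assumed format: scheme name plus a fixed placeholder, never the digest.
        return "{%s}*encrypted*" % self.scheme


def plain_unguarded(value, escape=False):
    """The call from the failing traceback frame, with no type check."""
    text = value.dummystr()
    return html.escape(text) if escape else text


def plain_guarded(value, escape=False, _=lambda s: s):
    """The branch structure proposed in the message; `_` stands in for i18n."""
    if value is None:
        return ''
    if isinstance(value, Password):
        text = value.dummystr()
    else:
        # Re-displayed form data: a raw submitted string must not be echoed.
        text = _('[hidden]')
    return html.escape(text) if escape else text


def compare(value):
    """Return (unguarded result or exception name, guarded result)."""
    try:
        before = plain_unguarded(value, escape=True)
    except AttributeError as exc:
        before = type(exc).__name__
    return before, plain_guarded(value, escape=True)


# Constructed sample values: a stored password object, an unset property, and
# the raw string left in the field after a mismatched-password form error.
STORED = Password("PBKDF2", "constructed-digest")
SUBMITTED = "s3cret<script>"

if __name__ == "__main__":
    for sample in (STORED, None, SUBMITTED):
        print(repr(compare(sample)))
```
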