Launchpad itself

Merge lp:~stevenk/launchpad/ppa-packages-deletion-grammar into lp:launchpad

  1. ppa-packages-deletion-grammar
  2. Merge into devel
Proposed by Steve Kowalik on 2012-01-30
Status: Merged
Approved by: Steve Kowalik on 2012-01-30
Approved revision: no longer in the source branch.
Merged at revision: 14734
Proposed branch: lp:~stevenk/launchpad/ppa-packages-deletion-grammar
Merge into: lp:launchpad
Diff against target: 126 lines (+21/-23)
3 files modified
lib/lp/soyuz/browser/archive.py (+9/-14)
lib/lp/soyuz/stories/ppa/xx-delete-packages.txt (+11/-8)
lib/lp/soyuz/stories/soyuz/xx-person-packages.txt (+1/-1)
To merge this branch: bzr merge lp:~stevenk/launchpad/ppa-packages-deletion-grammar
Reviewer Review Type Date Requested Status
William Grant code 2012-01-30 Approve on 2012-01-30
Review via email: mp+90646@code.launchpad.net

Commit Message

[r=wgrant][bug=923604] Use better grammar and kill two XSSes in the notification when deleting packages from a PPA.

Description of the Change

At least *try* for better grammar in the deletion notification when deleting packages from a PPA.

As an added bonus, fix two XSSes since we weren't escaping untrusted data.

To post a comment you must log in.
William Grant (wgrant) wrote :

33 + notification = '\n'.join([msg.escapedtext for msg in messages])
34 + self.request.response.addNotification(structured(notification))

I'd prefer to see the structured() in the previous line, as that's where the .escapedtext which makes calling structured() safe is. Calling structured() with a variable as the first arg is going to lead to mistakes.

review: Approve (code)

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'lib/lp/soyuz/browser/archive.py'
2--- lib/lp/soyuz/browser/archive.py 2012-01-06 14:22:17 +0000
3+++ lib/lp/soyuz/browser/archive.py 2012-01-30 12:14:24 +0000
4@@ -1,4 +1,4 @@
5-# Copyright 2009-2011 Canonical Ltd. This software is licensed under the
6+# Copyright 2009-2012 Canonical Ltd. This software is licensed under the
7 # GNU Affero General Public License version 3 (see the file LICENSE).
8
9 """Browser views for archive."""
10@@ -1211,20 +1211,15 @@
11 publishing_set.requestDeletion(selected_sources, self.user, comment)
12
13 # Present a page notification describing the action.
14- messages = []
15- messages.append(
16- '<p>Source and binaries deleted by %s request:'
17- % self.user.displayname)
18+ messages = [structured(
19+ '<p>Source and binaries deleted by %s:', self.user.displayname)]
20 for source in selected_sources:
21- messages.append('<br/>%s' % source.displayname)
22- messages.append('</p>')
23- # Replace the 'comment' content added by the user via structured(),
24- # so it will be quoted appropriately.
25- messages.append("<p>Deletion comment: %(comment)s</p>")
26-
27- notification = "\n".join(messages)
28- self.request.response.addNotification(
29- structured(notification, comment=comment))
30+ messages.append(structured('<br/>%s', source.displayname))
31+ messages.append(structured(
32+ '</p>\n<p>Deletion comment: %s</p>', comment))
33+ notification = structured(
34+ '\n'.join([msg.escapedtext for msg in messages]))
35+ self.request.response.addNotification(notification)
36
37 self.setNextURL()
38
39
40=== modified file 'lib/lp/soyuz/stories/ppa/xx-delete-packages.txt'
41--- lib/lp/soyuz/stories/ppa/xx-delete-packages.txt 2012-01-15 11:06:57 +0000
42+++ lib/lp/soyuz/stories/ppa/xx-delete-packages.txt 2012-01-30 12:14:24 +0000
43@@ -1,4 +1,5 @@
44-= PPA package deletion =
45+PPA package deletion
46+====================
47
48 The PPA 'Delete packages' view allows users to delete packages form
49 their PPAs via the web UI. Only the owner of the PPA and Launchpad
50@@ -111,7 +112,7 @@
51 >>> messages = get_feedback_messages(admin_browser.contents)
52 >>> for msg in messages:
53 ... print msg
54- Source and binaries deleted by Foo Bar request:
55+ Source and binaries deleted by Foo Bar:
56 iceweasel 1.0 in breezy-autotest
57 Deletion comment: None
58
59@@ -155,7 +156,7 @@
60 >>> messages = get_feedback_messages(admin_browser.contents)
61 >>> for msg in messages:
62 ... print msg
63- Source and binaries deleted by Foo Bar request:
64+ Source and binaries deleted by Foo Bar:
65 cdrkit 1.0 in breezy-autotest
66 Deletion comment: DO &lt;where is my XSS ?&gt; IT
67
68@@ -242,7 +243,7 @@
69 >>> messages = get_feedback_messages(admin_browser.contents)
70 >>> for msg in messages:
71 ... print msg
72- Source and binaries deleted by Foo Bar request:
73+ Source and binaries deleted by Foo Bar:
74 iceweasel 1.0 in warty
75 pmount 0.1-1 in warty
76 Deletion comment: DO IT AGAIN !
77@@ -307,7 +308,8 @@
78 ...
79 This PPA does not contain any source packages published.
80
81-== Removing source partially deleted ==
82+Removing source partially deleted
83+---------------------------------
84
85 The 'delete-packages' interface should allow users to enforce removal
86 of packages partially removed or superseded. It happens, for instance,
87@@ -459,7 +461,7 @@
88 >>> messages = get_feedback_messages(user_browser.contents)
89 >>> for msg in messages:
90 ... print msg
91- Source and binaries deleted by No Privileges Person request:
92+ Source and binaries deleted by No Privileges Person:
93 foo 1.0 in hoary
94 Deletion comment: Deletion of a number of base pairs that is ...
95
96@@ -470,7 +472,7 @@
97 downloaded from librarian.
98
99 Please note also how the deletion comment is diplayed in its entirety as
100-opposed to being truncated after the fisrt 20 characters.
101+opposed to being truncated after the first 20 characters.
102
103 >>> user_browser.open(
104 ... 'http://launchpad.dev/~no-priv/+archive/ppa/+packages')
105@@ -488,7 +490,8 @@
106 >>> print extract_text(anon_browser.contents)
107 Publishing details
108 Deleted ... ago by No Privileges Person
109- Deletion of a number of base pairs that is not evenly divisible by three will lead to a frameshift mutation.
110+ Deletion of a number of base pairs that is not evenly divisible by three
111+ will lead to a frameshift mutation.
112 Changelog
113 Builds
114 i386
115
116=== modified file 'lib/lp/soyuz/stories/soyuz/xx-person-packages.txt'
117--- lib/lp/soyuz/stories/soyuz/xx-person-packages.txt 2011-12-30 06:14:56 +0000
118+++ lib/lp/soyuz/stories/soyuz/xx-person-packages.txt 2012-01-30 12:14:24 +0000
119@@ -375,7 +375,7 @@
120 >>> messages = get_feedback_messages(admin_browser.contents)
121 >>> for msg in messages:
122 ... print msg
123- Source and binaries deleted by Foo Bar request:
124+ Source and binaries deleted by Foo Bar:
125 source2 666 in breezy-autotest
126 Deletion comment: Bug 184490
127