issue2550891: Allow subdir in template value. Anthony (antmail)

requested the ability to put templates into subdirectories. So
the issue class can accept @template=issues/item to get the
html/issues/issue.item.html template.

Inlcude a test case for missing and existing (tal) templates.
Also include a test that fails path traversal check.

Add mention of subdiectoy use to customizing.txt along with some
spelling fixes and ^M removal.

Author: rouilj

CHANGES.txt

@@ -130,6 +130,10 @@ Features:
   'msg_header_property' we can do this easily. Setting the
   'msg_header_property' to the empty string '' (not to None) will
   suppress the header for that property. (John Rouillard)
+- issue2550891: Allow subdir in template value. Anthony (antmail)
+  requested the ability to put templates into subdirectories. So
+  the issue class can accept @template=issues/item to get the
+  html/issues/issue.item.html template. See ``doc/upgrading.txt``.
 
 Fixed:
 

doc/customizing.txt

@@ -94,7 +94,7 @@ Section **main**
 
  templates -- ``html``
   Path to the HTML templates directory. The path may be either absolute
-  or relative to the directory containig this config file.
+  or relative to the directory containing this config file.
 
  static_files -- default *blank*
   Path to directory holding additional static files available via Web
@@ -1480,11 +1480,11 @@ e. if the path starts with an item designator and is longer than one
    with (i.e. "file1/kitten.png" is nicer to download than "file1").
    This raises a ``SendFile`` exception.
 
-Neither b. or e. use templates and stop before the template is
-determined. For other contexts the template used is specified by the
+Neither b. or e. use templates and stop before the template is
+determined. For other contexts the template used is specified by the
 ``@template`` variable, which defaults to:
 
-- only classname suplied:        "index"
+- only classname supplied:       "index"
 - full item designator supplied: "item"
 
 
@@ -1798,6 +1798,15 @@ access the test template using the "@template" URL argument::
 
 and it won't affect your users using the "issue.item" template.
 
+You can also put templates into a subdirectory of the template
+directory. So if you specify::
+
+   http://your.tracker.example/tracker/issue?@template=test/item
+
+you will use the template at: ``test/issue.item.html``. If that
+template doesn't exit it will try to use
+``test/_generic.item.html``. If that template doesn't exist
+it will return an error.
 
 How the templates work
 ----------------------

doc/upgrading.txt

@@ -173,6 +173,19 @@ If your deployed tracker is based on: classic, minimal, responsive or
 devel templates and has not changed the html/_generic.404.html file,
 you can copy in the new file to get this additional functionality.
 
+Organize templates into subdirectories
+--------------------------------------
+
+The @template parameter to the web interface allows the use of
+subdirectories. So a setting of @template=view/view for an issue would
+use the template in the tracker's html/view/issue.view.html. Similarly
+for a caller class, you could put all the templates under the
+html/caller directory with names like: html/caller/caller.item.html,
+html/caller/caller.index.html etc. You may want to symbolically link the
+html/_generic* templates into your subdirectory so that missing
+templates (e.g. a missing caller.edit.html template) can be satisfied
+by the _generic.edit.html template.
+
 Schema change to allow "Show Unassigned" issues link to work for Anonymous user
 -------------------------------------------------------------------------------
 

roundup/cgi/client.py

@@ -1157,7 +1157,17 @@ def selectTemplate(self, name, view):
 
         tplname = name     
         if view:
-            tplname = '%s.%s' % (name, view)
+            # Support subdirectories for templates. Value is path/to/VIEW
+            # or just VIEW if the template is in the html directory of
+            # the tracker.
+            slash_loc = view.rfind("/")
+            if slash_loc == -1:
+                # try plain class.view
+                tplname = '%s.%s' % (name, view)
+            else:
+                # try path/class.view
+                tplname = '%s/%s.%s'%(
+                    view[:slash_loc], name, view[slash_loc+1:])
 
         if loader.check(tplname):
             return tplname
@@ -1167,7 +1177,10 @@ def selectTemplate(self, name, view):
         if not view:
             raise templating.NoTemplate('Template "%s" doesn\'t exist' % name)
 
-        generic = '_generic.%s' % view
+        if slash_loc == -1:
+            generic = '_generic.%s' % view
+        else:
+            generic = '%s/_generic.%s' % (view[:slash_loc], view[slash_loc+1:])
         if loader.check(generic):
             return generic
 

test/test_cgi.py

@@ -12,7 +12,7 @@
 
 from roundup.cgi import client, actions, exceptions
 from roundup.cgi.exceptions import FormError
-from roundup.cgi.templating import HTMLItem, HTMLRequest
+from roundup.cgi.templating import HTMLItem, HTMLRequest, NoTemplate
 from roundup.cgi.form_parser import FormParser
 from roundup import init, instance, password, hyperdb, date
 
@@ -1085,4 +1085,83 @@ def testCSVExportFailPermission(self):
         self.assertRaises(exceptions.SeriousError,
             actions.ExportCSVAction(cl).handle)
 
+class TemplateTestCase(unittest.TestCase):
+    ''' Test the template resolving code, i.e. what can be given to @template
+    '''
+    def setUp(self):
+        self.dirname = '_test_template'
+        # set up and open a tracker
+        self.instance = db_test_base.setupTracker(self.dirname)
+
+        # open the database
+        self.db = self.instance.open('admin')
+        self.db.tx_Source = "web"
+        self.db.user.create(username='Chef', address='[email protected]',
+            realname='Bork, Chef', roles='User')
+        self.db.user.create(username='mary', address='[email protected]',
+            roles='User', realname='Contrary, Mary')
+        self.db.post_init()
+
+    def tearDown(self):
+        self.db.close()
+        try:
+            shutil.rmtree(self.dirname)
+        except OSError, error:
+            if error.errno not in (errno.ENOENT, errno.ESRCH): raise
+
+    def testTemplateSubdirectory(self):
+        # test for templates in subdirectories
+
+        # make the directory
+        subdir = self.dirname + "/html/subdir"
+        os.mkdir(subdir)
+
+        # get the client instance The form is needed to initialize,
+        # but not used since I call selectTemplate directly.
+        t = client.Client(self.instance, "user",
+                {'PATH_INFO':'/user', 'REQUEST_METHOD':'POST'},
+         form=makeForm({"@template": "item"}))
+
+        # create new file in subdir and a dummy file outside of
+        # the tracker's html subdirectory
+        shutil.copyfile(self.dirname + "/html/issue.item.html",
+                        subdir + "/issue.item.html")
+        shutil.copyfile(self.dirname + "/html/user.item.html",
+                        self.dirname + "/user.item.html")
+
+        # create link outside the html subdir. This should fail due to
+        # path traversal check.
+        os.symlink("../../user.item.html", subdir + "/user.item.html")
+        # it will be removed and replaced by a later test
+
+        # make sure a simple non-subdir template works.
+        # user.item.html exists so this works.
+        # note that the extension is not included just the basename
+        self.assertEqual("user.item", t.selectTemplate("user", "item"))
+
+        # there is no html/subdir/user.item.{,xml,html} so it will
+        # raise NoTemplate.
+        self.assertRaises(NoTemplate,
+                          t.selectTemplate, "user", "subdir/item")
+
+        # there is an html/subdir/issue.item.html so this succeeeds
+        r = t.selectTemplate("issue", "subdir/item")
+        self.assertEqual("subdir/issue.item", r)
+
+        # there is a self.directory + /html/subdir/user.item.html file,
+        # but it is a link to self.dir /user.item.html which is outside
+        # the html subdir so is rejected by the path traversal check.
+        self.assertRaises(NoTemplate,
+                          t.selectTemplate, "user", "subdir/item")
+
+        # clear out the link and create a new one to self.dirname +
+        # html/user.item.html which is inside the html subdir
+        # so the template check returns the symbolic link path.
+        os.remove(subdir + "/user.item.html")
+        os.symlink("../user.item.html", subdir + "/user.item.xml")
+
+        # template check works
+        r = t.selectTemplate("user", "subdir/item")
+        self.assertEquals("subdir/user.item", r)
+
 # vim: set filetype=python sts=4 sw=4 et si :