misc: option to disable python expressions (#55978)

tests/admin_pages/test_datasource.py

@@ -180,13 +180,6 @@ def test_data_sources_new(pub):
     resp.forms[0]['name'] = 'a new data source'
     resp.forms[0]['description'] = 'description of the data source'
 
-    assert resp.form['data_source$type'].options == [
-        ('None', True, 'None'),
-        ('json', False, 'JSON URL'),
-        ('jsonp', False, 'JSONP URL'),
-        ('geojson', False, 'GeoJSON URL'),
-        ('python', False, 'Python Expression'),
-    ]
     resp.forms[0]['data_source$type'] = 'python'
     resp = resp.forms[0].submit('data_source$apply')
     resp.forms[0]['data_source$value'] = repr([{'id': '1', 'text': 'un'}, {'id': '2', 'text': 'deux'}])
@@ -215,6 +208,41 @@ def test_data_sources_new(pub):
     assert NamedDataSource.count() == 2
 
 
+def test_data_sources_type_options(pub):
+    create_superuser(pub)
+
+    data_source = NamedDataSource(name='foobar')
+    data_source.store()
+
+    if not pub.site_options.has_section('options'):
+        pub.site_options.add_section('options')
+    pub.site_options.set('options', 'disable-python-expressions', 'false')
+    with open(os.path.join(pub.app_dir, 'site-options.cfg'), 'w') as fd:
+        pub.site_options.write(fd)
+
+    app = login(get_app(pub))
+    resp = app.get('/backoffice/settings/data-sources/%s/edit' % data_source.id)
+    assert resp.form['data_source$type'].options == [
+        ('None', True, 'None'),
+        ('json', False, 'JSON URL'),
+        ('jsonp', False, 'JSONP URL'),
+        ('geojson', False, 'GeoJSON URL'),
+        ('python', False, 'Python Expression'),
+    ]
+
+    pub.site_options.set('options', 'disable-python-expressions', 'true')
+    with open(os.path.join(pub.app_dir, 'site-options.cfg'), 'w') as fd:
+        pub.site_options.write(fd)
+
+    resp = app.get('/backoffice/settings/data-sources/%s/edit' % data_source.id)
+    assert resp.form['data_source$type'].options == [
+        ('None', True, 'None'),
+        ('json', False, 'JSON URL'),
+        ('jsonp', False, 'JSONP URL'),
+        ('geojson', False, 'GeoJSON URL'),
+    ]
+
+
 def test_data_sources_view(pub):
     create_superuser(pub)
     NamedDataSource.wipe()

tests/admin_pages/test_form.py

@@ -1549,6 +1549,44 @@ def test_form_prefill_field(pub):
     assert 'syntax error in Django template: Unexpected end of expression' in resp.text
 
 
+def test_form_prefill_type_options(pub):
+    create_superuser(pub)
+
+    FormDef.wipe()
+    formdef = FormDef()
+    formdef.name = 'form title'
+    formdef.fields = [fields.StringField(id='1', label='1st field', type='string')]
+    formdef.store()
+
+    if not pub.site_options.has_section('options'):
+        pub.site_options.add_section('options')
+    pub.site_options.set('options', 'disable-python-expressions', 'false')
+    with open(os.path.join(pub.app_dir, 'site-options.cfg'), 'w') as fd:
+        pub.site_options.write(fd)
+
+    app = login(get_app(pub))
+    resp = app.get('/backoffice/forms/1/fields/1/')
+    assert resp.forms[0]['prefill$type'].options == [
+        ('None', False, 'None'),
+        ('String / Template', False, 'String / Template'),
+        ('Python Expression', False, 'Python Expression'),
+        ('User Field', False, 'User Field'),
+        ('Geolocation', False, 'Geolocation'),
+    ]
+
+    pub.site_options.set('options', 'disable-python-expressions', 'true')
+    with open(os.path.join(pub.app_dir, 'site-options.cfg'), 'w') as fd:
+        pub.site_options.write(fd)
+
+    resp = app.get('/backoffice/forms/1/fields/1/')
+    assert resp.forms[0]['prefill$type'].options == [
+        ('None', False, 'None'),
+        ('String / Template', False, 'String / Template'),
+        ('User Field', False, 'User Field'),
+        ('Geolocation', False, 'Geolocation'),
+    ]
+
+
 def test_form_edit_string_field_validation(pub):
     create_superuser(pub)
     create_role(pub)
@@ -2159,6 +2197,40 @@ def test_form_limit_display_to_page(pub):
     assert '{{ form_var_baz }}' in hidden_fields
 
 
+def test_form_page_field_condition_types(pub):
+    create_superuser(pub)
+
+    FormDef.wipe()
+    formdef = FormDef()
+    formdef.name = 'form title'
+    formdef.fields = [
+        fields.PageField(id='0', label='1st page', type='page'),
+    ]
+    formdef.store()
+
+    if not pub.site_options.has_section('options'):
+        pub.site_options.add_section('options')
+    pub.site_options.set('options', 'disable-python-expressions', 'false')
+    with open(os.path.join(pub.app_dir, 'site-options.cfg'), 'w') as fd:
+        pub.site_options.write(fd)
+
+    app = login(get_app(pub))
+    resp = app.get('/backoffice/forms/1/fields/0/')
+    assert resp.form['condition$type'].options == [
+        ('django', False, 'Django Expression'),
+        ('python', False, 'Python Expression'),
+    ]
+
+    pub.site_options.set('options', 'disable-python-expressions', 'true')
+    with open(os.path.join(pub.app_dir, 'site-options.cfg'), 'w') as fd:
+        pub.site_options.write(fd)
+
+    resp = app.get('/backoffice/forms/1/fields/0/')
+    assert resp.form['condition$type'].options == [
+        ('django', False, 'Django Expression'),
+    ]
+
+
 def test_form_fields_reorder(pub):
     create_superuser(pub)
     create_role(pub)

tests/admin_pages/test_workflow.py

@@ -1990,6 +1990,46 @@ def test_workflows_global_actions_webservice_trigger(pub):
     assert 'External call (foobar)' in resp
 
 
+def test_workflows_global_actions_timeout_trigger_anchor_options(pub):
+    create_superuser(pub)
+
+    workflow = Workflow(name='global')
+    action = workflow.add_global_action('Global')
+    action.append_item('modify_criticality')
+    trigger = action.append_trigger('timeout')
+    workflow.store()
+
+    if not pub.site_options.has_section('options'):
+        pub.site_options.add_section('options')
+    pub.site_options.set('options', 'disable-python-expressions', 'false')
+    with open(os.path.join(pub.app_dir, 'site-options.cfg'), 'w') as fd:
+        pub.site_options.write(fd)
+
+    app = login(get_app(pub))
+    resp = app.get('/backoffice/workflows/%s/global-actions/1/triggers/%s/' % (workflow.id, trigger.id))
+    assert resp.form['anchor'].options == [
+        ('Creation', False, 'Creation'),
+        ('First arrival in status', False, 'First arrival in status'),
+        ('Latest arrival in status', False, 'Latest arrival in status'),
+        ('Arrival in final status', False, 'Arrival in final status'),
+        ('String / Template', False, 'String / Template'),
+        ('Python expression', False, 'Python expression'),
+    ]
+
+    pub.site_options.set('options', 'disable-python-expressions', 'true')
+    with open(os.path.join(pub.app_dir, 'site-options.cfg'), 'w') as fd:
+        pub.site_options.write(fd)
+
+    resp = app.get('/backoffice/workflows/%s/global-actions/1/triggers/%s/' % (workflow.id, trigger.id))
+    assert resp.form['anchor'].options == [
+        ('Creation', False, 'Creation'),
+        ('First arrival in status', False, 'First arrival in status'),
+        ('Latest arrival in status', False, 'Latest arrival in status'),
+        ('Arrival in final status', False, 'Arrival in final status'),
+        ('String / Template', False, 'String / Template'),
+    ]
+
+
 def test_workflows_global_actions_external_workflow_action(pub):
     create_superuser(pub)
     Workflow.wipe()
@@ -2278,6 +2318,47 @@ def test_workflows_create_carddata_action_config(pub):
     assert "syntax error: Could not parse the remainder: '{{' from '{{'" in resp
 
 
+def test_workflows_create_formdata_expression_types(pub):
+    create_superuser(pub)
+
+    target_formdef = FormDef()
+    target_formdef.name = 'target form'
+    target_formdef.fields = []
+    target_formdef.store()
+
+    wf = Workflow(name='create-formdata')
+    st1 = wf.add_status('New')
+    create_formdata = CreateFormdataWorkflowStatusItem()
+    create_formdata.formdef_slug = target_formdef.url_name
+    create_formdata.parent = st1
+    st1.items.append(create_formdata)
+    wf.store()
+
+    if not pub.site_options.has_section('options'):
+        pub.site_options.add_section('options')
+    pub.site_options.set('options', 'disable-python-expressions', 'false')
+    with open(os.path.join(pub.app_dir, 'site-options.cfg'), 'w') as fd:
+        pub.site_options.write(fd)
+
+    app = login(get_app(pub))
+    resp = app.get('/backoffice/workflows/%s/status/%s/items/1/' % (wf.id, st1.id))
+    assert resp.form['mappings$element0$expression$type'].options == [
+        ('text', False, 'Text'),
+        ('template', False, 'Template'),
+        ('python', False, 'Python Expression'),
+    ]
+
+    pub.site_options.set('options', 'disable-python-expressions', 'true')
+    with open(os.path.join(pub.app_dir, 'site-options.cfg'), 'w') as fd:
+        pub.site_options.write(fd)
+
+    resp = app.get('/backoffice/workflows/%s/status/%s/items/1/' % (wf.id, st1.id))
+    assert resp.form['mappings$element0$expression$type'].options == [
+        ('text', False, 'Text'),
+        ('template', False, 'Template'),
+    ]
+
+
 def test_workflows_edit_carddata_action_config(pub):
     create_superuser(pub)
 

wcs/data_sources.py

@@ -109,7 +109,8 @@ class DataSourceSelectionWidget(CompositeWidget):
             options.append(('jsonp', _('JSONP URL'), 'jsonp'))
         if allow_geojson:
             options.append(('geojson', _('GeoJSON URL'), 'geojson'))
-        options.append(('formula', _('Python Expression'), 'python'))
+        if not get_publisher().has_site_option('disable-python-expressions'):
+            options.append(('formula', _('Python Expression'), 'python'))
 
         self.add(
             SingleSelectWidget,

wcs/fields.py

@@ -96,7 +96,10 @@ class PrefillSelectionWidget(CompositeWidget):
         options = [
             ('none', _('None')),
             ('string', _('String / Template')),
-            ('formula', _('Python Expression')),
+        ]
+        if not get_publisher().has_site_option('disable-python-expressions'):
+            options.append(('formula', _('Python Expression')))
+        options += [
             ('user', _('User Field')),
             ('geolocation', _('Geolocation')),
         ]

wcs/qommon/form.py

@@ -2769,7 +2769,7 @@ class ComputedExpressionWidget(CompositeWidget):
             ('text', _('Text'), 'text'),
             ('template', _('Template'), 'template'),
         ]
-        if self.allow_python:
+        if self.allow_python and not get_publisher().has_site_option('disable-python-expressions'):
             options.append(('python', _('Python Expression'), 'python'))
 
         self.add(
@@ -2893,7 +2893,9 @@ class ConditionWidget(CompositeWidget):
 
         options = []
         options.append(('django', _('Django Expression'), 'django'))
-        if not kwargs.get('django_only'):
+        if not kwargs.get('django_only') and not get_publisher().has_site_option(
+            'disable-python-expressions'
+        ):
             options.append(('python', _('Python Expression'), 'python'))
 
         self.add(

wcs/workflows.py

@@ -1267,16 +1267,16 @@ class WorkflowGlobalActionTimeoutTrigger(WorkflowGlobalActionTrigger):
         )
 
     def get_anchor_labels(self):
-        return collections.OrderedDict(
-            [
-                ('creation', _('Creation')),
-                ('1st-arrival', _('First arrival in status')),
-                ('latest-arrival', _('Latest arrival in status')),
-                ('finalized', _('Arrival in final status')),
-                ('template', _('String / Template')),
-                ('python', _('Python expression')),
-            ]
-        )
+        options = [
+            ('creation', _('Creation')),
+            ('1st-arrival', _('First arrival in status')),
+            ('latest-arrival', _('Latest arrival in status')),
+            ('finalized', _('Arrival in final status')),
+            ('template', _('String / Template')),
+        ]
+        if not get_publisher().has_site_option('disable-python-expressions'):
+            options.append(('python', _('Python expression')))
+        return collections.OrderedDict(options)
 
     def properly_configured(self):
         workflow = self.parent.parent