admin: check object type on import (#5651)

wcs/admin/forms.py

@@ -36,7 +36,7 @@ from qommon import tokens
 from qommon.afterjobs import AfterJob
 from qommon import emails
 
-from wcs.formdef import FormDef
+from wcs.formdef import FormDef, FormdefImportError
 from wcs.categories import Category
 from wcs.roles import Role, logged_users_role, get_user_roles
 from wcs.workflows import Workflow
@@ -768,13 +768,24 @@ class FormDefPage(Directory):
             form.set_error('file', _('You have to enter a file or a URL.'))
             raise ValueError()
 
+        error, reason = False, None
         try:
             new_formdef = FormDef.import_from_xml(fp, include_id=True)
+        except FormdefImportError, e:
+            error = True
+            reason = _(e)
         except ValueError:
-            if form.get_widget('url').parse():
-                form.set_error('url', _('Invalid File'))
+            error = True
+
+        if error:
+            if reason:
+                msg = _('Invalid File (%s)') % reason
             else:
-                form.set_error('file', _('Invalid File'))
+                msg = _('Invalid File')
+            if form.get_widget('url').parse():
+                form.set_error('url', msg)
+            else:
+                form.set_error('file', msg)
             raise ValueError()
 
         if form.get_widget('new_formdef').parse():
@@ -1481,12 +1492,23 @@ class FormsDirectory(AccessControlled, Directory):
 
         try:
             formdef = FormDef.import_from_xml(fp)
+        except FormdefImportError, e:
+            error = True
+            reason = _(e)
         except ValueError:
-            if form.get_widget('url').parse():
-                form.set_error('url', _('Invalid File'))
+            error = True
+
+        if error:
+            if reason:
+                msg = _('Invalid File (%s)') % reason
             else:
-                form.set_error('file', _('Invalid File'))
+                msg = _('Invalid File')
+            if form.get_widget('url').parse():
+                form.set_error('url', msg)
+            else:
+                form.set_error('file', msg)
             raise ValueError()
+
         formdef.disabled = True
         formdef.store()
         get_session().message = ('info',

wcs/admin/workflows.py

@@ -1003,14 +1003,26 @@ class WorkflowsDirectory(Directory):
             form.set_error('file', _('You have to enter a file or a URL.'))
             raise ValueError()
 
+        error, reason = False, None
         try:
             workflow = Workflow.import_from_xml(fp)
+        except WorkflowImportError, e:
+            error = True
+            reason = _(e)
         except ValueError:
-            if form.get_widget('url').parse():
-                form.set_error('url', _('Invalid File'))
+            error = True
+
+        if error:
+            if reason:
+                msg = _('Invalid File (%s)') % reason
             else:
-                form.set_error('file', _('Invalid File'))
+                msg = _('Invalid File')
+            if form.get_widget('url').parse():
+                form.set_error('url', msg)
+            else:
+                form.set_error('file', msg)
             raise ValueError()
+
         initial_workflow_name = workflow.name
         workflow_names = [x.name for x in Workflow.select()]
         copy_no = 1

wcs/formdef.py

@@ -34,6 +34,11 @@ from categories import Category
 from wcs.workflows import Workflow, get_role_translation
 import fields
 
+
+class FormdefImportError(Exception):
+    pass
+
+
 class FormField:
     ### only used to unpickle form fields from older (<200603) versions
     def __setstate__(self, dict):
@@ -557,13 +562,16 @@ class FormDef(StorableObject):
             charset = get_publisher().site_charset
         formdef = cls()
         if tree.find('name') is None or not tree.find('name').text:
-            raise ValueError()
+            raise FormdefImportError(N_('Missing name'))
 
         # if the tree we get is actually a ElementTree for real, we get its
         # root element and go on happily.
         if not ET.iselement(tree):
             tree = tree.getroot()
 
+        if tree.tag != 'formdef':
+            raise FormdefImportError(N_('Not a form'))
+
         if include_id and tree.attrib.get('id'):
             formdef.id = tree.attrib.get('id')
         for text_attribute in list(cls.TEXT_ATTRIBUTES):

wcs/workflows.py

@@ -46,6 +46,10 @@ def lax_int(s):
         return -1
 
 
+class WorkflowImportError(Exception):
+    pass
+
+
 class AttachmentEvolutionPart:
     orig_filename = None
     base_filename = None
@@ -290,13 +294,16 @@ class Workflow(StorableObject):
         charset = get_publisher().site_charset
         workflow = cls()
         if tree.find('name') is None or not tree.find('name').text:
-            raise ValueError()
+            raise WorkflowImportError(N_('Missing name'))
 
         # if the tree we get is actually a ElementTree for real, we get its
         # root element and go on happily.
         if not ET.iselement(tree):
             tree = tree.getroot()
 
+        if tree.tag != 'workflow':
+            raise WorkflowImportError(N_('Not a workflow'))
+
         if include_id and tree.attrib.get('id'):
             workflow.id = tree.attrib.get('id')