Merge remote-tracking branch 'upstream/bug13327-invalid-comment-urls'

CHANGES.txt

@@ -4,6 +4,10 @@ Changelog
 2.2.1 (unreleased)
 ------------------
 
+- Make conversation view not break when comment-id cannot be converted to long.
+  Fixes #13327
+  [khink]
+
 - fix insufficient privileges when trying to view
   the RSS feed of a comment collection
   [maartenkling]

plone/app/discussion/conversation.py

@@ -210,7 +210,11 @@ class Conversation(Traversable, Persistent, Explicit):
     def __getitem__(self, key):
         """Get an item by its long key
         """
-        return self._comments[long(key)].__of__(self)
+        try:
+            comment_id = long(key)
+        except ValueError:
+            return
+        return self._comments[comment_id].__of__(self)
 
     def __delitem__(self, key, suppress_container_modified=False):
         """Delete an item by its long key

plone/app/discussion/tests/functional_test_comment_url.txt

@@ -0,0 +1,70 @@
+===================================
+ Dealing with faulty comment links
+===================================
+
+Make sure that calling specially crafted URLs doesn't break the conversation
+view. 
+
+See also https://dev.plone.org/ticket/13327
+
+
+Setting up and logging in
+=========================
+
+First we have to set up some things and login.
+
+    >>> app = layer['app']
+    >>> from plone.testing.z2 import Browser
+    >>> browser = Browser(app)
+    >>> browser.addHeader('Authorization', 'Basic admin:secret')
+    >>> portal = layer['portal']
+    >>> portal_url = 'http://nohost/plone'
+
+As we're expecting to see 404s, the test should not break on HTTP errors.
+
+    >>> browser.raiseHttpErrors = False
+
+Enable commenting.
+
+    >>> from zope.component import queryUtility
+    >>> from plone.registry.interfaces import IRegistry
+    >>> from plone.app.discussion.interfaces import IDiscussionSettings
+    >>> registry = queryUtility(IRegistry)
+    >>> settings = registry.forInterface(IDiscussionSettings)
+    >>> settings.globally_enabled = True
+
+Create a public page with comments allowed.
+
+    >>> browser.open(portal_url)
+    >>> browser.getLink(id='document').click()
+    >>> browser.getControl(name='title').value = "Doc1"
+    >>> browser.getControl(name='allowDiscussion:boolean').value = True
+    >>> browser.getControl(name='form.button.save').click()
+    >>> urldoc1 = browser.url
+
+Check that the form has been properly submitted
+
+    >>> browser.url
+    'http://nohost/plone/doc1'
+
+
+Checking invalid comment links
+==============================
+
+URL has invalid comment id
+--------------------------
+
+Test a URL with a comment id that cannot be converted to long integer.
+
+    >>> url_invalid_comment_id = "%s/++conversation++default/ThisCantBeRight" % urldoc1
+    >>> browser.open(url_invalid_comment_id)
+
+We should not get an error,
+
+    >>> "500 Internal Server Error" in str(browser.headers)
+    False
+
+but we should get a 404:
+
+    >>> "404 Not Found" in str(browser.headers)
+    True

plone/app/discussion/tests/test_functional.py

@@ -20,7 +20,8 @@ optionflags = (
     doctest.REPORT_ONLY_FIRST_FAILURE)
 normal_testfiles = [
     'functional_test_comments.txt',
-    'functional_test_comment_review_workflow.txt'
+    'functional_test_comment_review_workflow.txt',
+    'functional_test_comment_url.txt',
 ]