Changeset 13934 for main/waeup.kofa/branches/uli-scores-upload/src/waeup

Timestamp:

14 Jun 2016, 00:42:14 (8 years ago)

Author:

uli

Message:

Create safety belt for CSV upload data.

This is the bare minimum we can do to protect from evil files, but
it might do for starters.

Location:

main/waeup.kofa/branches/uli-scores-upload/src/waeup/kofa/students

Files:

• browser.py (modified) (1 diff)
• tests/test_browser.py (modified) (2 diffs)

main/waeup.kofa/branches/uli-scores-upload/src/waeup/kofa/students/browser.py

@@ -3146 +3146 @@
         formvals = dict(zip(form['sids'], form['scores']))
         if form['uploadfile']:
-            formvals = self._extract_uploadfile(form['uploadfile'])
+            try:
+                formvals = self._extract_uploadfile(form['uploadfile'])
+            except:
+                self.flash(
+                    _('Uploaded file contains illegal data. Ignored'),
+                    type="danger")
         for ticket in editable_tickets:
             score = ticket.score

main/waeup.kofa/branches/uli-scores-upload/src/waeup/kofa/students/tests/test_browser.py

@@ +1 @@
+# -*- coding: utf-8 -*-
 ## $Id$
 ##
@@ -4072 +4073 @@
         upload_ctrl.add_file(upload_file, 'text/csv', 'myscores.csv')
         self.browser.getControl("Update scores").click()
+        # value changed
         self.assertEqual(
             self.student['studycourse']['100']['COURSE1'].score, 65)
+
+    def test_scores_csv_upload_ignored(self):
+        # for many type of file contents we simply ignore uploaded data
+        self.login_as_lecturer()
+        self.student['studycourse']['100']['COURSE1'].score = 55
+        self.browser.open(self.edit_scores_url)
+        for content, mimetype, name in (
+                # empty file
+                ('', 'text/foo', 'my.foo'),
+                # plain ASCII text, w/o comma
+                ('abcdef' * 200, 'text/plain', 'my.txt'),
+                # plain UTF-8 text, with umlauts
+                ('umlauts: äöü', 'text/plain', 'my.txt'),
+                # csv file with only a header row
+                ('student_id,score', 'text/csv', 'my.csv'),
+                # csv with student_id column missing
+                ('foo,score\r\nbar,66\r\n', 'text/csv', 'my.csv'),
+                # csv with score column missing
+                ('student_id,foo\r\nK1000000,bar\r\n', 'text/csv', 'my.csv'),
+                # csv with non number as score value
+                (UPLOAD_CSV_TEMPLATE % 'not-a-number', 'text/csv', 'my.csv'),
+                ):
+            upload_ctrl = self.browser.getControl(name='uploadfile:file')
+            upload_ctrl.add_file(StringIO(content), mimetype, name)
+            self.browser.getControl("Update scores").click()
+            self.assertEqual(
+                self.student['studycourse']['100']['COURSE1'].score, 55)
+            self.assertFalse(
+                'Uploaded file contains illegal data' in self.browser.contents)
+
+    def test_scores_csv_upload_warn_illegal_chars(self):
+        # for some types of files we issue a warning if upload data
+        # contains illegal chars (and ignore the data)
+        self.login_as_lecturer()
+        self.student['studycourse']['100']['COURSE1'].score = 55
+        self.browser.open(self.edit_scores_url)
+        for content, mimetype, name in (
+                # plain ASCII text, commas, control chars
+                ('abv,qwe\n\r\r\t\b\n' * 20, 'text/plain', 'my.txt'),
+                # image data (like a JPEG image)
+                (open(SAMPLE_IMAGE, 'rb').read(), 'image/jpg', 'my.jpg'),
+                ):
+            upload_ctrl = self.browser.getControl(name='uploadfile:file')
+            upload_ctrl.add_file(StringIO(content), mimetype, name)
+            self.browser.getControl("Update scores").click()
+            self.assertEqual(
+                self.student['studycourse']['100']['COURSE1'].score, 55)
+            self.assertTrue(
+                'Uploaded file contains illegal data' in self.browser.contents)