* Create new help page for comment template context variables

( see /help/context/; also linked from comment form) * Refactor API help page to share template with context help * Allow a limited number of Ticket & Queue model fields to be accessible in comments, as per 'Help' page. * New function in lib.py to build a dict of 'safe' fields from ticket & queue, to prevent the power of the Django model API from exposing things like passwords (imagine if a user typed a comment containing {{ ticket.queue.email_box_password }} !!!! * When accessing the ticket list with no filter params (eg by clicking on the "Tickets" button in the menu), the default search is for tickets that aren't closed, rather than showing all tickets. * Updated English locale with changed message strings.
2025-08-09 23:07:38 +02:00 · 2008-08-29 09:11:02 +00:00
parent 0068eccbf4
commit a162d77d70
10 changed files with 285 additions and 64 deletions
--- a/lib.py
+++ b/lib.py
@ -279,3 +279,49 @@ def apply_query(queryset, params):
        queryset = queryset.order_by(params['sorting'])

    return queryset
+
+
+def safe_template_context(ticket):
+    """
+    Return a dictionary that can be used as a template context to render
+    comments and other details with ticket or queue paramaters. Note that
+    we don't just provide the Ticket & Queue objects to the template as 
+    they could reveal confidential information. Just imagine these two options:
+        * {{ ticket.queue.email_box_password }}
+        * {{ ticket.assigned_to.password }}
+
+    Ouch!
+
+    The downside to this is that if we make changes to the model, we will also
+    have to update this code. Perhaps we can find a better way in the future.
+    """
+
+    context = {
+        'queue': {},
+        'ticket': {},
+        }
+    queue = ticket.queue
+
+    for field in (  'title', 'slug', 'email_address', 'from_address'):
+        attr = getattr(queue, field, None)
+        if callable(attr):
+            context['queue'][field] = attr()
+        else:
+            context['queue'][field] = attr
+
+    for field in (  'title', 'created', 'modified', 'submitter_email', 
+                    'status', 'get_status_display', 'on_hold', 'description',
+                    'resolution', 'priority', 'get_priority_display',
+                    'last_escalation', 'ticket', 'ticket_for_url',
+                    'get_status', 'ticket_url', 'staff_url', '_get_assigned_to'
+                 ):
+        attr = getattr(ticket, field, None)
+        if callable(attr):
+            context['ticket'][field] = '%s' % attr()
+        else:
+            context['ticket'][field] = attr
+   
+    context['ticket']['queue'] = context['queue']
+    context['ticket']['assigned_to'] = context['ticket']['_get_assigned_to']
+
+    return context