Hello
', 'Hello {{ object.name }}
', """{{ 'English Speaker' if object.lang == 'en_US' else 'Other Speaker' }}
""", """{{ 13 + 13 }}
Bonjour
', 'Bonjour {{ object.name }}
', """{{ 'Narrateur Anglais' if object.lang == 'en_US' else 'Autre Narrateur' }}
""" ] # some qweb templates, their views and their xml ids cls.base_qweb_bits = [ 'Hello
', 'Hello
English Speaker Other Speaker
""" ] cls.base_qweb_bits_fr = [ 'Bonjour
', 'Bonjour
Narrateur Anglais Autre Narrateur
""" ] cls.base_qweb_templates = cls.env['ir.ui.view'].create([ {'name': 'TestRender%d' % index, 'type': 'qweb', 'arch': qweb_content, } for index, qweb_content in enumerate(cls.base_qweb_bits) ]) cls.base_qweb_templates_data = cls.env['ir.model.data'].create([ {'name': template.name, 'module': 'mail', 'model': template._name, 'res_id': template.id, } for template in cls.base_qweb_templates ]) cls.base_qweb_templates_xmlids = [ model_data.complete_name for model_data in cls.base_qweb_templates_data ] # render result cls.base_rendered = [ 'Hello
', 'Hello %s
' % cls.render_object.name, """English Speaker
""" ] cls.base_rendered_fr = [ 'Bonjour
', 'Bonjour %s
' % cls.render_object_fr.name, """Autre Narrateur
""" ] cls.base_rendered_void = [ 'Hello
', 'Hello
', """English Speaker
""" ] # link to mail template cls.test_template = cls.env['mail.template'].create({ 'name': 'Test Template', 'subject': cls.base_inline_template_bits[0], 'body_html': cls.base_qweb_bits[1], 'model_id': cls.env['ir.model']._get('res.partner').id, 'lang': '{{ object.lang }}' }) # some translations cls.test_template.with_context(lang='fr_FR').subject = cls.base_qweb_bits_fr[0] cls.test_template.with_context(lang='fr_FR').body_html = cls.base_qweb_bits_fr[1] cls.env['ir.model.data'].create({ 'name': 'test_template_xmlid', 'module': 'mail', 'model': cls.test_template._name, 'res_id': cls.test_template.id, }) # Enable group-based template management cls.env['ir.config_parameter'].set_param('mail.restrict.template.rendering', True) # User without the group "mail.group_mail_template_editor" cls.user_rendering_restricted = common.mail_new_test_user( cls.env, login='user_rendering_restricted', groups='base.group_user', company_id=cls.company_admin.id, name='Code Template Restricted User', notification_type='inbox', signature='--\nErnest' ) cls.user_rendering_restricted.groups_id -= cls.env.ref('mail.group_mail_template_editor') cls.user_employee.groups_id += cls.env.ref('mail.group_mail_template_editor') @tagged('mail_render') class TestMailRender(TestMailRenderCommon): @users('employee') def test_evaluation_context(self): """ Test evaluation context and various ways of tweaking it. """ partner = self.env['res.partner'].browse(self.render_object.ids) MailRenderMixin = self.env['mail.render.mixin'] custom_ctx = {'custom_ctx': 'Custom Context Value'} add_context = { 'custom_value': 'Custom Render Value' } srces = [ 'I am {{ user.name }}', 'Datetime is {{ format_datetime(datetime.datetime(2021, 6, 1), dt_format="MM - d - YYY") }}', 'Context {{ ctx.get("custom_ctx") }}, value {{ custom_value }}', ] results = [ 'I am %s' % self.env.user.name, 'Datetime is 06 - 1 - 2021', 'Context Custom Context Value, value Custom Render Value' ] for src, expected in zip(srces, results): for engine in ['inline_template']: result = MailRenderMixin.with_context(**custom_ctx)._render_template( src, partner._name, partner.ids, engine=engine, add_context=add_context )[partner.id] self.assertEqual(expected, result) @users('employee') def test_prepend_preview_inline_template_to_qweb(self): body = 'body' preview = 'foo{{"false" if 1 > 2 else "true"}}bar' result = self.env['mail.render.mixin']._prepend_preview(Markup(body), preview) self.assertEqual(result, '''body''') @users('employee') def test_render_field(self): template = self.env['mail.template'].browse(self.test_template.ids) partner = self.env['res.partner'].browse(self.render_object.ids) for fname, expected in zip(['subject', 'body_html'], self.base_rendered): rendered = template._render_field( fname, partner.ids, compute_lang=True )[partner.id] self.assertEqual(rendered, expected) @users('employee') def test_render_field_lang(self): """ Test translation in french """ template = self.env['mail.template'].browse(self.test_template.ids) partner = self.env['res.partner'].browse(self.render_object_fr.ids) for fname, expected in zip(['subject', 'body_html'], self.base_rendered_fr): rendered = template._render_field( fname, partner.ids, compute_lang=True )[partner.id] self.assertEqual(rendered, expected) @users('employee') def test_render_field_no_records(self): """ Test rendering on void IDs, or a list with dummy / falsy ID """ template = self.test_template.with_env(self.env) partner = self.render_object.with_env(self.env) for res_ids in ([], (), [False], [''], [None], [False, partner.id]): # various corner cases for fname, expected_obj, expected_void in zip(['subject', 'body_html'], self.base_rendered, self.base_rendered_void): with self.subTest(): rendered_all = template._render_field( fname, res_ids, compute_lang=True ) if res_ids: self.assertTrue(res_ids[0] in rendered_all, f'Rendering: key {repr(res_ids[0])} is considered as valid and should have an entry') self.assertEqual(rendered_all[res_ids[0]], expected_void) if len(res_ids) == 2: # second is partner self.assertTrue(res_ids[1] in rendered_all) self.assertEqual(rendered_all[res_ids[1]], expected_obj) if not res_ids: self.assertFalse(rendered_all, 'Rendering: void input -> void output') @users('employee') def test_render_field_not_existing(self): """ Test trying to render a not-existing field: raise a proper ValueError instead of crashing / raising a KeyError """ template = self.env['mail.template'].browse(self.test_template.ids) partner = self.env['res.partner'].browse(self.render_object_fr.ids) with self.assertRaises(ValueError): _rendered = template._render_field( 'not_existing', partner.ids, compute_lang=True )[partner.id] @users('employee') def test_render_template_inline_template(self): partner = self.env['res.partner'].browse(self.render_object.ids) for source, expected in zip(self.base_inline_template_bits, self.base_rendered): rendered = self.env['mail.render.mixin']._render_template( source, partner._name, partner.ids, engine='inline_template', )[partner.id] self.assertEqual(rendered, expected) @users('employee') def test_render_template_qweb(self): partner = self.env['res.partner'].browse(self.render_object.ids) for source, expected in zip(self.base_qweb_bits, self.base_rendered): rendered = self.env['mail.render.mixin']._render_template( source, partner._name, partner.ids, engine='qweb', )[partner.id] self.assertEqual(rendered, expected) @users('employee') def test_render_template_qweb_view(self): partner = self.env['res.partner'].browse(self.render_object.ids) for source, expected in zip(self.base_qweb_templates_xmlids, self.base_rendered): rendered = self.env['mail.render.mixin']._render_template( source, partner._name, partner.ids, engine='qweb_view', )[partner.id] self.assertEqual(rendered, expected) @users('employee') def test_render_template_various(self): """ Test static rendering """ partner = self.env['res.partner'].browse(self.render_object.ids) MailRenderMixin = self.env['mail.render.mixin'] # static string src = 'This is a string' expected = 'This is a string' for engine in ['inline_template']: result = MailRenderMixin._render_template( src, partner._name, partner.ids, engine=engine, )[partner.id] self.assertEqual(expected, result) # code string src = 'This is a string with a number {{ 13+13 }}' expected = 'This is a string with a number 26' for engine in ['inline_template']: result = MailRenderMixin._render_template( src, partner._name, partner.ids, engine=engine, )[partner.id] self.assertEqual(expected, result) # block string src = "This is a string with a block {{ 'hidden' if False else 'displayed' }}" expected = 'This is a string with a block displayed' for engine in ['inline_template']: result = MailRenderMixin._render_template( src, partner._name, partner.ids, engine=engine, )[partner.id] self.assertEqual(expected, result) # static xml src = 'This is a string
' expected = 'This is a string
' for engine in ['inline_template', 'qweb']: result = MailRenderMixin._render_template( src, partner._name, partner.ids, engine=engine, )[partner.id] self.assertEqual(expected, result) # tde: checkme # code xml srces = [ 'This is a string with a number {{ 13+13 }}
', 'This is a string with a number
This is a string with a number 26
' for engine, src in zip(['inline_template', 'qweb'], srces): result = MailRenderMixin._render_template( src, partner._name, partner.ids, engine=engine, )[partner.id] self.assertEqual(expected, str(result)) src = """
We have 3 cookies in stock We have 4 cookies in stock
""" for engine in ['qweb']: result = MailRenderMixin._render_template( src, partner._name, partner.ids, engine=engine, )[partner.id] self.assertEqual(result, expected) @users('employee') def test_replace_local_links(self): local_links_template_bits = [ '', '{{ cust_function() }}
""" expected = """return value
""" context = {'cust_function': cust_function} result = self.env['mail.render.mixin'].with_user(self.user_admin)._render_template_inline_template( src, partner._name, partner.ids, add_context=context )[partner.id] self.assertEqual(expected, result) self.assertTrue(cust_function.call) with self.assertRaises(AccessError, msg='Simple user should not be able to render dynamic code'): MailRenderMixin._render_template_inline_template(src, model, res_ids, add_context=context) @users('user_rendering_restricted') def test_security_inline_template_restricted(self): """Test if we correctly detect condition block (which might contains code).""" res_ids = self.env['res.partner'].search([], limit=1).ids with self.assertRaises(AccessError, msg='Simple user should not be able to render dynamic code'): self.env['mail.render.mixin']._render_template_inline_template(self.base_inline_template_bits[4], 'res.partner', res_ids) @users('employee') def test_security_inline_template_unrestricted(self): """Test if we correctly detect condition block (which might contains code).""" res_ids = self.env['res.partner'].search([], limit=1).ids result = self.env['mail.render.mixin']._render_template_inline_template(self.base_inline_template_bits[4], 'res.partner', res_ids)[res_ids[0]] self.assertNotIn('Code not executed', result, 'The condition block did not work') @users('user_rendering_restricted') def test_security_qweb_template_restricted(self): """Test if we correctly detect condition block (which might contains code).""" res_ids = self.env['res.partner'].search([], limit=1).ids with self.assertRaises(AccessError, msg='Simple user should not be able to render qweb code'): self.env['mail.render.mixin']._render_template_qweb(self.base_qweb_bits[1], 'res.partner', res_ids) @users('user_rendering_restricted') def test_security_qweb_template_restricted_cached(self): """Test if we correctly detect condition block (which might contains code).""" res_ids = self.env['res.partner'].search([], limit=1).ids # Render with the admin first to fill the cache self.env['mail.render.mixin'].with_user(self.user_admin)._render_template_qweb( self.base_qweb_bits[1], 'res.partner', res_ids) # Check that it raise even when rendered previously by an admin with self.assertRaises(AccessError, msg='Simple user should not be able to render qweb code'): self.env['mail.render.mixin']._render_template_qweb( self.base_qweb_bits[1], 'res.partner', res_ids) @users('employee') def test_security_qweb_template_unrestricted(self): """Test if we correctly detect condition block (which might contains code).""" res_ids = self.env['res.partner'].search([], limit=1).ids result = self.env['mail.render.mixin']._render_template_qweb(self.base_qweb_bits[1], 'res.partner', res_ids)[res_ids[0]] self.assertNotIn('Code not executed', result, 'The condition block did not work')