From 0065371958b690fc6f42cc4306285199f44398a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?= <fpeters@entrouvert.com>
Date: Mon, 19 Sep 2016 09:02:14 +0200
Subject: [PATCH 2/2] workflows: validate ezt syntax of displayed messages
 (#13185)

---
 tests/test_admin_pages.py | 24 ++++++++++++++++++++++++
 wcs/workflows.py          |  3 ++-
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/tests/test_admin_pages.py b/tests/test_admin_pages.py
index c73237b..7b8f473 100644
--- a/tests/test_admin_pages.py
+++ b/tests/test_admin_pages.py
@@ -1793,6 +1793,30 @@ def test_workflows_action_subpath(pub):
     resp = app.get('/backoffice/workflows/%s/status/%s/items/1/crash' % (
         workflow.id, baz_status.id), status=404)
 
+def test_workflows_display_action_ezt_validation(pub):
+    create_superuser(pub)
+    role = create_role()
+    Workflow.wipe()
+    workflow = Workflow(name='foo')
+    baz_status = workflow.add_status(name='baz')
+    display_message = DisplayMessageWorkflowStatusItem()
+    display_message.parent = baz_status
+    baz_status.items.append(display_message)
+    workflow.store()
+
+    app = login(get_app(pub))
+    resp = app.get('/backoffice/workflows/%s/status/%s/items/1/' % (
+        workflow.id, baz_status.id))
+    resp.form['message'] = 'Hello world'
+    resp = resp.form.submit('submit')
+    assert Workflow.get(workflow.id).possible_status[0].items[0].message == 'Hello world'
+
+    resp = app.get('/backoffice/workflows/%s/status/%s/items/1/' % (
+        workflow.id, baz_status.id))
+    resp.form['message'] = '[is test][end]' # invalid ezt
+    resp = resp.form.submit('submit')
+    assert 'error in template' in resp.body
+
 def test_workflows_delete_action(pub):
     create_superuser(pub)
     role = create_role()
diff --git a/wcs/workflows.py b/wcs/workflows.py
index 0186d65..f26d02d 100644
--- a/wcs/workflows.py
+++ b/wcs/workflows.py
@@ -2240,7 +2240,8 @@ class DisplayMessageWorkflowStatusItem(WorkflowStatusItem):
     def add_parameters_widgets(self, form, parameters, prefix='', formdef=None):
         if 'message' in parameters:
             form.add(TextWidget, '%smessage' % prefix, title = _('Message'),
-                value = self.message, cols = 80, rows = 10)
+                value=self.message, cols=80, rows=10,
+                validation_function=ComputedExpressionWidget.validate_ezt)
         if 'to' in parameters:
             form.add(WidgetList, '%sto' % prefix, title=_('To'),
                      element_type=SingleSelectWidget,
-- 
2.9.3