Merge pull request #395 from david-batranu/master

fix #99 Call processForm with empty values.
plone · Mar 13, 2018 · 2be4760 · 2be4760
2 parents 189b362 + a543fba
commit 2be4760
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 2 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -14,7 +14,11 @@ New features:
 
 Bug fixes:
 
-- *add item here*
+- Call ``processForm`` with ``{None: None}`` dict as values.
+  This prevents ``processForm`` using ``REQUEST.form`` and overwriting 
+  values already set by ``invokeFactory``.
+  Fixes `issue 99 <https://github.com/plone/plone.api/issues/99>`_.
+  [david-batranu]
 
 
 1.8.3 (2018-02-23)

diff --git a/src/plone/api/content.py b/src/plone/api/content.py
@@ -110,7 +110,10 @@ def create(
     if IBaseObject.providedBy(content):
         # Will finish Archetypes content item creation process,
         # rename-after-creation and such
-        content.processForm(values=kwargs)
+        # Passing values as a dict with None values so values set by
+        # invokeFactory don't get overridden.
+        # None: None is required so that bool(values) is True.
+        content.processForm(values={None: None})
 
     if not id or (safe_id and id):
         # Create a new id from title

diff --git a/src/plone/api/tests/test_content.py b/src/plone/api/tests/test_content.py
@@ -345,6 +345,37 @@ def unregister_indexer():
         # check that the exception is the one we raised
         self.assertEqual(ude.exception.reason, unicode_exception_message)
 
+    def test_create_at_with_title_in_request(self):
+        """ Test that content gets created with the correct title, even if
+            request.form['title'] already exists and has a different value.
+            This can occur, for example, when adding a Plone with an enabled
+            product that creates a site structure. In that case, the 'title'
+            would be that of the portal.
+            Only AT content types are affected, due to content.processForm.
+        """
+        leaked_title = 'This should not be set on content items'
+        self.layer['request'].form['title'] = leaked_title
+
+        container = self.portal
+
+        # Create a folder
+        folder = api.content.create(
+            container=container,
+            type='Folder',
+            title='Test folder',
+        )
+
+        self.assertEqual(folder.title, 'Test folder')
+
+        # Create a document
+        page = api.content.create(
+            container=folder,
+            type='Document',
+            title='Test document',
+        )
+
+        self.assertEqual(page.title, 'Test document')
+
     def test_get_constraints(self):
         """Test the constraints when content is fetched with get."""