Fixed CodeRabbit issues

Author: chris-adam

src/imio/esign/browser/settings.py

@@ -4,8 +4,8 @@
 from plone import api
 from plone.app.registry.browser.controlpanel import ControlPanelFormWrapper
 from plone.app.registry.browser.controlpanel import RegistryEditForm
-from plone.registry.interfaces import IRecordModifiedEvent
 from plone.z3cform import layout
+from string import Formatter
 from zope import schema
 from zope.interface import Interface
 from zope.interface import Invalid
@@ -38,6 +38,15 @@ def validate_vat_number(va_nb):
 
     return True
 
+def validate_signing_users_email_content(value):
+    """Allow only known placeholders in the email template."""
+    allowed = {"fullname", "firstname", "lastname", "email", "userid"}
+    for _ignored1, field, _ignored2, _ignored3 in Formatter().parse(value or ""):
+        if field and field not in allowed:
+            raise Invalid(
+                _("Unknown placeholder: ${field}", mapping={"field": field})
+            )
+    return True
 
 class IImioEsignSettings(Interface):
 
@@ -85,6 +94,7 @@ class IImioEsignSettings(Interface):
             "Use {fullname}, {firstname}, {lastname}, {email}, {userid} as placeholders."
         ),
         required=False,
+        constraint=validate_signing_users_email_content,
         default=u"""Hello {fullname},
 
 You have been invited to Parapheo, the signing platform of iMio.

src/imio/esign/browser/templates/signing_users.pt

@@ -177,7 +177,7 @@
                             Deselect All
                         </button>
                         <span class="stats">
-                            <strong i18n:translate="">Selected:</strong> 
+                            <strong i18n:translate="">Selected:</strong>
                 <span id="selected-count">0</span>
                             / <span tal:content="python:len(all_users)">0</span>
                         </span>
@@ -195,7 +195,12 @@
                     </div>
                 </div>
 
-                <form id="users-form" method="post">
+                <form id="users-form" method="post" tal:attributes="action string:${context/absolute_url}/@@signing-users-csv">
+                    <!-- Hidden inputs for form submission -->
+                    <input type="hidden" name="_authenticator" tal:attributes="value context/@@authenticator/token" />
+                    <input type="hidden" name="action" id="form-action" value="" />
+                    <input type="hidden" name="selected_users" id="selected-users" value="" />
+
                     <table class="listing" id="users-table" style="width: 100%;">
                         <thead>
                             <tr>
@@ -217,7 +222,7 @@
                                         style python:'background-color: #ffe6e6' if user.get('has_duplicate_email') else ''">
                                     <td>
                                         <input type="checkbox"
-                                            name="selected_users"
+                                            name="user_checkbox"
                                             class="user-checkbox"
                                             tal:attributes="value user/userid;
                                                    checked python:'checked' if user['checked'] else None" />
@@ -286,7 +291,7 @@
         function updateSelectedCount() {
             var count = document.querySelectorAll('.user-checkbox:checked').length;
             selectedCount.textContent = count;
-            
+
             // Update select all checkbox state
             var allChecked = Array.from(checkboxes).every(function(cb) { return cb.checked; });
             var someChecked = Array.from(checkboxes).some(function(cb) { return cb.checked; });
@@ -311,11 +316,11 @@
                 return;
             }
 
-            var url = window.location.href.split('?')[0];
-            var params = 'action=' + action + '&selected_users=' + encodeURIComponent(JSON.stringify(selected));
-            
             if (action === 'download_csv') {
-                window.location.href = url + '?' + params;
+                // For CSV download, set the action and selected users, then submit
+                document.getElementById('form-action').value = action;
+                document.getElementById('selected-users').value = JSON.stringify(selected);
+                form.submit();
             } else if (action === 'send_emails') {
                 // Show confirmation modal
                 document.getElementById('email-count').textContent = selected.length;
@@ -376,9 +381,11 @@
 
         confirmEmailBtn.addEventListener('click', function() {
             var selected = getSelectedUserIds();
-            var url = window.location.href.split('?')[0];
-            var params = 'action=send_emails&selected_users=' + encodeURIComponent(JSON.stringify(selected));
-            window.location.href = url + '?' + params;
+            // Set the action and selected users in hidden inputs
+            document.getElementById('form-action').value = 'send_emails';
+            document.getElementById('selected-users').value = JSON.stringify(selected);
+            // Submit the form via POST
+            form.submit();
         });
 
         // Close modal on outside click

src/imio/esign/browser/views.py

@@ -476,15 +476,21 @@ def get_users_data(self):
         return all_users_data, duplicates
 
     def _get_selected_userids(self):
-        """Get list of selected user IDs from request."""
+        """Get list of selected user IDs from request.
+
+        Expects a JSON-formatted list in 'selected_users' parameter.
+        Returns an empty list if the input is not valid JSON.
+        """
         selected = self.request.get("selected_users", "")
+
         if not selected:
             return []
 
-        # Handle both JSON array and form data
-        if selected.startswith("["):
+        # Parse JSON array
+        try:
             return json.loads(selected)
-        return [uid.strip() for uid in selected.split(",") if uid.strip()]
+        except (json.JSONDecodeError, ValueError, TypeError):
+            return []
 
     def _download_csv(self):
         """Generate and download CSV file with selected users."""
@@ -540,7 +546,7 @@ def _send_emails(self):
             )
             return self.request.RESPONSE.redirect(self.context.absolute_url() + "/@@signing-users-csv")
 
-        all_users_data, duplicates = self.get_users_data()
+        all_users_data, _duplicates = self.get_users_data()
         selected_users = [u for u in all_users_data if u["userid"] in selected_userids]
 
         portal_email = api.portal.get().getProperty("email_from_address")