Commit 6ab2ddf7 authored by Jérome Perrin

Don't skip portal_components code in testSecurity

See merge request nexedi/erp5!1693
parents aebfb199 8be39d34
...@@ -45,7 +45,7 @@ class InternetMessagePost(Item, MailMessageMixin): ...@@ -45,7 +45,7 @@ class InternetMessagePost(Item, MailMessageMixin):
def _getMessage(self): def _getMessage(self):
return email.message_from_string(self.getData()) return email.message_from_string(self.getData())
security.declareProtected(Permissions.AccessContentsInformation, 'stripMessageId')
def stripMessageId(self, message_id): def stripMessageId(self, message_id):
""" """
In rfc5322 headers, message-ids may follow the syntax "<msg-id>" in In rfc5322 headers, message-ids may follow the syntax "<msg-id>" in
...@@ -59,11 +59,10 @@ class InternetMessagePost(Item, MailMessageMixin): ...@@ -59,11 +59,10 @@ class InternetMessagePost(Item, MailMessageMixin):
message_id = message_id[:-1] message_id = message_id[:-1]
return message_id return message_id
security.declareProtected(Permissions.AccessContentsInformation, 'getReference')
def getReference(self): def getReference(self):
return self.stripMessageId(self.getSourceReference()) return self.stripMessageId(self.getSourceReference())
def _setReference(self, value): def _setReference(self, value):
""" """
Raise if given value is different from current value, Raise if given value is different from current value,
......
...@@ -62,6 +62,7 @@ class OpenOrderLine(SupplyLine): ...@@ -62,6 +62,7 @@ class OpenOrderLine(SupplyLine):
, PropertySheet.Comment , PropertySheet.Comment
) )
security.declareProtected(Permissions.AccessContentsInformation, 'getTotalQuantity')
def getTotalQuantity(self, default=0): def getTotalQuantity(self, default=0):
"""Returns the total quantity for this open order line. """Returns the total quantity for this open order line.
If the order line contains cells, the total quantity of cells are If the order line contains cells, the total quantity of cells are
...@@ -72,6 +73,7 @@ class OpenOrderLine(SupplyLine): ...@@ -72,6 +73,7 @@ class OpenOrderLine(SupplyLine):
self.getCellValueList(base_id='path')]) self.getCellValueList(base_id='path')])
return self.getQuantity(default) return self.getQuantity(default)
security.declareProtected(Permissions.AccessContentsInformation, 'getTotalPrice')
def getTotalPrice(self): def getTotalPrice(self):
"""Returns the total price for this open order line. """Returns the total price for this open order line.
If the order line contains cells, the total price of cells are If the order line contains cells, the total price of cells are
......
...@@ -66,6 +66,7 @@ class FTPConnector(XMLObject): ...@@ -66,6 +66,7 @@ class FTPConnector(XMLObject):
# XXX Must manage in the future ftp and ftps protocol # XXX Must manage in the future ftp and ftps protocol
raise NotImplementedError("Protocol %s is not yet implemented" %(self.getUrlProtocol(),)) raise NotImplementedError("Protocol %s is not yet implemented" %(self.getUrlProtocol(),))
security.declareProtected(Permissions.AccessContentsInformation, 'renameFile')
def renameFile(self, old_path, new_path): def renameFile(self, old_path, new_path):
""" Move a file """ """ Move a file """
conn = self.getConnection() conn = self.getConnection()
...@@ -74,6 +75,7 @@ class FTPConnector(XMLObject): ...@@ -74,6 +75,7 @@ class FTPConnector(XMLObject):
finally: finally:
conn.logout() conn.logout()
security.declareProtected(Permissions.AccessContentsInformation, 'removeFile')
def removeFile(self, filepath): def removeFile(self, filepath):
"""Delete the file""" """Delete the file"""
conn = self.getConnection() conn = self.getConnection()
...@@ -82,6 +84,7 @@ class FTPConnector(XMLObject): ...@@ -82,6 +84,7 @@ class FTPConnector(XMLObject):
finally: finally:
conn.logout() conn.logout()
security.declareProtected(Permissions.AccessContentsInformation, 'listFiles')
def listFiles(self, path=".", sort_on=None): def listFiles(self, path=".", sort_on=None):
""" List file of a directory """ """ List file of a directory """
conn = self.getConnection() conn = self.getConnection()
...@@ -90,6 +93,7 @@ class FTPConnector(XMLObject): ...@@ -90,6 +93,7 @@ class FTPConnector(XMLObject):
finally: finally:
conn.logout() conn.logout()
security.declareProtected(Permissions.AccessContentsInformation, 'getFile')
def getFile(self, filepath, binary=True): def getFile(self, filepath, binary=True):
""" Try to get a file on the remote server """ """ Try to get a file on the remote server """
conn = self.getConnection() conn = self.getConnection()
...@@ -101,6 +105,7 @@ class FTPConnector(XMLObject): ...@@ -101,6 +105,7 @@ class FTPConnector(XMLObject):
finally: finally:
conn.logout() conn.logout()
security.declareProtected(Permissions.AccessContentsInformation, 'putFile')
def putFile(self, filename, data, remotepath='.', confirm=True): def putFile(self, filename, data, remotepath='.', confirm=True):
""" Send file to the remote server """ """ Send file to the remote server """
conn = self.getConnection() conn = self.getConnection()
...@@ -125,6 +130,7 @@ class FTPConnector(XMLObject): ...@@ -125,6 +130,7 @@ class FTPConnector(XMLObject):
finally: finally:
conn.logout() conn.logout()
security.declareProtected(Permissions.AccessContentsInformation, 'createDirectory')
def createDirectory(self, path, mode=0o777): def createDirectory(self, path, mode=0o777):
"""Create a directory `path`, with file mode `mode`. """Create a directory `path`, with file mode `mode`.
...@@ -136,6 +142,7 @@ class FTPConnector(XMLObject): ...@@ -136,6 +142,7 @@ class FTPConnector(XMLObject):
finally: finally:
conn.logout() conn.logout()
security.declareProtected(Permissions.AccessContentsInformation, 'removeDirectory')
def removeDirectory(self, path): def removeDirectory(self, path):
"""Create a directory `path`, with file mode `mode`. """Create a directory `path`, with file mode `mode`.
......
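Review bot: The five mutating operations in this section — renameFile, removeFile, putFile, createDirectory and removeDirectory — are declared with `Permissions.AccessContentsInformation`, the same read-level permission given to listFiles and getFile, so any user allowed to view the connector can now call them through the web publisher or restricted Python and rename, overwrite or delete files on the remote server. Only the two read operations belong under that permission; the write operations should be guarded by a modifying permission such as `Permissions.ModifyPortalContent` (or whichever write permission the rest of this class already uses, which is not visible in the hunk). The docstring of removeDirectory still reads "Create a directory `path`, with file mode `mode`." and should say it removes one. Every method body here continues outside the hunk.
```python
  security.declareProtected(Permissions.ModifyPortalContent, 'renameFile')
  # … unchanged: renameFile body …
  security.declareProtected(Permissions.ModifyPortalContent, 'removeFile')
  # … unchanged: removeFile body …
  # … unchanged: listFiles and getFile keep AccessContentsInformation …
  security.declareProtected(Permissions.ModifyPortalContent, 'putFile')
  # … unchanged: putFile body …
  security.declareProtected(Permissions.ModifyPortalContent, 'createDirectory')
  # … unchanged: createDirectory body …
  security.declareProtected(Permissions.ModifyPortalContent, 'removeDirectory')
  # … unchanged: removeDirectory body …
```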
...@@ -72,21 +72,19 @@ class TestSecurityMixin(ERP5TypeTestCase): ...@@ -72,21 +72,19 @@ class TestSecurityMixin(ERP5TypeTestCase):
i.e. those who have a docstring but have no security declaration. i.e. those who have a docstring but have no security declaration.
""" """
self._prepareDocumentList() self._prepareDocumentList()
white_method_id_list = ['om_icons',] allowed_method_id_list = ['om_icons',]
app = self.portal.aq_parent app = self.portal.aq_parent
meta_type_dict = {} meta_type_set = set([None])
error_dict = {} error_set = set()
for idx, obj in app.ZopeFind(app, search_sub=1): for _, obj in app.ZopeFind(app, search_sub=1):
meta_type = getattr(obj, 'meta_type', None) meta_type = getattr(obj, 'meta_type', None)
if meta_type is None: if meta_type in meta_type_set:
continue continue
if meta_type in meta_type_dict: meta_type_set.add(meta_type)
continue
meta_type_dict[meta_type] = True
if '__roles__' in obj.__class__.__dict__: if '__roles__' in obj.__class__.__dict__:
continue continue
for method_id in dir(obj): for method_id in dir(obj):
if method_id.startswith('_') or method_id in white_method_id_list or not callable(getattr(obj, method_id, None)): if method_id.startswith('_') or method_id in allowed_method_id_list or not callable(getattr(obj, method_id, None)):
continue continue
method = getattr(obj, method_id) method = getattr(obj, method_id)
if isinstance(method, MethodType) and \ if isinstance(method, MethodType) and \
...@@ -96,16 +94,19 @@ class TestSecurityMixin(ERP5TypeTestCase): ...@@ -96,16 +94,19 @@ class TestSecurityMixin(ERP5TypeTestCase):
method.__module__: method.__module__:
if method.__module__ == 'Products.ERP5Type.Accessor.WorkflowState' and method.func_code.co_name == 'serialize': if method.__module__ == 'Products.ERP5Type.Accessor.WorkflowState' and method.func_code.co_name == 'serialize':
continue continue
func_code = method.func_code func_code = method.__code__
error_dict[(func_code.co_filename, func_code.co_firstlineno, method_id)] = True error_set.add((func_code.co_filename, func_code.co_firstlineno, method_id))
error_list = error_dict.keys()
if os.environ.get('erp5_debug_mode', None): error_list = []
pass for filename, lineno, method_id in sorted(error_set):
else: # ignore security problems with non ERP5 documents, unless running in debug mode.
error_list = filter(lambda x:'/erp5/' in x[0], error_list) if os.environ.get('erp5_debug_mode') or '/erp5/' in filename or '<portal_components' in filename:
error_list.append('%s:%s %s' % (filename, lineno, method_id))
else:
print('Ignoring missing security definition for %s in %s:%s ' % (method_id, filename, lineno))
if error_list: if error_list:
message = '\nThe following %s methods have a docstring but have no security assertions.\n\t%s' \ message = '\nThe following %s methods have a docstring but have no security assertions.\n\t%s' \
% (len(error_list), '\n\t'.join(['%s:%s %s' % x for x in sorted(error_list)])) % (len(error_list), '\n\t'.join(error_list))
self.fail(message) self.fail(message)
def test_workflow_transition_protection(self): def test_workflow_transition_protection(self):
......
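Review bot: The `continue` check two lines above the changed `func_code = method.__code__` line still reads `method.func_code.co_name`, so the hunk migrates only one of the two attribute accesses; if the switch to `__code__` is meant to let this test run on Python 3, the first WorkflowState accessor encountered will raise AttributeError before the scan completes, so that line should become `if method.__module__ == 'Products.ERP5Type.Accessor.WorkflowState' and method.__code__.co_name == 'serialize':`. The new `'/erp5/' in filename` filter that decides which missing declarations fail the test is a substring match on an absolute path, so a checkout under a directory not named erp5 would silently downgrade every product error to the printed "Ignoring" message; matching a path component or the `Products.ERP5` module prefix would be more robust. The enclosing test method starts before the hunk.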