Commit c4e5b100 authored by Jérome Perrin's avatar Jérome Perrin

*: restrict send API usage

parent c503f318
if REQUEST is not None:
from zExceptions import Unauthorized
raise Unauthorized
from email.utils import formataddr
portal = context.getPortalObject()
event = portal.restrictedTraverse(event_relative_url)
......
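Review bot: The new guard at the top of this script has no comment saying why a non-None `REQUEST` means the call must be refused, and the same three lines are repeated in the four other scripts changed here (the notification-tool mail script, the `body is None` script, the `MailHost.send(context.getData())` script and the SMS script). The check works because the publisher fills a parameter named `REQUEST` when the script is reached by URL, while internal callers leave it at its default. That is not obvious to the next maintainer, and it also means any internal caller that forwards `REQUEST` will now get `Unauthorized`. I would add a line such as `# REQUEST is only set when published by URL; this script is for internal callers only.` above the `if`. The script body continues past the visible lines, so callers that pass `REQUEST` could not be checked from here.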
......@@ -50,7 +50,7 @@
</item>
<item>
<key> <string>_params</string> </key>
<value> <string>event_relative_url, **kw</string> </value>
<value> <string>event_relative_url, REQUEST=None, **kw</string> </value>
</item>
<item>
<key> <string>_proxy_roles</string> </key>
......
......@@ -2,6 +2,9 @@
This script is also used by notification tool, that's why it is in erp5_base.
"""
if REQUEST is not None:
from zExceptions import Unauthorized
raise Unauthorized
from email.utils import formataddr
portal = context.getPortalObject()
......
......@@ -50,7 +50,7 @@
</item>
<item>
<key> <string>_params</string> </key>
<value> <string>from_url=None, to_url=None, reply_url=None, subject=None, body=None, attachment_format=None, attachment_list=None, download=None, extra_header_dict=None, **kw</string> </value>
<value> <string>from_url=None, to_url=None, reply_url=None, subject=None, body=None, attachment_format=None, attachment_list=None, download=None, extra_header_dict=None, REQUEST=None, **kw</string> </value>
</item>
<item>
<key> <string>_proxy_roles</string> </key>
......
......@@ -2069,6 +2069,28 @@ class TestCRMMailSend(BaseTestCRM):
message = message_from_string(last_message)
self.assertEqual("test", message.get("X-test-header"))
def test_MailMessage_send_security(self):
mail_message = self.portal.event_module.newContent(
portal_type="Mail Message",
source='person_module/me',
destination='person_module/recipient')
self.assertGreater(
self.publish(
mail_message.getPath() + '/send',
user='ERP5TypeTestCase').getStatus(),
300)
self.assertGreater(
self.publish(
mail_message.getPath() + '/MailMessage_send',
user='ERP5TypeTestCase').getStatus(),
300)
self.assertGreater(
self.publish(
self.portal.MailHost.getPath() + '/send',
user='ERP5TypeTestCase').getStatus(),
300)
self.assertFalse(self.portal.MailHost.getMessageList())
def test_suite():
suite = unittest.TestSuite()
......
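Review bot: `assertGreater(status, 300)` in `test_MailMessage_send_security` also passes on a 400 or 500 response, so the three checks do not show that the request was refused by the new guards rather than failing for another reason. This matters most for the `MailHost` `/send` request: `MailBase.send` takes a required message argument that the test does not supply, so the request would likely be rejected even without the `non_publishable` wrapper. I would supply that argument in the request and compare against the statuses the guards are meant to produce, for example `self.assertIn(response.getStatus(), (401, 403, 404))`, adjusted to what the site actually returns. The test also leaves the SMS script, `portal_sms.send` and `sendMailHostMessage` from this commit uncovered.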
if REQUEST is not None:
from zExceptions import Unauthorized
raise Unauthorized
if body is None:
body = context.getTextContent() #XXX This does not support structured text format.
......
......@@ -50,7 +50,7 @@
</item>
<item>
<key> <string>_params</string> </key>
<value> <string>from_url=None, to_url=None, reply_url=None, subject=None, body=None, attachment_format=None, attachment_list=None, download=None, **kw</string> </value>
<value> <string>from_url=None, to_url=None, reply_url=None, subject=None, body=None, attachment_format=None, attachment_list=None, download=None, REQUEST=None, **kw</string> </value>
</item>
<item>
<key> <string>id</string> </key>
......
......@@ -5,5 +5,8 @@
# spawned with parameters :
# conflict_retry=False,
# max_retry=0,
if REQUEST is not None:
from zExceptions import Unauthorized
raise Unauthorized
context.getPortalObject().MailHost.send(context.getData())
......@@ -50,7 +50,7 @@
</item>
<item>
<key> <string>_params</string> </key>
<value> <string></string> </value>
<value> <string>REQUEST=None</string> </value>
</item>
<item>
<key> <string>id</string> </key>
......
......@@ -2,6 +2,9 @@
Send the current sms by using a SMS gateway.
Use default mobile phone of source and destination
"""
if REQUEST is not None:
from zExceptions import Unauthorized
raise Unauthorized
#Get recipients
recipient_phone_list = [
......
......@@ -50,7 +50,7 @@
</item>
<item>
<key> <string>_params</string> </key>
<value> <string>from_url=None, from_title=None, to_url=None, reply_url=None, subject=None, body=None, attachment_format=None, attachment_list=None, download=False, **kw</string> </value>
<value> <string>from_url=None, from_title=None, to_url=None, reply_url=None, subject=None, body=None, attachment_format=None, attachment_list=None, download=False, REQUEST=None, **kw</string> </value>
</item>
<item>
<key> <string>_proxy_roles</string> </key>
......
......@@ -30,14 +30,13 @@
from AccessControl import ClassSecurityInfo
from Products.ERP5Type.Tool.BaseTool import BaseTool
from Products.ERP5Type.Permissions import ManagePortal
from Products.ERP5Type.Utils import non_publishable
#from Products.ERP5ShortMessage import _dtmldir
class SMSTool(BaseTool):
"""
This tool manages gadgets.
It is used as a central point to manage gadgets (ERP5 or external ones)...
This tool takes care of sending SMS.
"""
id = 'portal_sms'
meta_type = 'ERP5 SMS Tool'
......@@ -50,6 +49,7 @@ class SMSTool(BaseTool):
#manage_overview = DTMLFile('explainSMSTool', _dtmldir )
security.declareProtected(ManagePortal, 'send')
@non_publishable
def send(self, text, recipient, sender, gateway_reference='default',
document_relative_url=None, activate_kw=None):
"""Send the message
......
......@@ -32,6 +32,7 @@ from DateTime import DateTime
from AccessControl import ClassSecurityInfo
from Products.ERP5Type.Accessor.Constant import PropertyGetter as ConstantGetter
from Products.ERP5Type import Permissions, PropertySheet
from Products.ERP5Type.Utils import non_publishable
from erp5.component.document.TextDocument import TextDocument
from erp5.component.document.File import File
from erp5.component.mixin.MailMessageMixin import MailMessageMixin, testCharsetAndConvert
......@@ -359,6 +360,7 @@ class EmailDocument(TextDocument, MailMessageMixin):
return content_information.get('Return-Path', content_information.get('From'))
security.declareProtected(Permissions.UseMailhostServices, 'sendMailHostMessage')
@non_publishable
def sendMailHostMessage(self, message):
"""
Send one by one
......
......@@ -32,9 +32,11 @@ from AccessControl import ClassSecurityInfo
from Products.ERP5Type import Permissions, PropertySheet
from Products.ERP5Type.Accessor.Constant import PropertyGetter as ConstantGetter
from Products.ERP5Type.Globals import InitializeClass
from Products.ERP5Type.Utils import non_publishable
from erp5.component.document.Movement import Movement
from erp5.component.document.EmailDocument import EmailDocument
class AcknowledgeableMixin:
"""
Mixin class for all documents that we can acknowledge
......@@ -154,6 +156,7 @@ class Event(Movement, EmailDocument, AcknowledgeableMixin):
return self
security.declareProtected(Permissions.UseMailhostServices, 'send')
@non_publishable
def send(self, from_url=None, to_url=None, reply_url=None, subject=None,
body=None, attachment_format=None, attachment_list=None,
download=False, **kw):
......
......@@ -20,6 +20,7 @@ In ERP5, we have Activity Tool to postpone mail delivery.
from inspect import getargspec, isfunction
from Products.MailHost.MailHost import MailBase
from Products.ERP5Type.Utils import non_publishable
import six
for f in six.itervalues(MailBase.__dict__):
......@@ -44,3 +45,5 @@ def _makeMailer(self):
return smtp_mailer
MailBase._makeMailer = _makeMailer
MailBase.send = non_publishable(MailBase.send)
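Review bot: Only `MailBase.send` is wrapped on the last line of this patch; `MailBase` in Products.MailHost also defines `simple_send` and `sendTemplate`, which deliver mail without going through `send`. Unless those are restricted elsewhere, they are not covered by this change, so it is worth confirming whether they need the same treatment, e.g. `MailBase.simple_send = non_publishable(MailBase.simple_send)`. A one-line comment above the assignment saying why `send` must not be published would also help, since `non_publishable` is imported from `Products.ERP5Type.Utils` and its behaviour is not visible here. The loop over `MailBase.__dict__` earlier in the file is cut by the hunk, so its interaction with the wrapped function could not be checked.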