Don't skip portal_components code in testSecurity

See merge request nexedi/erp5!1693

Don't skip portal_components code in testSecurity
See merge request nexedi/erp5!1693
6ab2ddf7 · Jérome Perrin · aebfb199 · 8be39d34 · 6ab2ddf7 · 6ab2ddf7
Commit 6ab2ddf7 authored Nov 17, 2022 by Jérome Perrin
4 changed files
--- a/bt5/erp5_interface_post/DocumentTemplateItem/portal_components/document.erp5.InternetMessagePost.py
+++ b/bt5/erp5_interface_post/DocumentTemplateItem/portal_components/document.erp5.InternetMessagePost.py
@@ -45,7 +45,7 @@ class InternetMessagePost(Item, MailMessageMixin):
  def _getMessage(self):
    return email.message_from_string(self.getData())

-
+  security.declareProtected(Permissions.AccessContentsInformation, 'stripMessageId')
  def stripMessageId(self, message_id):
    """
    In rfc5322 headers, message-ids may follow the syntax "<msg-id>" in
@@ -59,11 +59,10 @@ class InternetMessagePost(Item, MailMessageMixin):
        message_id = message_id[:-1]
    return message_id

-
+  security.declareProtected(Permissions.AccessContentsInformation, 'getReference')
  def getReference(self):
    return self.stripMessageId(self.getSourceReference())

-
  def _setReference(self, value):
    """
    Raise if given value is different from current value,

--- a/bt5/erp5_open_trade/DocumentTemplateItem/portal_components/document.erp5.OpenOrderLine.py
+++ b/bt5/erp5_open_trade/DocumentTemplateItem/portal_components/document.erp5.OpenOrderLine.py
@@ -62,6 +62,7 @@ class OpenOrderLine(SupplyLine):
                    , PropertySheet.Comment
                    )

+  security.declareProtected(Permissions.AccessContentsInformation, 'getTotalQuantity')
  def getTotalQuantity(self, default=0):
    """Returns the total quantity for this open order line.
    If the order line contains cells, the total quantity of cells are
@@ -72,6 +73,7 @@ class OpenOrderLine(SupplyLine):
                    self.getCellValueList(base_id='path')])
    return self.getQuantity(default)

+  security.declareProtected(Permissions.AccessContentsInformation, 'getTotalPrice')
  def getTotalPrice(self):
    """Returns the total price for this open order line.
    If the order line contains cells, the total price of cells are

--- a/bt5/erp5_web_service/DocumentTemplateItem/portal_components/document.erp5.FTPConnector.py
+++ b/bt5/erp5_web_service/DocumentTemplateItem/portal_components/document.erp5.FTPConnector.py
@@ -66,6 +66,7 @@ class FTPConnector(XMLObject):
      # XXX Must manage in the future ftp and ftps protocol
      raise NotImplementedError("Protocol %s is not yet implemented" %(self.getUrlProtocol(),))

+  security.declareProtected(Permissions.AccessContentsInformation, 'renameFile')
  def renameFile(self, old_path, new_path):
    """ Move a file """
    conn = self.getConnection()
@@ -74,6 +75,7 @@ class FTPConnector(XMLObject):
    finally:
      conn.logout()

+  security.declareProtected(Permissions.AccessContentsInformation, 'removeFile')
  def removeFile(self, filepath):
    """Delete the file"""
    conn = self.getConnection()
@@ -82,6 +84,7 @@ class FTPConnector(XMLObject):
    finally:
      conn.logout()

+  security.declareProtected(Permissions.AccessContentsInformation, 'listFiles')
  def listFiles(self, path=".", sort_on=None):
    """ List file of a directory """
    conn = self.getConnection()
@@ -90,6 +93,7 @@ class FTPConnector(XMLObject):
    finally:
      conn.logout()

+  security.declareProtected(Permissions.AccessContentsInformation, 'getFile')
  def getFile(self, filepath, binary=True):
    """ Try to get a file on the remote server """
    conn = self.getConnection()
@@ -101,6 +105,7 @@ class FTPConnector(XMLObject):
    finally:
      conn.logout()

+  security.declareProtected(Permissions.AccessContentsInformation, 'putFile')
  def putFile(self, filename, data, remotepath='.', confirm=True):
    """ Send file to the remote server """
    conn = self.getConnection()
@@ -125,6 +130,7 @@ class FTPConnector(XMLObject):
    finally:
      conn.logout()

+  security.declareProtected(Permissions.AccessContentsInformation, 'createDirectory')
  def createDirectory(self, path, mode=0o777):
    """Create a directory `path`, with file mode `mode`.

@@ -136,6 +142,7 @@ class FTPConnector(XMLObject):
    finally:
      conn.logout()

+  security.declareProtected(Permissions.AccessContentsInformation, 'removeDirectory')
  def removeDirectory(self, path):
    """Create a directory `path`, with file mode `mode`.


--- a/product/ERP5/tests/testSecurity.py
+++ b/product/ERP5/tests/testSecurity.py
@@ -72,21 +72,19 @@ class TestSecurityMixin(ERP5TypeTestCase):
    i.e. those who have a docstring but have no security declaration.
    """
    self._prepareDocumentList()
-    white_method_id_list = ['om_icons',]
+    allowed_method_id_list = ['om_icons',]
    app = self.portal.aq_parent
-    meta_type_dict = {}
-    error_dict = {}
-    for idx, obj in app.ZopeFind(app, search_sub=1):
+    meta_type_set = set([None])
+    error_set = set()
+    for _, obj in app.ZopeFind(app, search_sub=1):
      meta_type = getattr(obj, 'meta_type', None)
-      if meta_type is None:
+      if meta_type in meta_type_set:
        continue
-      if meta_type in meta_type_dict:
-        continue
-      meta_type_dict[meta_type] = True
+      meta_type_set.add(meta_type)
      if '__roles__' in obj.__class__.__dict__:
        continue
      for method_id in dir(obj):
-        if method_id.startswith('_') or method_id in white_method_id_list or not callable(getattr(obj, method_id, None)):
+        if method_id.startswith('_') or method_id in allowed_method_id_list or not callable(getattr(obj, method_id, None)):
          continue
        method = getattr(obj, method_id)
        if isinstance(method, MethodType) and \
@@ -96,16 +94,19 @@ class TestSecurityMixin(ERP5TypeTestCase):
          method.__module__:
          if method.__module__ == 'Products.ERP5Type.Accessor.WorkflowState' and method.func_code.co_name == 'serialize':
            continue
-          func_code = method.func_code
-          error_dict[(func_code.co_filename, func_code.co_firstlineno, method_id)] = True
-    error_list = error_dict.keys()
-    if os.environ.get('erp5_debug_mode', None):
-      pass
-    else:
-      error_list = filter(lambda x:'/erp5/' in x[0], error_list)
+          func_code = method.__code__
+          error_set.add((func_code.co_filename, func_code.co_firstlineno, method_id))
+
+    error_list = []
+    for filename, lineno, method_id in sorted(error_set):
+      # ignore security problems with non ERP5 documents, unless running in debug mode.
+      if os.environ.get('erp5_debug_mode') or '/erp5/' in filename or '<portal_components' in filename:
+        error_list.append('%s:%s %s' % (filename, lineno, method_id))
+      else:
+        print('Ignoring missing security definition for %s in %s:%s ' % (method_id, filename, lineno))
    if error_list:
      message = '\nThe following %s methods have a docstring but have no security assertions.\n\t%s' \
-                    % (len(error_list), '\n\t'.join(['%s:%s %s' % x for x in sorted(error_list)]))
+                    % (len(error_list), '\n\t'.join(error_list))
      self.fail(message)

  def test_workflow_transition_protection(self):