Don't skip portal_components code in testSecurity

See merge request nexedi/erp5!1693

bt5/erp5_interface_post/DocumentTemplateItem/portal_components/document.erp5.InternetMessagePost.py

@@ -45,7 +45,7 @@ class InternetMessagePost(Item, MailMessageMixin):
   def _getMessage(self):
     return email.message_from_string(self.getData())
 
-
+  security.declareProtected(Permissions.AccessContentsInformation, 'stripMessageId')
   def stripMessageId(self, message_id):
     """
     In rfc5322 headers, message-ids may follow the syntax "<msg-id>" in
@@ -59,11 +59,10 @@ class InternetMessagePost(Item, MailMessageMixin):
         message_id = message_id[:-1]
     return message_id
 
-
+  security.declareProtected(Permissions.AccessContentsInformation, 'getReference')
   def getReference(self):
     return self.stripMessageId(self.getSourceReference())
 
-
   def _setReference(self, value):
     """
     Raise if given value is different from current value,

bt5/erp5_open_trade/DocumentTemplateItem/portal_components/document.erp5.OpenOrderLine.py

@@ -62,6 +62,7 @@ class OpenOrderLine(SupplyLine):
                     , PropertySheet.Comment
                     )
 
+  security.declareProtected(Permissions.AccessContentsInformation, 'getTotalQuantity')
   def getTotalQuantity(self, default=0):
     """Returns the total quantity for this open order line.
     If the order line contains cells, the total quantity of cells are
@@ -72,6 +73,7 @@ class OpenOrderLine(SupplyLine):
                     self.getCellValueList(base_id='path')])
     return self.getQuantity(default)
 
+  security.declareProtected(Permissions.AccessContentsInformation, 'getTotalPrice')
   def getTotalPrice(self):
     """Returns the total price for this open order line.
     If the order line contains cells, the total price of cells are

bt5/erp5_web_service/DocumentTemplateItem/portal_components/document.erp5.FTPConnector.py

@@ -66,6 +66,7 @@ class FTPConnector(XMLObject):
       # XXX Must manage in the future ftp and ftps protocol
       raise NotImplementedError("Protocol %s is not yet implemented" %(self.getUrlProtocol(),))
 
+  security.declareProtected(Permissions.AccessContentsInformation, 'renameFile')
   def renameFile(self, old_path, new_path):
     """ Move a file """
     conn = self.getConnection()
@@ -74,6 +75,7 @@ class FTPConnector(XMLObject):
     finally:
       conn.logout()
 
+  security.declareProtected(Permissions.AccessContentsInformation, 'removeFile')
   def removeFile(self, filepath):
     """Delete the file"""
     conn = self.getConnection()
@@ -82,6 +84,7 @@ class FTPConnector(XMLObject):
     finally:
       conn.logout()
 
+  security.declareProtected(Permissions.AccessContentsInformation, 'listFiles')
   def listFiles(self, path=".", sort_on=None):
     """ List file of a directory """
     conn = self.getConnection()
@@ -90,6 +93,7 @@ class FTPConnector(XMLObject):
     finally:
       conn.logout()
 
+  security.declareProtected(Permissions.AccessContentsInformation, 'getFile')
   def getFile(self, filepath, binary=True):
     """ Try to get a file on the remote server """
     conn = self.getConnection()
@@ -101,6 +105,7 @@ class FTPConnector(XMLObject):
     finally:
       conn.logout()
 
+  security.declareProtected(Permissions.AccessContentsInformation, 'putFile')
   def putFile(self, filename, data, remotepath='.', confirm=True):
     """ Send file to the remote server """
     conn = self.getConnection()
@@ -125,6 +130,7 @@ class FTPConnector(XMLObject):
     finally:
       conn.logout()
 
+  security.declareProtected(Permissions.AccessContentsInformation, 'createDirectory')
   def createDirectory(self, path, mode=0o777):
     """Create a directory `path`, with file mode `mode`.
 
@@ -136,6 +142,7 @@ class FTPConnector(XMLObject):
     finally:
       conn.logout()
 
+  security.declareProtected(Permissions.AccessContentsInformation, 'removeDirectory')
   def removeDirectory(self, path):
     """Create a directory `path`, with file mode `mode`.
 

product/ERP5/tests/testSecurity.py

@@ -72,21 +72,19 @@ class TestSecurityMixin(ERP5TypeTestCase):
     i.e. those who have a docstring but have no security declaration.
     """
     self._prepareDocumentList()
-    white_method_id_list = ['om_icons',]
+    allowed_method_id_list = ['om_icons',]
     app = self.portal.aq_parent
-    meta_type_dict = {}
-    error_dict = {}
-    for idx, obj in app.ZopeFind(app, search_sub=1):
+    meta_type_set = set([None])
+    error_set = set()
+    for _, obj in app.ZopeFind(app, search_sub=1):
       meta_type = getattr(obj, 'meta_type', None)
-      if meta_type is None:
+      if meta_type in meta_type_set:
         continue
-      if meta_type in meta_type_dict:
-        continue
-      meta_type_dict[meta_type] = True
+      meta_type_set.add(meta_type)
       if '__roles__' in obj.__class__.__dict__:
         continue
       for method_id in dir(obj):
-        if method_id.startswith('_') or method_id in white_method_id_list or not callable(getattr(obj, method_id, None)):
+        if method_id.startswith('_') or method_id in allowed_method_id_list or not callable(getattr(obj, method_id, None)):
           continue
         method = getattr(obj, method_id)
         if isinstance(method, MethodType) and \
@@ -96,16 +94,19 @@ class TestSecurityMixin(ERP5TypeTestCase):
           method.__module__:
           if method.__module__ == 'Products.ERP5Type.Accessor.WorkflowState' and method.func_code.co_name == 'serialize':
             continue
-          func_code = method.func_code
-          error_dict[(func_code.co_filename, func_code.co_firstlineno, method_id)] = True
-    error_list = error_dict.keys()
-    if os.environ.get('erp5_debug_mode', None):
-      pass
-    else:
-      error_list = filter(lambda x:'/erp5/' in x[0], error_list)
+          func_code = method.__code__
+          error_set.add((func_code.co_filename, func_code.co_firstlineno, method_id))
+
+    error_list = []
+    for filename, lineno, method_id in sorted(error_set):
+      # ignore security problems with non ERP5 documents, unless running in debug mode.
+      if os.environ.get('erp5_debug_mode') or '/erp5/' in filename or '<portal_components' in filename:
+        error_list.append('%s:%s %s' % (filename, lineno, method_id))
+      else:
+        print('Ignoring missing security definition for %s in %s:%s ' % (method_id, filename, lineno))
     if error_list:
       message = '\nThe following %s methods have a docstring but have no security assertions.\n\t%s' \
-                    % (len(error_list), '\n\t'.join(['%s:%s %s' % x for x in sorted(error_list)]))
+                    % (len(error_list), '\n\t'.join(error_list))
       self.fail(message)
 
   def test_workflow_transition_protection(self):