Commit 6ab2ddf7 authored by Jérome Perrin's avatar Jérome Perrin

Don't skip portal_components code in testSecurity

See merge request nexedi/erp5!1693
parents aebfb199 8be39d34
......@@ -45,7 +45,7 @@ class InternetMessagePost(Item, MailMessageMixin):
def _getMessage(self):
return email.message_from_string(self.getData())
security.declareProtected(Permissions.AccessContentsInformation, 'stripMessageId')
def stripMessageId(self, message_id):
"""
In rfc5322 headers, message-ids may follow the syntax "<msg-id>" in
......@@ -59,11 +59,10 @@ class InternetMessagePost(Item, MailMessageMixin):
message_id = message_id[:-1]
return message_id
security.declareProtected(Permissions.AccessContentsInformation, 'getReference')
def getReference(self):
return self.stripMessageId(self.getSourceReference())
def _setReference(self, value):
"""
Raise if given value is different from current value,
......
......@@ -62,6 +62,7 @@ class OpenOrderLine(SupplyLine):
, PropertySheet.Comment
)
security.declareProtected(Permissions.AccessContentsInformation, 'getTotalQuantity')
def getTotalQuantity(self, default=0):
"""Returns the total quantity for this open order line.
If the order line contains cells, the total quantity of cells are
......@@ -72,6 +73,7 @@ class OpenOrderLine(SupplyLine):
self.getCellValueList(base_id='path')])
return self.getQuantity(default)
security.declareProtected(Permissions.AccessContentsInformation, 'getTotalPrice')
def getTotalPrice(self):
"""Returns the total price for this open order line.
If the order line contains cells, the total price of cells are
......
......@@ -66,6 +66,7 @@ class FTPConnector(XMLObject):
# XXX Must manage in the future ftp and ftps protocol
raise NotImplementedError("Protocol %s is not yet implemented" %(self.getUrlProtocol(),))
security.declareProtected(Permissions.AccessContentsInformation, 'renameFile')
def renameFile(self, old_path, new_path):
""" Move a file """
conn = self.getConnection()
......@@ -74,6 +75,7 @@ class FTPConnector(XMLObject):
finally:
conn.logout()
security.declareProtected(Permissions.AccessContentsInformation, 'removeFile')
def removeFile(self, filepath):
"""Delete the file"""
conn = self.getConnection()
......@@ -82,6 +84,7 @@ class FTPConnector(XMLObject):
finally:
conn.logout()
security.declareProtected(Permissions.AccessContentsInformation, 'listFiles')
def listFiles(self, path=".", sort_on=None):
""" List file of a directory """
conn = self.getConnection()
......@@ -90,6 +93,7 @@ class FTPConnector(XMLObject):
finally:
conn.logout()
security.declareProtected(Permissions.AccessContentsInformation, 'getFile')
def getFile(self, filepath, binary=True):
""" Try to get a file on the remote server """
conn = self.getConnection()
......@@ -101,6 +105,7 @@ class FTPConnector(XMLObject):
finally:
conn.logout()
security.declareProtected(Permissions.AccessContentsInformation, 'putFile')
def putFile(self, filename, data, remotepath='.', confirm=True):
""" Send file to the remote server """
conn = self.getConnection()
......@@ -125,6 +130,7 @@ class FTPConnector(XMLObject):
finally:
conn.logout()
security.declareProtected(Permissions.AccessContentsInformation, 'createDirectory')
def createDirectory(self, path, mode=0o777):
"""Create a directory `path`, with file mode `mode`.
......@@ -136,6 +142,7 @@ class FTPConnector(XMLObject):
finally:
conn.logout()
security.declareProtected(Permissions.AccessContentsInformation, 'removeDirectory')
def removeDirectory(self, path):
"""Create a directory `path`, with file mode `mode`.
......
......@@ -72,21 +72,19 @@ class TestSecurityMixin(ERP5TypeTestCase):
i.e. those who have a docstring but have no security declaration.
"""
self._prepareDocumentList()
white_method_id_list = ['om_icons',]
allowed_method_id_list = ['om_icons',]
app = self.portal.aq_parent
meta_type_dict = {}
error_dict = {}
for idx, obj in app.ZopeFind(app, search_sub=1):
meta_type_set = set([None])
error_set = set()
for _, obj in app.ZopeFind(app, search_sub=1):
meta_type = getattr(obj, 'meta_type', None)
if meta_type is None:
if meta_type in meta_type_set:
continue
if meta_type in meta_type_dict:
continue
meta_type_dict[meta_type] = True
meta_type_set.add(meta_type)
if '__roles__' in obj.__class__.__dict__:
continue
for method_id in dir(obj):
if method_id.startswith('_') or method_id in white_method_id_list or not callable(getattr(obj, method_id, None)):
if method_id.startswith('_') or method_id in allowed_method_id_list or not callable(getattr(obj, method_id, None)):
continue
method = getattr(obj, method_id)
if isinstance(method, MethodType) and \
......@@ -96,16 +94,19 @@ class TestSecurityMixin(ERP5TypeTestCase):
method.__module__:
if method.__module__ == 'Products.ERP5Type.Accessor.WorkflowState' and method.func_code.co_name == 'serialize':
continue
func_code = method.func_code
error_dict[(func_code.co_filename, func_code.co_firstlineno, method_id)] = True
error_list = error_dict.keys()
if os.environ.get('erp5_debug_mode', None):
pass
func_code = method.__code__
error_set.add((func_code.co_filename, func_code.co_firstlineno, method_id))
error_list = []
for filename, lineno, method_id in sorted(error_set):
# ignore security problems with non ERP5 documents, unless running in debug mode.
if os.environ.get('erp5_debug_mode') or '/erp5/' in filename or '<portal_components' in filename:
error_list.append('%s:%s %s' % (filename, lineno, method_id))
else:
error_list = filter(lambda x:'/erp5/' in x[0], error_list)
print('Ignoring missing security definition for %s in %s:%s ' % (method_id, filename, lineno))
if error_list:
message = '\nThe following %s methods have a docstring but have no security assertions.\n\t%s' \
% (len(error_list), '\n\t'.join(['%s:%s %s' % x for x in sorted(error_list)]))
% (len(error_list), '\n\t'.join(error_list))
self.fail(message)
def test_workflow_transition_protection(self):
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment