Commit
6ab2ddf7
authored
Nov 17, 2022
by
Jérome Perrin
Don't skip portal_components code in testSecurity
See merge request
nexedi/erp5!1693
parents
aebfb199
8be39d34
Showing
4 changed files
with
29 additions
and
20 deletions
+29
-20
bt5/erp5_interface_post/DocumentTemplateItem/portal_components/document.erp5.InternetMessagePost.py
...em/portal_components/document.erp5.InternetMessagePost.py
+2
-3
bt5/erp5_open_trade/DocumentTemplateItem/portal_components/document.erp5.OpenOrderLine.py
...lateItem/portal_components/document.erp5.OpenOrderLine.py
+2
-0
bt5/erp5_web_service/DocumentTemplateItem/portal_components/document.erp5.FTPConnector.py
...plateItem/portal_components/document.erp5.FTPConnector.py
+7
-0
product/ERP5/tests/testSecurity.py
product/ERP5/tests/testSecurity.py
+18
-17
bt5/erp5_interface_post/DocumentTemplateItem/portal_components/document.erp5.InternetMessagePost.py
...
...
@@ -45,7 +45,7 @@ class InternetMessagePost(Item, MailMessageMixin):
def
_getMessage
(
self
):
return
email
.
message_from_string
(
self
.
getData
())
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'stripMessageId'
)
def
stripMessageId
(
self
,
message_id
):
"""
In rfc5322 headers, message-ids may follow the syntax "<msg-id>" in
...
...
@@ -59,11 +59,10 @@ class InternetMessagePost(Item, MailMessageMixin):
message_id
=
message_id
[:
-
1
]
return
message_id
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'getReference'
)
def
getReference
(
self
):
return
self
.
stripMessageId
(
self
.
getSourceReference
())
def
_setReference
(
self
,
value
):
"""
Raise if given value is different from current value,
...
...
bt5/erp5_open_trade/DocumentTemplateItem/portal_components/document.erp5.OpenOrderLine.py
...
...
@@ -62,6 +62,7 @@ class OpenOrderLine(SupplyLine):
,
PropertySheet
.
Comment
)
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'getTotalQuantity'
)
def
getTotalQuantity
(
self
,
default
=
0
):
"""Returns the total quantity for this open order line.
If the order line contains cells, the total quantity of cells are
...
...
@@ -72,6 +73,7 @@ class OpenOrderLine(SupplyLine):
self
.
getCellValueList
(
base_id
=
'path'
)])
return
self
.
getQuantity
(
default
)
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'getTotalPrice'
)
def
getTotalPrice
(
self
):
"""Returns the total price for this open order line.
If the order line contains cells, the total price of cells are
...
...
bt5/erp5_web_service/DocumentTemplateItem/portal_components/document.erp5.FTPConnector.py
...
...
@@ -66,6 +66,7 @@ class FTPConnector(XMLObject):
# XXX Must manage in the future ftp and ftps protocol
raise
NotImplementedError
(
"Protocol %s is not yet implemented"
%
(
self
.
getUrlProtocol
(),))
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'renameFile'
)
def
renameFile
(
self
,
old_path
,
new_path
):
""" Move a file """
conn
=
self
.
getConnection
()
...
...
@@ -74,6 +75,7 @@ class FTPConnector(XMLObject):
finally
:
conn
.
logout
()
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'removeFile'
)
def
removeFile
(
self
,
filepath
):
"""Delete the file"""
conn
=
self
.
getConnection
()
...
...
@@ -82,6 +84,7 @@ class FTPConnector(XMLObject):
finally
:
conn
.
logout
()
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'listFiles'
)
def
listFiles
(
self
,
path
=
"."
,
sort_on
=
None
):
""" List file of a directory """
conn
=
self
.
getConnection
()
...
...
@@ -90,6 +93,7 @@ class FTPConnector(XMLObject):
finally
:
conn
.
logout
()
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'getFile'
)
def
getFile
(
self
,
filepath
,
binary
=
True
):
""" Try to get a file on the remote server """
conn
=
self
.
getConnection
()
...
...
@@ -101,6 +105,7 @@ class FTPConnector(XMLObject):
finally
:
conn
.
logout
()
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'putFile'
)
def
putFile
(
self
,
filename
,
data
,
remotepath
=
'.'
,
confirm
=
True
):
""" Send file to the remote server """
conn
=
self
.
getConnection
()
...
...
@@ -125,6 +130,7 @@ class FTPConnector(XMLObject):
finally
:
conn
.
logout
()
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'createDirectory'
)
def
createDirectory
(
self
,
path
,
mode
=
0o777
):
"""Create a directory `path`, with file mode `mode`.
...
...
@@ -136,6 +142,7 @@ class FTPConnector(XMLObject):
finally
:
conn
.
logout
()
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'removeDirectory'
)
def
removeDirectory
(
self
,
path
):
"""Create a directory `path`, with file mode `mode`.
...
...
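Review bot: All seven declarations added in this file use `Permissions.AccessContentsInformation`, including those in front of `renameFile`, `removeFile`, `putFile`, `createDirectory` and `removeDirectory`, which change state on the remote server. A read-level permission on the connector document is then enough to call them from restricted code, which silences the test without settling who may write through the connector. Unless every role holding that permission is meant to modify the remote host, guard the mutating methods with a write-level permission, e.g. `security.declareProtected(Permissions.ModifyPortalContent, 'removeFile')`, or use `security.declarePrivate('removeFile')` if only trusted code calls them. `listFiles` and `getFile` are reads and fit the chosen permission. Separately, the docstring shown on `removeDirectory` is a copy of the `createDirectory` one and should describe removal; the method bodies lie outside the hunks.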
product/ERP5/tests/testSecurity.py
...
...
@@ -72,21 +72,19 @@ class TestSecurityMixin(ERP5TypeTestCase):
i.e. those who have a docstring but have no security declaration.
"""
self
.
_prepareDocumentList
()
white
_method_id_list
=
[
'om_icons'
,]
allowed
_method_id_list
=
[
'om_icons'
,]
app
=
self
.
portal
.
aq_parent
meta_type_
dict
=
{}
error_
dict
=
{}
for
idx
,
obj
in
app
.
ZopeFind
(
app
,
search_sub
=
1
):
meta_type_
set
=
set
([
None
])
error_
set
=
set
()
for
_
,
obj
in
app
.
ZopeFind
(
app
,
search_sub
=
1
):
meta_type
=
getattr
(
obj
,
'meta_type'
,
None
)
if
meta_type
i
s
None
:
if
meta_type
i
n
meta_type_set
:
continue
if
meta_type
in
meta_type_dict
:
continue
meta_type_dict
[
meta_type
]
=
True
meta_type_set
.
add
(
meta_type
)
if
'__roles__'
in
obj
.
__class__
.
__dict__
:
continue
for
method_id
in
dir
(
obj
):
if
method_id
.
startswith
(
'_'
)
or
method_id
in
white
_method_id_list
or
not
callable
(
getattr
(
obj
,
method_id
,
None
)):
if
method_id
.
startswith
(
'_'
)
or
method_id
in
allowed
_method_id_list
or
not
callable
(
getattr
(
obj
,
method_id
,
None
)):
continue
method
=
getattr
(
obj
,
method_id
)
if
isinstance
(
method
,
MethodType
)
and
\
...
...
@@ -96,16 +94,19 @@ class TestSecurityMixin(ERP5TypeTestCase):
method
.
__module__
:
if
method
.
__module__
==
'Products.ERP5Type.Accessor.WorkflowState'
and
method
.
func_code
.
co_name
==
'serialize'
:
continue
func_code
=
method
.
func_code
error_dict
[(
func_code
.
co_filename
,
func_code
.
co_firstlineno
,
method_id
)]
=
True
error_list
=
error_dict
.
keys
()
if
os
.
environ
.
get
(
'erp5_debug_mode'
,
None
):
pass
else
:
error_list
=
filter
(
lambda
x
:
'/erp5/'
in
x
[
0
],
error_list
)
func_code
=
method
.
__code__
error_set
.
add
((
func_code
.
co_filename
,
func_code
.
co_firstlineno
,
method_id
))
error_list
=
[]
for
filename
,
lineno
,
method_id
in
sorted
(
error_set
):
# ignore security problems with non ERP5 documents, unless running in debug mode.
if
os
.
environ
.
get
(
'erp5_debug_mode'
)
or
'/erp5/'
in
filename
or
'<portal_components'
in
filename
:
error_list
.
append
(
'%s:%s %s'
%
(
filename
,
lineno
,
method_id
))
else
:
print
(
'Ignoring missing security definition for %s in %s:%s '
%
(
method_id
,
filename
,
lineno
))
if
error_list
:
message
=
'
\
n
The following %s methods have a docstring but have no security assertions.
\
n
\
t
%s'
\
%
(
len
(
error_list
),
'
\
n
\
t
'
.
join
(
[
'%s:%s %s'
%
x
for
x
in
sorted
(
error_list
)]
))
%
(
len
(
error_list
),
'
\
n
\
t
'
.
join
(
error_list
))
self
.
fail
(
message
)
def
test_workflow_transition_protection
(
self
):
...
...
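Review bot: The final loop in the second hunk decides by substring what counts as a failure, `'/erp5/' in filename or '<portal_components' in filename`, so on a checkout whose path does not contain `/erp5/` every file-system method lacking a declaration goes to the `print` branch and the test still passes. Because this test is the guard against undeclared methods, that path assumption should at least be stated next to the condition, e.g. `# NOTE: assumes the ERP5 sources live under a path containing '/erp5/'; elsewhere missing declarations are only printed, not failed`. The line just above the new code appears to still read `method.func_code.co_name` while the added line uses `method.__code__`; writing `method.__code__.co_name` there would keep the two consistent. The test method starts before the first hunk, so the docstring and the rest of the `isinstance` condition are not visible here.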