Commit
6ab2ddf7
authored
Nov 17, 2022
by
Jérome Perrin
Don't skip portal_components code in testSecurity
See merge request
nexedi/erp5!1693
parents
aebfb199
8be39d34
Showing
4 changed files
with
29 additions
and
20 deletions
+29
-20
bt5/erp5_interface_post/DocumentTemplateItem/portal_components/document.erp5.InternetMessagePost.py
...em/portal_components/document.erp5.InternetMessagePost.py
+2
-3
bt5/erp5_open_trade/DocumentTemplateItem/portal_components/document.erp5.OpenOrderLine.py
...lateItem/portal_components/document.erp5.OpenOrderLine.py
+2
-0
bt5/erp5_web_service/DocumentTemplateItem/portal_components/document.erp5.FTPConnector.py
...plateItem/portal_components/document.erp5.FTPConnector.py
+7
-0
product/ERP5/tests/testSecurity.py
product/ERP5/tests/testSecurity.py
+18
-17
bt5/erp5_interface_post/DocumentTemplateItem/portal_components/document.erp5.InternetMessagePost.py
...
...
@@ -45,7 +45,7 @@ class InternetMessagePost(Item, MailMessageMixin):
def
_getMessage
(
self
):
return
email
.
message_from_string
(
self
.
getData
())
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'stripMessageId'
)
def
stripMessageId
(
self
,
message_id
):
"""
In rfc5322 headers, message-ids may follow the syntax "<msg-id>" in
...
...
@@ -59,11 +59,10 @@ class InternetMessagePost(Item, MailMessageMixin):
message_id
=
message_id
[:
-
1
]
return
message_id
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'getReference'
)
def
getReference
(
self
):
return
self
.
stripMessageId
(
self
.
getSourceReference
())
def
_setReference
(
self
,
value
):
"""
Raise if given value is different from current value,
...
...
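Review bot: `getReference` gets a security declaration in the second hunk but still has no docstring, unlike `stripMessageId` just above it; since testSecurity only examines methods "who have a docstring but have no security declaration", undocumented public methods are invisible to that test, so a one-line docstring such as `"""Return the source reference with the message-id delimiters stripped."""` both documents the override and keeps it in the test's scope. Declaring it with `AccessContentsInformation` appears consistent with the generated reference accessor it overrides, though that cannot be confirmed from the hunk. The `_setReference` method that follows is private by naming convention and needs no declaration; its body continues outside the hunk.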
bt5/erp5_open_trade/DocumentTemplateItem/portal_components/document.erp5.OpenOrderLine.py
...
...
@@ -62,6 +62,7 @@ class OpenOrderLine(SupplyLine):
,
PropertySheet
.
Comment
)
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'getTotalQuantity'
)
def
getTotalQuantity
(
self
,
default
=
0
):
"""Returns the total quantity for this open order line.
If the order line contains cells, the total quantity of cells are
...
...
@@ -72,6 +73,7 @@ class OpenOrderLine(SupplyLine):
self
.
getCellValueList
(
base_id
=
'path'
)])
return
self
.
getQuantity
(
default
)
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'getTotalPrice'
)
def
getTotalPrice
(
self
):
"""Returns the total price for this open order line.
If the order line contains cells, the total price of cells are
...
...
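Review bot: The two methods now exposed by the new declarations have asymmetric signatures, `getTotalQuantity(self, default=0)` versus `getTotalPrice(self)`, so a caller that passes `default=` to the price method by analogy with the quantity one gets a TypeError. Whether this is deliberate cannot be told here because both bodies end outside their hunks; if it is, a sentence in the `getTotalPrice` docstring saying that no default is accepted would save the next reader the surprise, and if not, `def getTotalPrice(self, default=0):` with the corresponding pass-through would restore the symmetry. The permission chosen matches the one used by the underlying `getQuantity` accessor, as far as the visible lines show.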
bt5/erp5_web_service/DocumentTemplateItem/portal_components/document.erp5.FTPConnector.py
...
...
@@ -66,6 +66,7 @@ class FTPConnector(XMLObject):
# XXX Must manage in the future ftp and ftps protocol
raise
NotImplementedError
(
"Protocol %s is not yet implemented"
%
(
self
.
getUrlProtocol
(),))
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'renameFile'
)
def
renameFile
(
self
,
old_path
,
new_path
):
""" Move a file """
conn
=
self
.
getConnection
()
...
...
@@ -74,6 +75,7 @@ class FTPConnector(XMLObject):
finally
:
conn
.
logout
()
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'removeFile'
)
def
removeFile
(
self
,
filepath
):
"""Delete the file"""
conn
=
self
.
getConnection
()
...
...
@@ -82,6 +84,7 @@ class FTPConnector(XMLObject):
finally
:
conn
.
logout
()
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'listFiles'
)
def
listFiles
(
self
,
path
=
"."
,
sort_on
=
None
):
""" List file of a directory """
conn
=
self
.
getConnection
()
...
...
@@ -90,6 +93,7 @@ class FTPConnector(XMLObject):
finally
:
conn
.
logout
()
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'getFile'
)
def
getFile
(
self
,
filepath
,
binary
=
True
):
""" Try to get a file on the remote server """
conn
=
self
.
getConnection
()
...
...
@@ -101,6 +105,7 @@ class FTPConnector(XMLObject):
finally
:
conn
.
logout
()
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'putFile'
)
def
putFile
(
self
,
filename
,
data
,
remotepath
=
'.'
,
confirm
=
True
):
""" Send file to the remote server """
conn
=
self
.
getConnection
()
...
...
@@ -125,6 +130,7 @@ class FTPConnector(XMLObject):
finally
:
conn
.
logout
()
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'createDirectory'
)
def
createDirectory
(
self
,
path
,
mode
=
0o777
):
"""Create a directory `path`, with file mode `mode`.
...
...
@@ -136,6 +142,7 @@ class FTPConnector(XMLObject):
finally
:
conn
.
logout
()
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'removeDirectory'
)
def
removeDirectory
(
self
,
path
):
"""Create a directory `path`, with file mode `mode`.
...
...
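Review bot: All seven new declarations use `Permissions.AccessContentsInformation`, including the write-side operations `renameFile`, `removeFile`, `putFile`, `createDirectory` and `removeDirectory`, which change state on the remote server; that is the read permission a viewer of the connector document normally holds, so depending on the class's previous default this may let anyone who can view the connector invoke those operations from restricted code. A modification permission, e.g. `security.declareProtected(Permissions.ModifyPortalContent, 'removeFile')`, or `security.declarePrivate('removeFile')` if they are only meant for trusted server-side callers, would match what the methods do, while `listFiles` and `getFile` are read operations and can keep the weaker permission. Separately, the `removeDirectory` docstring in the last hunk is copied from `createDirectory` ("Create a directory `path`, with file mode `mode`.") and should read `"""Remove the directory `path`."""`. Each method's body continues outside its hunk.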
product/ERP5/tests/testSecurity.py
...
...
@@ -72,21 +72,19 @@ class TestSecurityMixin(ERP5TypeTestCase):
i.e. those who have a docstring but have no security declaration.
"""
self
.
_prepareDocumentList
()
white
_method_id_list
=
[
'om_icons'
,]
allowed
_method_id_list
=
[
'om_icons'
,]
app
=
self
.
portal
.
aq_parent
meta_type_
dict
=
{}
error_
dict
=
{}
for
idx
,
obj
in
app
.
ZopeFind
(
app
,
search_sub
=
1
):
meta_type_
set
=
set
([
None
])
error_
set
=
set
()
for
_
,
obj
in
app
.
ZopeFind
(
app
,
search_sub
=
1
):
meta_type
=
getattr
(
obj
,
'meta_type'
,
None
)
if
meta_type
i
s
None
:
if
meta_type
i
n
meta_type_set
:
continue
if
meta_type
in
meta_type_dict
:
continue
meta_type_dict
[
meta_type
]
=
True
meta_type_set
.
add
(
meta_type
)
if
'__roles__'
in
obj
.
__class__
.
__dict__
:
continue
for
method_id
in
dir
(
obj
):
if
method_id
.
startswith
(
'_'
)
or
method_id
in
white
_method_id_list
or
not
callable
(
getattr
(
obj
,
method_id
,
None
)):
if
method_id
.
startswith
(
'_'
)
or
method_id
in
allowed
_method_id_list
or
not
callable
(
getattr
(
obj
,
method_id
,
None
)):
continue
method
=
getattr
(
obj
,
method_id
)
if
isinstance
(
method
,
MethodType
)
and
\
...
...
@@ -96,16 +94,19 @@ class TestSecurityMixin(ERP5TypeTestCase):
method
.
__module__
:
if
method
.
__module__
==
'Products.ERP5Type.Accessor.WorkflowState'
and
method
.
func_code
.
co_name
==
'serialize'
:
continue
func_code
=
method
.
func_code
error_dict
[(
func_code
.
co_filename
,
func_code
.
co_firstlineno
,
method_id
)]
=
True
error_list
=
error_dict
.
keys
()
if
os
.
environ
.
get
(
'erp5_debug_mode'
,
None
):
pass
else
:
error_list
=
filter
(
lambda
x
:
'/erp5/'
in
x
[
0
],
error_list
)
func_code
=
method
.
__code__
error_set
.
add
((
func_code
.
co_filename
,
func_code
.
co_firstlineno
,
method_id
))
error_list
=
[]
for
filename
,
lineno
,
method_id
in
sorted
(
error_set
):
# ignore security problems with non ERP5 documents, unless running in debug mode.
if
os
.
environ
.
get
(
'erp5_debug_mode'
)
or
'/erp5/'
in
filename
or
'<portal_components'
in
filename
:
error_list
.
append
(
'%s:%s %s'
%
(
filename
,
lineno
,
method_id
))
else
:
print
(
'Ignoring missing security definition for %s in %s:%s '
%
(
method_id
,
filename
,
lineno
))
if
error_list
:
message
=
'
\
n
The following %s methods have a docstring but have no security assertions.
\
n
\
t
%s'
\
%
(
len
(
error_list
),
'
\
n
\
t
'
.
join
(
[
'%s:%s %s'
%
x
for
x
in
sorted
(
error_list
)]
))
%
(
len
(
error_list
),
'
\
n
\
t
'
.
join
(
error_list
))
self
.
fail
(
message
)
def
test_workflow_transition_protection
(
self
):
...
...
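Review bot: The context line just above the rewritten block still reads `method.func_code.co_name == 'serialize'` while the new line two statements later switches to `method.__code__`, so the method is only half-ported to the `__code__` attribute; `method.__code__.co_name == 'serialize'` keeps the two consistent. The seeding of `meta_type_set = set([None])` in the first hunk is doing double duty, skipping objects whose `meta_type` is `None` and de-duplicating by meta type, and deserves a comment such as `# pre-seeded with None so objects without a meta_type are skipped`. The `'<portal_components' in filename` test presumably matches the `co_filename` that component code is compiled with; if that prefix ever changes the filter would silently drop those methods again, so a comment naming where the prefix comes from would help. The enclosing test method starts before the first hunk.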