*: restrict send API usage

bt5/erp5_base/SkinTemplateItem/portal_skins/erp5_base/Entity_sendEmail.py

+if REQUEST is not None:
+  from zExceptions import Unauthorized
+  raise Unauthorized
+
 from email.utils import formataddr
 portal = context.getPortalObject()
 event = portal.restrictedTraverse(event_relative_url)

bt5/erp5_base/SkinTemplateItem/portal_skins/erp5_base/Entity_sendEmail.xml

@@ -50,7 +50,7 @@
         </item>
         <item>
             <key> <string>_params</string> </key>
-            <value> <string>event_relative_url, **kw</string> </value>
+            <value> <string>event_relative_url, REQUEST=None, **kw</string> </value>
         </item>
         <item>
             <key> <string>_proxy_roles</string> </key>

bt5/erp5_base/SkinTemplateItem/portal_skins/erp5_base/MailMessage_send.py

@@ -2,6 +2,9 @@
 
 This script is also used by notification tool, that's why it is in erp5_base.
 """
+if REQUEST is not None:
+  from zExceptions import Unauthorized
+  raise Unauthorized
 
 from email.utils import formataddr
 portal = context.getPortalObject()

bt5/erp5_base/SkinTemplateItem/portal_skins/erp5_base/MailMessage_send.xml

@@ -50,7 +50,7 @@
         </item>
         <item>
             <key> <string>_params</string> </key>
-            <value> <string>from_url=None, to_url=None, reply_url=None, subject=None, body=None, attachment_format=None, attachment_list=None, download=None, extra_header_dict=None, **kw</string> </value>
+            <value> <string>from_url=None, to_url=None, reply_url=None, subject=None, body=None, attachment_format=None, attachment_list=None, download=None, extra_header_dict=None, REQUEST=None, **kw</string> </value>
         </item>
         <item>
             <key> <string>_proxy_roles</string> </key>

bt5/erp5_crm/TestTemplateItem/portal_components/test.erp5.testCRM.py

@@ -2069,6 +2069,28 @@ class TestCRMMailSend(BaseTestCRM):
     message = message_from_string(last_message)
     self.assertEqual("test", message.get("X-test-header"))
 
+  def test_MailMessage_send_security(self):
+    mail_message = self.portal.event_module.newContent(
+        portal_type="Mail Message",
+        source='person_module/me',
+        destination='person_module/recipient')
+    self.assertGreater(
+      self.publish(
+        mail_message.getPath() + '/send',
+        user='ERP5TypeTestCase').getStatus(),
+        300)
+    self.assertGreater(
+      self.publish(
+        mail_message.getPath() + '/MailMessage_send',
+        user='ERP5TypeTestCase').getStatus(),
+        300)
+    self.assertGreater(
+      self.publish(
+        self.portal.MailHost.getPath() + '/send',
+        user='ERP5TypeTestCase').getStatus(),
+        300)
+    self.assertFalse(self.portal.MailHost.getMessageList())
+
 
 def test_suite():
   suite = unittest.TestSuite()

bt5/erp5_forge/SkinTemplateItem/portal_skins/erp5_forge/BugLine_send.py

+if REQUEST is not None:
+  from zExceptions import Unauthorized
+  raise Unauthorized
+
 if body is None:
   body = context.getTextContent() #XXX This does not support structured text format.
 

bt5/erp5_forge/SkinTemplateItem/portal_skins/erp5_forge/BugLine_send.xml

@@ -50,7 +50,7 @@
         </item>
         <item>
             <key> <string>_params</string> </key>
-            <value> <string>from_url=None, to_url=None, reply_url=None, subject=None, body=None, attachment_format=None, attachment_list=None, download=None, **kw</string> </value>
+            <value> <string>from_url=None, to_url=None, reply_url=None, subject=None, body=None, attachment_format=None, attachment_list=None, download=None, REQUEST=None, **kw</string> </value>
         </item>
         <item>
             <key> <string>id</string> </key>

bt5/erp5_interface_post/SkinTemplateItem/portal_skins/erp5_interface_post/InternetMessagePost_sendMailHostMessage.py

@@ -5,5 +5,8 @@
 # spawned with parameters :
 #     conflict_retry=False,
 #     max_retry=0,
+if REQUEST is not None:
+  from zExceptions import Unauthorized
+  raise Unauthorized
 
 context.getPortalObject().MailHost.send(context.getData())

bt5/erp5_interface_post/SkinTemplateItem/portal_skins/erp5_interface_post/InternetMessagePost_sendMailHostMessage.xml

@@ -50,7 +50,7 @@
         </item>
         <item>
             <key> <string>_params</string> </key>
-            <value> <string></string> </value>
+            <value> <string>REQUEST=None</string> </value>
         </item>
         <item>
             <key> <string>id</string> </key>

bt5/erp5_short_message/SkinTemplateItem/portal_skins/erp5_short_message/ShortMessage_send.py

@@ -2,6 +2,9 @@
   Send the current sms by using a SMS gateway.
   Use default mobile phone of source and destination
 """
+if REQUEST is not None:
+  from zExceptions import Unauthorized
+  raise Unauthorized
 
 #Get recipients
 recipient_phone_list = [

bt5/erp5_short_message/SkinTemplateItem/portal_skins/erp5_short_message/ShortMessage_send.xml

@@ -50,7 +50,7 @@
         </item>
         <item>
             <key> <string>_params</string> </key>
-            <value> <string>from_url=None, from_title=None, to_url=None, reply_url=None, subject=None, body=None, attachment_format=None, attachment_list=None, download=False, **kw</string> </value>
+            <value> <string>from_url=None, from_title=None, to_url=None, reply_url=None, subject=None, body=None, attachment_format=None, attachment_list=None, download=False, REQUEST=None, **kw</string> </value>
         </item>
         <item>
             <key> <string>_proxy_roles</string> </key>

bt5/erp5_short_message/ToolComponentTemplateItem/portal_components/tool.erp5.SMSTool.py

@@ -30,14 +30,13 @@
 from AccessControl import ClassSecurityInfo
 from Products.ERP5Type.Tool.BaseTool import BaseTool
 from Products.ERP5Type.Permissions import ManagePortal
+from Products.ERP5Type.Utils import non_publishable
 
 #from Products.ERP5ShortMessage import _dtmldir
 
 class SMSTool(BaseTool):
   """
-    This tool manages gadgets.
-
-    It is used as a central point to manage gadgets (ERP5 or external ones)...
+    This tool takes care of sending SMS.
   """
   id = 'portal_sms'
   meta_type = 'ERP5 SMS Tool'
@@ -50,6 +49,7 @@ class SMSTool(BaseTool):
   #manage_overview = DTMLFile('explainSMSTool', _dtmldir )
 
   security.declareProtected(ManagePortal, 'send')
+  @non_publishable
   def send(self, text, recipient, sender, gateway_reference='default',
            document_relative_url=None, activate_kw=None):
     """Send the message

product/ERP5/bootstrap/erp5_core/DocumentTemplateItem/portal_components/document.erp5.EmailDocument.py

@@ -32,6 +32,7 @@ from DateTime import DateTime
 from AccessControl import ClassSecurityInfo
 from Products.ERP5Type.Accessor.Constant import PropertyGetter as ConstantGetter
 from Products.ERP5Type import Permissions, PropertySheet
+from Products.ERP5Type.Utils import non_publishable
 from erp5.component.document.TextDocument import TextDocument
 from erp5.component.document.File import File
 from erp5.component.mixin.MailMessageMixin import MailMessageMixin, testCharsetAndConvert
@@ -359,6 +360,7 @@ class EmailDocument(TextDocument, MailMessageMixin):
     return content_information.get('Return-Path', content_information.get('From'))
 
   security.declareProtected(Permissions.UseMailhostServices, 'sendMailHostMessage')
+  @non_publishable
   def sendMailHostMessage(self, message):
     """
       Send one by one

product/ERP5/bootstrap/erp5_core/DocumentTemplateItem/portal_components/document.erp5.Event.py

@@ -32,9 +32,11 @@ from AccessControl import ClassSecurityInfo
 from Products.ERP5Type import Permissions, PropertySheet
 from Products.ERP5Type.Accessor.Constant import PropertyGetter as ConstantGetter
 from Products.ERP5Type.Globals import InitializeClass
+from Products.ERP5Type.Utils import non_publishable
 from erp5.component.document.Movement import Movement
 from erp5.component.document.EmailDocument import EmailDocument
 
+
 class AcknowledgeableMixin:
   """
   Mixin class for all documents that we can acknowledge
@@ -154,6 +156,7 @@ class Event(Movement, EmailDocument, AcknowledgeableMixin):
     return self
 
   security.declareProtected(Permissions.UseMailhostServices, 'send')
+  @non_publishable
   def send(self, from_url=None, to_url=None, reply_url=None, subject=None,
            body=None, attachment_format=None, attachment_list=None,
            download=False, **kw):

product/ERP5Type/patches/MailHost.py

@@ -20,6 +20,7 @@ In ERP5, we have Activity Tool to postpone mail delivery.
 
 from inspect import getargspec, isfunction
 from Products.MailHost.MailHost import MailBase
+from Products.ERP5Type.Utils import non_publishable
 import six
 
 for f in six.itervalues(MailBase.__dict__):
@@ -44,3 +45,5 @@ def _makeMailer(self):
   return smtp_mailer
 
 MailBase._makeMailer = _makeMailer
+
+MailBase.send = non_publishable(MailBase.send)