Commit c4e5b100 authored by Jérome Perrin's avatar Jérome Perrin

*: restrict send API usage

parent c503f318
if REQUEST is not None:
from zExceptions import Unauthorized
raise Unauthorized
from email.utils import formataddr from email.utils import formataddr
portal = context.getPortalObject() portal = context.getPortalObject()
event = portal.restrictedTraverse(event_relative_url) event = portal.restrictedTraverse(event_relative_url)
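Review bot: The added guard (`if REQUEST is not None:` followed by `raise Unauthorized`) carries no comment explaining that a non-None REQUEST is being used as the signal for "reached by URL", and the same three lines recur in the other script hunks of this commit (the notification-tool script, the `body is None` script, the `MailHost.send(context.getData())` script and the SMS script). A one-line comment above it, such as `# The publisher fills REQUEST when this script is reached by URL; refuse that path.`, would make the idiom clear wherever it is copied. Where the signature already had `**kw`, an in-process caller that passed `REQUEST=` as a keyword was previously accepted and will now get Unauthorized; the callers are not visible on this page, so that is worth checking. The script body continues past the end of the hunk.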
......
...@@ -50,7 +50,7 @@ ...@@ -50,7 +50,7 @@
</item> </item>
<item> <item>
<key> <string>_params</string> </key> <key> <string>_params</string> </key>
<value> <string>event_relative_url, **kw</string> </value> <value> <string>event_relative_url, REQUEST=None, **kw</string> </value>
</item> </item>
<item> <item>
<key> <string>_proxy_roles</string> </key> <key> <string>_proxy_roles</string> </key>
......
...@@ -2,6 +2,9 @@ ...@@ -2,6 +2,9 @@
This script is also used by notification tool, that's why it is in erp5_base. This script is also used by notification tool, that's why it is in erp5_base.
""" """
if REQUEST is not None:
from zExceptions import Unauthorized
raise Unauthorized
from email.utils import formataddr from email.utils import formataddr
portal = context.getPortalObject() portal = context.getPortalObject()
......
...@@ -50,7 +50,7 @@ ...@@ -50,7 +50,7 @@
</item> </item>
<item> <item>
<key> <string>_params</string> </key> <key> <string>_params</string> </key>
<value> <string>from_url=None, to_url=None, reply_url=None, subject=None, body=None, attachment_format=None, attachment_list=None, download=None, extra_header_dict=None, **kw</string> </value> <value> <string>from_url=None, to_url=None, reply_url=None, subject=None, body=None, attachment_format=None, attachment_list=None, download=None, extra_header_dict=None, REQUEST=None, **kw</string> </value>
</item> </item>
<item> <item>
<key> <string>_proxy_roles</string> </key> <key> <string>_proxy_roles</string> </key>
......
...@@ -2069,6 +2069,28 @@ class TestCRMMailSend(BaseTestCRM): ...@@ -2069,6 +2069,28 @@ class TestCRMMailSend(BaseTestCRM):
message = message_from_string(last_message) message = message_from_string(last_message)
self.assertEqual("test", message.get("X-test-header")) self.assertEqual("test", message.get("X-test-header"))
def test_MailMessage_send_security(self):
mail_message = self.portal.event_module.newContent(
portal_type="Mail Message",
source='person_module/me',
destination='person_module/recipient')
self.assertGreater(
self.publish(
mail_message.getPath() + '/send',
user='ERP5TypeTestCase').getStatus(),
300)
self.assertGreater(
self.publish(
mail_message.getPath() + '/MailMessage_send',
user='ERP5TypeTestCase').getStatus(),
300)
self.assertGreater(
self.publish(
self.portal.MailHost.getPath() + '/send',
user='ERP5TypeTestCase').getStatus(),
300)
self.assertFalse(self.portal.MailHost.getMessageList())
def test_suite(): def test_suite():
suite = unittest.TestSuite() suite = unittest.TestSuite()
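Review bot: `assertGreater(..., 300)` in `test_MailMessage_send_security` accepts any redirect, client error or server error, so the three publish checks would still pass if the request failed for an unrelated reason (a missing argument or a traversal error, for instance) rather than because of the new restriction. Asserting the exact status the restriction is expected to produce would tie the test to this change; as written, the final `assertFalse(self.portal.MailHost.getMessageList())` is the only check that tells whether a mail actually went out. `sendMailHostMessage` and the SMS tool's `send`, both marked `@non_publishable` in this commit, are not exercised here. The hunk starts inside the preceding test method.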
......
if REQUEST is not None:
from zExceptions import Unauthorized
raise Unauthorized
if body is None: if body is None:
body = context.getTextContent() #XXX This does not support structured text format. body = context.getTextContent() #XXX This does not support structured text format.
......
...@@ -50,7 +50,7 @@ ...@@ -50,7 +50,7 @@
</item> </item>
<item> <item>
<key> <string>_params</string> </key> <key> <string>_params</string> </key>
<value> <string>from_url=None, to_url=None, reply_url=None, subject=None, body=None, attachment_format=None, attachment_list=None, download=None, **kw</string> </value> <value> <string>from_url=None, to_url=None, reply_url=None, subject=None, body=None, attachment_format=None, attachment_list=None, download=None, REQUEST=None, **kw</string> </value>
</item> </item>
<item> <item>
<key> <string>id</string> </key> <key> <string>id</string> </key>
......
...@@ -5,5 +5,8 @@ ...@@ -5,5 +5,8 @@
# spawned with parameters : # spawned with parameters :
# conflict_retry=False, # conflict_retry=False,
# max_retry=0, # max_retry=0,
if REQUEST is not None:
from zExceptions import Unauthorized
raise Unauthorized
context.getPortalObject().MailHost.send(context.getData()) context.getPortalObject().MailHost.send(context.getData())
...@@ -50,7 +50,7 @@ ...@@ -50,7 +50,7 @@
</item> </item>
<item> <item>
<key> <string>_params</string> </key> <key> <string>_params</string> </key>
<value> <string></string> </value> <value> <string>REQUEST=None</string> </value>
</item> </item>
<item> <item>
<key> <string>id</string> </key> <key> <string>id</string> </key>
......
...@@ -2,6 +2,9 @@ ...@@ -2,6 +2,9 @@
Send the current sms by using a SMS gateway. Send the current sms by using a SMS gateway.
Use default mobile phone of source and destination Use default mobile phone of source and destination
""" """
if REQUEST is not None:
from zExceptions import Unauthorized
raise Unauthorized
#Get recipients #Get recipients
recipient_phone_list = [ recipient_phone_list = [
......
...@@ -50,7 +50,7 @@ ...@@ -50,7 +50,7 @@
</item> </item>
<item> <item>
<key> <string>_params</string> </key> <key> <string>_params</string> </key>
<value> <string>from_url=None, from_title=None, to_url=None, reply_url=None, subject=None, body=None, attachment_format=None, attachment_list=None, download=False, **kw</string> </value> <value> <string>from_url=None, from_title=None, to_url=None, reply_url=None, subject=None, body=None, attachment_format=None, attachment_list=None, download=False, REQUEST=None, **kw</string> </value>
</item> </item>
<item> <item>
<key> <string>_proxy_roles</string> </key> <key> <string>_proxy_roles</string> </key>
......
...@@ -30,14 +30,13 @@ ...@@ -30,14 +30,13 @@
from AccessControl import ClassSecurityInfo from AccessControl import ClassSecurityInfo
from Products.ERP5Type.Tool.BaseTool import BaseTool from Products.ERP5Type.Tool.BaseTool import BaseTool
from Products.ERP5Type.Permissions import ManagePortal from Products.ERP5Type.Permissions import ManagePortal
from Products.ERP5Type.Utils import non_publishable
#from Products.ERP5ShortMessage import _dtmldir #from Products.ERP5ShortMessage import _dtmldir
class SMSTool(BaseTool): class SMSTool(BaseTool):
""" """
This tool manages gadgets. This tool takes care of sending SMS.
It is used as a central point to manage gadgets (ERP5 or external ones)...
""" """
id = 'portal_sms' id = 'portal_sms'
meta_type = 'ERP5 SMS Tool' meta_type = 'ERP5 SMS Tool'
...@@ -50,6 +49,7 @@ class SMSTool(BaseTool): ...@@ -50,6 +49,7 @@ class SMSTool(BaseTool):
#manage_overview = DTMLFile('explainSMSTool', _dtmldir ) #manage_overview = DTMLFile('explainSMSTool', _dtmldir )
security.declareProtected(ManagePortal, 'send') security.declareProtected(ManagePortal, 'send')
@non_publishable
def send(self, text, recipient, sender, gateway_reference='default', def send(self, text, recipient, sender, gateway_reference='default',
document_relative_url=None, activate_kw=None): document_relative_url=None, activate_kw=None):
"""Send the message """Send the message
......
...@@ -32,6 +32,7 @@ from DateTime import DateTime ...@@ -32,6 +32,7 @@ from DateTime import DateTime
from AccessControl import ClassSecurityInfo from AccessControl import ClassSecurityInfo
from Products.ERP5Type.Accessor.Constant import PropertyGetter as ConstantGetter from Products.ERP5Type.Accessor.Constant import PropertyGetter as ConstantGetter
from Products.ERP5Type import Permissions, PropertySheet from Products.ERP5Type import Permissions, PropertySheet
from Products.ERP5Type.Utils import non_publishable
from erp5.component.document.TextDocument import TextDocument from erp5.component.document.TextDocument import TextDocument
from erp5.component.document.File import File from erp5.component.document.File import File
from erp5.component.mixin.MailMessageMixin import MailMessageMixin, testCharsetAndConvert from erp5.component.mixin.MailMessageMixin import MailMessageMixin, testCharsetAndConvert
...@@ -359,6 +360,7 @@ class EmailDocument(TextDocument, MailMessageMixin): ...@@ -359,6 +360,7 @@ class EmailDocument(TextDocument, MailMessageMixin):
return content_information.get('Return-Path', content_information.get('From')) return content_information.get('Return-Path', content_information.get('From'))
security.declareProtected(Permissions.UseMailhostServices, 'sendMailHostMessage') security.declareProtected(Permissions.UseMailhostServices, 'sendMailHostMessage')
@non_publishable
def sendMailHostMessage(self, message): def sendMailHostMessage(self, message):
""" """
Send one by one Send one by one
......
...@@ -32,9 +32,11 @@ from AccessControl import ClassSecurityInfo ...@@ -32,9 +32,11 @@ from AccessControl import ClassSecurityInfo
from Products.ERP5Type import Permissions, PropertySheet from Products.ERP5Type import Permissions, PropertySheet
from Products.ERP5Type.Accessor.Constant import PropertyGetter as ConstantGetter from Products.ERP5Type.Accessor.Constant import PropertyGetter as ConstantGetter
from Products.ERP5Type.Globals import InitializeClass from Products.ERP5Type.Globals import InitializeClass
from Products.ERP5Type.Utils import non_publishable
from erp5.component.document.Movement import Movement from erp5.component.document.Movement import Movement
from erp5.component.document.EmailDocument import EmailDocument from erp5.component.document.EmailDocument import EmailDocument
class AcknowledgeableMixin: class AcknowledgeableMixin:
""" """
Mixin class for all documents that we can acknowledge Mixin class for all documents that we can acknowledge
...@@ -154,6 +156,7 @@ class Event(Movement, EmailDocument, AcknowledgeableMixin): ...@@ -154,6 +156,7 @@ class Event(Movement, EmailDocument, AcknowledgeableMixin):
return self return self
security.declareProtected(Permissions.UseMailhostServices, 'send') security.declareProtected(Permissions.UseMailhostServices, 'send')
@non_publishable
def send(self, from_url=None, to_url=None, reply_url=None, subject=None, def send(self, from_url=None, to_url=None, reply_url=None, subject=None,
body=None, attachment_format=None, attachment_list=None, body=None, attachment_format=None, attachment_list=None,
download=False, **kw): download=False, **kw):
......
...@@ -20,6 +20,7 @@ In ERP5, we have Activity Tool to postpone mail delivery. ...@@ -20,6 +20,7 @@ In ERP5, we have Activity Tool to postpone mail delivery.
from inspect import getargspec, isfunction from inspect import getargspec, isfunction
from Products.MailHost.MailHost import MailBase from Products.MailHost.MailHost import MailBase
from Products.ERP5Type.Utils import non_publishable
import six import six
for f in six.itervalues(MailBase.__dict__): for f in six.itervalues(MailBase.__dict__):
...@@ -44,3 +45,5 @@ def _makeMailer(self): ...@@ -44,3 +45,5 @@ def _makeMailer(self):
return smtp_mailer return smtp_mailer
MailBase._makeMailer = _makeMailer MailBase._makeMailer = _makeMailer
MailBase.send = non_publishable(MailBase.send)
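Review bot: Only `MailBase.send` is wrapped on the last added line, while `MailBase` in Products.MailHost also defines `sendTemplate` and `simple_send`, which deliver mail too, and nothing visible in this hunk restricts them. If either is reachable by URL in this setup it would need the same treatment, for example `MailBase.simple_send = non_publishable(MailBase.simple_send)`; the rest of the patch module is outside the hunk, so this should be confirmed there. A short comment above the assignment saying why `send` is made non-publishable would also help the next reader of this monkey patch.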