Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
erp5
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Labels
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Commits
Open sidebar
Romain Courteaud
erp5
Commits
6ab2ddf7
Commit
6ab2ddf7
authored
Nov 17, 2022
by
Jérome Perrin
Browse files
Options
Browse Files
Download
Plain Diff
Don't skip portal_components code in testSecurity
See merge request
nexedi/erp5!1693
parents
aebfb199
8be39d34
Changes
4
Show whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
29 additions
and
20 deletions
+29
-20
bt5/erp5_interface_post/DocumentTemplateItem/portal_components/document.erp5.InternetMessagePost.py
...em/portal_components/document.erp5.InternetMessagePost.py
+2
-3
bt5/erp5_open_trade/DocumentTemplateItem/portal_components/document.erp5.OpenOrderLine.py
...lateItem/portal_components/document.erp5.OpenOrderLine.py
+2
-0
bt5/erp5_web_service/DocumentTemplateItem/portal_components/document.erp5.FTPConnector.py
...plateItem/portal_components/document.erp5.FTPConnector.py
+7
-0
product/ERP5/tests/testSecurity.py
product/ERP5/tests/testSecurity.py
+18
-17
No files found.
bt5/erp5_interface_post/DocumentTemplateItem/portal_components/document.erp5.InternetMessagePost.py
View file @
6ab2ddf7
...
@@ -45,7 +45,7 @@ class InternetMessagePost(Item, MailMessageMixin):
...
@@ -45,7 +45,7 @@ class InternetMessagePost(Item, MailMessageMixin):
def
_getMessage
(
self
):
def
_getMessage
(
self
):
return
email
.
message_from_string
(
self
.
getData
())
return
email
.
message_from_string
(
self
.
getData
())
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'stripMessageId'
)
def
stripMessageId
(
self
,
message_id
):
def
stripMessageId
(
self
,
message_id
):
"""
"""
In rfc5322 headers, message-ids may follow the syntax "<msg-id>" in
In rfc5322 headers, message-ids may follow the syntax "<msg-id>" in
...
@@ -59,11 +59,10 @@ class InternetMessagePost(Item, MailMessageMixin):
...
@@ -59,11 +59,10 @@ class InternetMessagePost(Item, MailMessageMixin):
message_id
=
message_id
[:
-
1
]
message_id
=
message_id
[:
-
1
]
return
message_id
return
message_id
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'getReference'
)
def
getReference
(
self
):
def
getReference
(
self
):
return
self
.
stripMessageId
(
self
.
getSourceReference
())
return
self
.
stripMessageId
(
self
.
getSourceReference
())
def
_setReference
(
self
,
value
):
def
_setReference
(
self
,
value
):
"""
"""
Raise if given value is different from current value,
Raise if given value is different from current value,
...
...
bt5/erp5_open_trade/DocumentTemplateItem/portal_components/document.erp5.OpenOrderLine.py
View file @
6ab2ddf7
...
@@ -62,6 +62,7 @@ class OpenOrderLine(SupplyLine):
...
@@ -62,6 +62,7 @@ class OpenOrderLine(SupplyLine):
,
PropertySheet
.
Comment
,
PropertySheet
.
Comment
)
)
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'getTotalQuantity'
)
def
getTotalQuantity
(
self
,
default
=
0
):
def
getTotalQuantity
(
self
,
default
=
0
):
"""Returns the total quantity for this open order line.
"""Returns the total quantity for this open order line.
If the order line contains cells, the total quantity of cells are
If the order line contains cells, the total quantity of cells are
...
@@ -72,6 +73,7 @@ class OpenOrderLine(SupplyLine):
...
@@ -72,6 +73,7 @@ class OpenOrderLine(SupplyLine):
self
.
getCellValueList
(
base_id
=
'path'
)])
self
.
getCellValueList
(
base_id
=
'path'
)])
return
self
.
getQuantity
(
default
)
return
self
.
getQuantity
(
default
)
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'getTotalPrice'
)
def
getTotalPrice
(
self
):
def
getTotalPrice
(
self
):
"""Returns the total price for this open order line.
"""Returns the total price for this open order line.
If the order line contains cells, the total price of cells are
If the order line contains cells, the total price of cells are
...
...
bt5/erp5_web_service/DocumentTemplateItem/portal_components/document.erp5.FTPConnector.py
View file @
6ab2ddf7
...
@@ -66,6 +66,7 @@ class FTPConnector(XMLObject):
...
@@ -66,6 +66,7 @@ class FTPConnector(XMLObject):
# XXX Must manage in the future ftp and ftps protocol
# XXX Must manage in the future ftp and ftps protocol
raise
NotImplementedError
(
"Protocol %s is not yet implemented"
%
(
self
.
getUrlProtocol
(),))
raise
NotImplementedError
(
"Protocol %s is not yet implemented"
%
(
self
.
getUrlProtocol
(),))
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'renameFile'
)
def
renameFile
(
self
,
old_path
,
new_path
):
def
renameFile
(
self
,
old_path
,
new_path
):
""" Move a file """
""" Move a file """
conn
=
self
.
getConnection
()
conn
=
self
.
getConnection
()
...
@@ -74,6 +75,7 @@ class FTPConnector(XMLObject):
...
@@ -74,6 +75,7 @@ class FTPConnector(XMLObject):
finally
:
finally
:
conn
.
logout
()
conn
.
logout
()
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'removeFile'
)
def
removeFile
(
self
,
filepath
):
def
removeFile
(
self
,
filepath
):
"""Delete the file"""
"""Delete the file"""
conn
=
self
.
getConnection
()
conn
=
self
.
getConnection
()
...
@@ -82,6 +84,7 @@ class FTPConnector(XMLObject):
...
@@ -82,6 +84,7 @@ class FTPConnector(XMLObject):
finally
:
finally
:
conn
.
logout
()
conn
.
logout
()
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'listFiles'
)
def
listFiles
(
self
,
path
=
"."
,
sort_on
=
None
):
def
listFiles
(
self
,
path
=
"."
,
sort_on
=
None
):
""" List file of a directory """
""" List file of a directory """
conn
=
self
.
getConnection
()
conn
=
self
.
getConnection
()
...
@@ -90,6 +93,7 @@ class FTPConnector(XMLObject):
...
@@ -90,6 +93,7 @@ class FTPConnector(XMLObject):
finally
:
finally
:
conn
.
logout
()
conn
.
logout
()
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'getFile'
)
def
getFile
(
self
,
filepath
,
binary
=
True
):
def
getFile
(
self
,
filepath
,
binary
=
True
):
""" Try to get a file on the remote server """
""" Try to get a file on the remote server """
conn
=
self
.
getConnection
()
conn
=
self
.
getConnection
()
...
@@ -101,6 +105,7 @@ class FTPConnector(XMLObject):
...
@@ -101,6 +105,7 @@ class FTPConnector(XMLObject):
finally
:
finally
:
conn
.
logout
()
conn
.
logout
()
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'putFile'
)
def
putFile
(
self
,
filename
,
data
,
remotepath
=
'.'
,
confirm
=
True
):
def
putFile
(
self
,
filename
,
data
,
remotepath
=
'.'
,
confirm
=
True
):
""" Send file to the remote server """
""" Send file to the remote server """
conn
=
self
.
getConnection
()
conn
=
self
.
getConnection
()
...
@@ -125,6 +130,7 @@ class FTPConnector(XMLObject):
...
@@ -125,6 +130,7 @@ class FTPConnector(XMLObject):
finally
:
finally
:
conn
.
logout
()
conn
.
logout
()
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'createDirectory'
)
def
createDirectory
(
self
,
path
,
mode
=
0o777
):
def
createDirectory
(
self
,
path
,
mode
=
0o777
):
"""Create a directory `path`, with file mode `mode`.
"""Create a directory `path`, with file mode `mode`.
...
@@ -136,6 +142,7 @@ class FTPConnector(XMLObject):
...
@@ -136,6 +142,7 @@ class FTPConnector(XMLObject):
finally
:
finally
:
conn
.
logout
()
conn
.
logout
()
security
.
declareProtected
(
Permissions
.
AccessContentsInformation
,
'removeDirectory'
)
def
removeDirectory
(
self
,
path
):
def
removeDirectory
(
self
,
path
):
"""Create a directory `path`, with file mode `mode`.
"""Create a directory `path`, with file mode `mode`.
...
...
product/ERP5/tests/testSecurity.py
View file @
6ab2ddf7
...
@@ -72,21 +72,19 @@ class TestSecurityMixin(ERP5TypeTestCase):
...
@@ -72,21 +72,19 @@ class TestSecurityMixin(ERP5TypeTestCase):
i.e. those who have a docstring but have no security declaration.
i.e. those who have a docstring but have no security declaration.
"""
"""
self
.
_prepareDocumentList
()
self
.
_prepareDocumentList
()
white
_method_id_list
=
[
'om_icons'
,]
allowed
_method_id_list
=
[
'om_icons'
,]
app
=
self
.
portal
.
aq_parent
app
=
self
.
portal
.
aq_parent
meta_type_
dict
=
{}
meta_type_
set
=
set
([
None
])
error_
dict
=
{}
error_
set
=
set
()
for
idx
,
obj
in
app
.
ZopeFind
(
app
,
search_sub
=
1
):
for
_
,
obj
in
app
.
ZopeFind
(
app
,
search_sub
=
1
):
meta_type
=
getattr
(
obj
,
'meta_type'
,
None
)
meta_type
=
getattr
(
obj
,
'meta_type'
,
None
)
if
meta_type
i
s
None
:
if
meta_type
i
n
meta_type_set
:
continue
continue
if
meta_type
in
meta_type_dict
:
meta_type_set
.
add
(
meta_type
)
continue
meta_type_dict
[
meta_type
]
=
True
if
'__roles__'
in
obj
.
__class__
.
__dict__
:
if
'__roles__'
in
obj
.
__class__
.
__dict__
:
continue
continue
for
method_id
in
dir
(
obj
):
for
method_id
in
dir
(
obj
):
if
method_id
.
startswith
(
'_'
)
or
method_id
in
white
_method_id_list
or
not
callable
(
getattr
(
obj
,
method_id
,
None
)):
if
method_id
.
startswith
(
'_'
)
or
method_id
in
allowed
_method_id_list
or
not
callable
(
getattr
(
obj
,
method_id
,
None
)):
continue
continue
method
=
getattr
(
obj
,
method_id
)
method
=
getattr
(
obj
,
method_id
)
if
isinstance
(
method
,
MethodType
)
and
\
if
isinstance
(
method
,
MethodType
)
and
\
...
@@ -96,16 +94,19 @@ class TestSecurityMixin(ERP5TypeTestCase):
...
@@ -96,16 +94,19 @@ class TestSecurityMixin(ERP5TypeTestCase):
method
.
__module__
:
method
.
__module__
:
if
method
.
__module__
==
'Products.ERP5Type.Accessor.WorkflowState'
and
method
.
func_code
.
co_name
==
'serialize'
:
if
method
.
__module__
==
'Products.ERP5Type.Accessor.WorkflowState'
and
method
.
func_code
.
co_name
==
'serialize'
:
continue
continue
func_code
=
method
.
func_code
func_code
=
method
.
__code__
error_dict
[(
func_code
.
co_filename
,
func_code
.
co_firstlineno
,
method_id
)]
=
True
error_set
.
add
((
func_code
.
co_filename
,
func_code
.
co_firstlineno
,
method_id
))
error_list
=
error_dict
.
keys
()
if
os
.
environ
.
get
(
'erp5_debug_mode'
,
None
):
error_list
=
[]
pass
for
filename
,
lineno
,
method_id
in
sorted
(
error_set
):
# ignore security problems with non ERP5 documents, unless running in debug mode.
if
os
.
environ
.
get
(
'erp5_debug_mode'
)
or
'/erp5/'
in
filename
or
'<portal_components'
in
filename
:
error_list
.
append
(
'%s:%s %s'
%
(
filename
,
lineno
,
method_id
))
else
:
else
:
error_list
=
filter
(
lambda
x
:
'/erp5/'
in
x
[
0
],
error_list
)
print
(
'Ignoring missing security definition for %s in %s:%s '
%
(
method_id
,
filename
,
lineno
)
)
if
error_list
:
if
error_list
:
message
=
'
\
n
The following %s methods have a docstring but have no security assertions.
\
n
\
t
%s'
\
message
=
'
\
n
The following %s methods have a docstring but have no security assertions.
\
n
\
t
%s'
\
%
(
len
(
error_list
),
'
\
n
\
t
'
.
join
(
[
'%s:%s %s'
%
x
for
x
in
sorted
(
error_list
)]
))
%
(
len
(
error_list
),
'
\
n
\
t
'
.
join
(
error_list
))
self
.
fail
(
message
)
self
.
fail
(
message
)
def
test_workflow_transition_protection
(
self
):
def
test_workflow_transition_protection
(
self
):
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment