Commit f1c21aca authored by Rafael Monnerat's avatar Rafael Monnerat

slapos_accounting: Use dedicated script with proxy role to start payment

   Since the accounting workflow introduced a Guard on the start transition, the Assignee
   or Assignor role is required to change the state (before, Modify Portal content was enough).

   The script is invoked as the Shadow user, and since the destination section is set, the User
   automatically becomes Auditor (rather than Assignee), so it would imply a deeper
   change to relax security for the shadow user (not shadow person) just to invoke start.
   Not to mention the HUGE security update that would have to be done.

   Using a Manager proxy role is not ideal, but it doesn't introduce a security issue while
   solving the problem until a deeper review of the roles for Shadow users takes place.
parent 66be53cd
...@@ -31,10 +31,10 @@ current_payment = portal.accounting_module.newContent( ...@@ -31,10 +31,10 @@ current_payment = portal.accounting_module.newContent(
portal_type="Payment Transaction", portal_type="Payment Transaction",
causality=current_invoice.getRelativeUrl(), causality=current_invoice.getRelativeUrl(),
source_section=current_invoice.getSourceSection(), source_section=current_invoice.getSourceSection(),
destination_section=current_invoice.getDestinationSection(),
resource=current_invoice.getResource(), resource=current_invoice.getResource(),
price_currency=current_invoice.getResource(), price_currency=current_invoice.getResource(),
specialise=current_invoice.getSpecialise(), specialise=current_invoice.getSpecialise(),
destination_section=current_invoice.getDestinationSection(),
payment_mode=current_invoice.getPaymentMode(), payment_mode=current_invoice.getPaymentMode(),
start_date=current_invoice.getStartDate(), start_date=current_invoice.getStartDate(),
stop_date=current_invoice.getStopDate(), stop_date=current_invoice.getStopDate(),
...@@ -66,12 +66,8 @@ comment = translateString("Initialised by Entity_createPaymentTransaction.") ...@@ -66,12 +66,8 @@ comment = translateString("Initialised by Entity_createPaymentTransaction.")
payment_tag ="sale_invoice_transaction_create_payment_%s" % current_invoice.getUid() payment_tag ="sale_invoice_transaction_create_payment_%s" % current_invoice.getUid()
current_payment.activate(tag=payment_tag).immediateReindexObject() current_payment.activate(tag=payment_tag).immediateReindexObject()
# Call script rather them call confirm(), since it would set security and fail whenever
# start is called.
current_payment.AccountingTransaction_setReference()
comment = translateString("Initialised by Entity_createPaymentTransaction.") comment = translateString("Initialised by Entity_createPaymentTransaction.")
current_payment.start(comment=comment) current_payment.PaymentTransaction_start(comment=comment)
# Set a flag on the request for prevent 2 calls on the same transaction # Set a flag on the request for prevent 2 calls on the same transaction
context.REQUEST.set(payment_tag, 1) context.REQUEST.set(payment_tag, 1)
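Review bot: The `current_payment.PaymentTransaction_start(comment=comment)` call has no comment saying why a wrapper script is used instead of `start()`, and the comment that used to explain the workaround appears to be removed in the same hunk. A one-line comment above the call would keep the reasoning from the commit message next to the code, for example `# start() is guarded (Assignee/Assignor) and the shadow user is only Auditor, so go through the Manager-proxy script.` The explicit `AccountingTransaction_setReference()` call also disappears; presumably `confirm()` inside the new script sets the reference now, which is worth confirming because the removed comment says `confirm()` was avoided on purpose. The enclosing script starts and ends outside the hunk.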
......
from zExceptions import Unauthorized
if REQUEST is not None:
raise Unauthorized
if context.getPortalType() != "Payment Transaction":
raise Unauthorized
context.confirm(comment=comment)
context.start(comment=comment)
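Review bot: The Manager proxy role declared for this script applies to everything `context.confirm()` and `context.start()` trigger, not only to the guarded start transition, and nothing in the body records that. The two checks reject calls published through a URL (`REQUEST is not None`) and contexts that are not a Payment Transaction, but they do not limit which restricted code may call the script with `REQUEST=None`, nor check the state the document is in. A header comment should state the intended caller and the reason for the elevation, for example `# Manager proxy role: called only from the payment creation script as shadow user, because the start guard requires Assignee/Assignor.` The commit message describes this as temporary, so the same comment should mention the planned review of the Shadow user roles so the proxy role gets revisited.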
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>Script_magic</string> </key>
<value> <int>3</int> </value>
</item>
<item>
<key> <string>_bind_names</string> </key>
<value>
<object>
<klass>
<global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
</klass>
<tuple/>
<state>
<dictionary>
<item>
<key> <string>_asgns</string> </key>
<value>
<dictionary>
<item>
<key> <string>name_container</string> </key>
<value> <string>container</string> </value>
</item>
<item>
<key> <string>name_context</string> </key>
<value> <string>context</string> </value>
</item>
<item>
<key> <string>name_m_self</string> </key>
<value> <string>script</string> </value>
</item>
<item>
<key> <string>name_subpath</string> </key>
<value> <string>traverse_subpath</string> </value>
</item>
</dictionary>
</value>
</item>
</dictionary>
</state>
</object>
</value>
</item>
<item>
<key> <string>_params</string> </key>
<value> <string>comment="", REQUEST=None</string> </value>
</item>
<item>
<key> <string>_proxy_roles</string> </key>
<value>
<tuple>
<string>Manager</string>
</tuple>
</value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>PaymentTransaction_start</string> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
...@@ -816,3 +816,32 @@ class TestSlapOSAccounting(SlapOSTestCaseMixin): ...@@ -816,3 +816,32 @@ class TestSlapOSAccounting(SlapOSTestCaseMixin):
self.assertIn('account_module/receivable', self.assertIn('account_module/receivable',
[i.getRelativeUrl() for i in account_list]) [i.getRelativeUrl() for i in account_list])
def test_PaymentTransaction_start(self):
sale_invoice_transaction = self.portal.accounting_module.newContent(
portal_type="Sale Invoice Transaction",
start_date=DateTime()
)
payment_transaction = self.portal.accounting_module.newContent(
portal_type="Payment Transaction",
start_date=DateTime()
)
self.assertRaises(Unauthorized,
payment_transaction.PaymentTransaction_start,
REQUEST=self.portal.REQUEST)
self.assertRaises(Unauthorized,
sale_invoice_transaction.PaymentTransaction_start,
REQUEST=self.portal.REQUEST)
self.assertRaises(Unauthorized,
sale_invoice_transaction.PaymentTransaction_start,
REQUEST=None)
payment_transaction.PaymentTransaction_start()
self.assertEqual("started",
payment_transaction.getSimulationState())
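Review bot: The success path `payment_transaction.PaymentTransaction_start()` runs as whatever user the test case is logged in as, which is not visible in this hunk; if that user already holds a role that passes the start guard, the test does not show that the proxy role is what makes the call work. The purpose of the commit is to let the shadow user start the payment, so the final call and the `"started"` assertion would be more convincing when executed after logging in as such a user. Since the caller no longer invokes `AccountingTransaction_setReference()` itself, an assertion that the started payment has a reference would also cover that regression. The test class begins outside the hunk.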