User do not have access to portal_secure_payment.

Only handle relative_url to do get unauthorized.

master/bt5/slapos_payzen/SkinTemplateItem/portal_skins/slapos_payzen/Base_getPayzenServiceRelativeUrl.xml

+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>Script_magic</string> </key>
+            <value> <int>3</int> </value>
+        </item>
+        <item>
+            <key> <string>_bind_names</string> </key>
+            <value>
+              <object>
+                <klass>
+                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
+                </klass>
+                <tuple/>
+                <state>
+                  <dictionary>
+                    <item>
+                        <key> <string>_asgns</string> </key>
+                        <value>
+                          <dictionary>
+                            <item>
+                                <key> <string>name_container</string> </key>
+                                <value> <string>container</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_context</string> </key>
+                                <value> <string>context</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_m_self</string> </key>
+                                <value> <string>script</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_subpath</string> </key>
+                                <value> <string>traverse_subpath</string> </value>
+                            </item>
+                          </dictionary>
+                        </value>
+                    </item>
+                  </dictionary>
+                </state>
+              </object>
+            </value>
+        </item>
+        <item>
+            <key> <string>_body</string> </key>
+            <value> <string>from zExceptions import Unauthorized\n
+if REQUEST is not None:\n
+  raise Unauthorized\n
+\n
+portal = context.getPortalObject()\n
+payment_service = portal.portal_secure_payments.find(\n
+  service_reference=portal.portal_preferences.getPreferredPayzenPaymentServiceReference())\n
+\n
+return payment_service.getRelativeUrl()\n
+</string> </value>
+        </item>
+        <item>
+            <key> <string>_params</string> </key>
+            <value> <string>REQUEST=None, **kw</string> </value>
+        </item>
+        <item>
+            <key> <string>_proxy_roles</string> </key>
+            <value>
+              <tuple>
+                <string>Manager</string>
+              </tuple>
+            </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>Base_getPayzenServiceRelativeUrl</string> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>

master/bt5/slapos_payzen/SkinTemplateItem/portal_skins/slapos_payzen/PaymentTransaction_createPayzenEvent.xml

@@ -55,12 +55,10 @@ if REQUEST is not None:\n
   raise Unauthorized\n
 \n
 portal = context.getPortalObject()\n
-payment_service = portal.portal_secure_payments.find(\n
-  service_reference=portal.portal_preferences.getPreferredPayzenPaymentServiceReference())\n
 \n
 kw.update({\n
   \'portal_type\': \'Payzen Event\',\n
-  \'source_value\': payment_service,\n
+  \'source\': portal.Base_getPayzenServiceRelativeUrl(),\n
   \'destination_value\': context,\n
 })\n
 \n

master/bt5/slapos_payzen/TestTemplateItem/testSlapOSPayzenSkins.py

@@ -573,3 +573,17 @@ class TestSlapOSPayzenEvent_processUpdate(testSlapOSMixin):
         event.workflow_history['system_event_workflow'][-1]['comment'])
 
 
+class TestSlapOSPayzenBase_getPayzenServiceRelativeUrl(testSlapOSMixin):
+
+  def beforeTearDown(self):
+    transaction.abort()
+
+  def test_getPayzenServiceRelativeUrl_REQUEST_disallowed(self):
+    self.assertRaises(
+      Unauthorized,
+      self.portal.Base_getPayzenServiceRelativeUrl,
+      REQUEST={})
+
+  def test_getPayzenServiceRelativeUrl_REQUEST_disallowed(self):
+    result = self.portal.Base_getPayzenServiceRelativeUrl()
+    self.assertEquals(result, 'portal_secure_payments/slapos_payzen_test')

master/bt5/slapos_payzen/bt/revision

-95
\ No newline at end of file
+96
\ No newline at end of file