Prevent calling HostingSubscription_requestUpdateOpenSaleOrder in URL.

master/bt5/slapos_accounting/SkinTemplateItem/portal_skins/slapos_accounting/HostingSubscription_requestUpdateOpenSaleOrder.xml

@@ -50,7 +50,11 @@
         </item>
         <item>
             <key> <string>_body</string> </key>
-            <value> <string>if context.getCausalityState() != \'diverged\':\n
+            <value> <string>from zExceptions import Unauthorized\n
+if REQUEST is not None:\n
+  raise Unauthorized\n
+\n
+if context.getCausalityState() != \'diverged\':\n
   return\n
 person = context.getDestinationSectionValue()\n
 if person is not None:\n
@@ -60,7 +64,7 @@ context.converge()\n
         </item>
         <item>
             <key> <string>_params</string> </key>
-            <value> <string></string> </value>
+            <value> <string>REQUEST=None</string> </value>
         </item>
         <item>
             <key> <string>id</string> </key>

master/bt5/slapos_accounting/TestTemplateItem/testSlapOSAccountingAlarm.py

@@ -14,6 +14,7 @@ import os
 import tempfile
 from DateTime import DateTime
 from Products.ERP5Type.DateUtils import addToDate
+from zExceptions import Unauthorized
 
 class Simulator:
   def __init__(self, outfile, method, to_return=None):
@@ -748,6 +749,14 @@ class TestOpenSaleOrderAlarm(testSlapOSMixin):
         subscription.workflow_history['edit_workflow'][-1]['comment'])
 
 class TestHostingSubscription_requestUpdateOpenSaleOrder(testSlapOSMixin):
+  def test_REQUEST_disallowed(self):
+    subscription = self.portal.hosting_subscription_module\
+        .template_hosting_subscription.Base_createCloneDocument(batch_mode=1)
+    self.assertRaises(
+      Unauthorized,
+      subscription.HostingSubscription_requestUpdateOpenSaleOrder,
+      REQUEST={})
+
   def test_empty_HostingSubscription(self):
     person = self.portal.person_module.template_member\
         .Base_createCloneDocument(batch_mode=1)

master/bt5/slapos_accounting/bt/revision

-205
+206
\ No newline at end of file