slapos_erp5: fixup Payment Transaction security

master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Payment%20Transaction.xml

 <type_roles>
   <role id='Assignee'>
    <property id='title'>Person Shadow</property>
-   <property id='condition'>python: here.getDestinationSection('', portal_type='Person') == ""</property>
+   <property id='condition'>python: (here.getDestinationSection('', portal_type='Person') == "") and (here.getLedger("") == "automated")</property>
    <multi_property id='categories'>local_role_group/shadow</multi_property>
    <multi_property id='category'>role/shadow/person</multi_property>
    <multi_property id='base_category'>role</multi_property>
@@ -10,12 +10,12 @@
    <property id='title'>ReadOnly for Accountant</property>
    <property id='condition'>python: context.getLedger("") == "automated"</property>
    <multi_property id='categories'>local_role_group/function</multi_property>
-   <multi_property id='category'>function/accounting</multi_property>
+   <multi_property id='category'>function/accounting*</multi_property>
    <multi_property id='base_category'>function</multi_property>
   </role>
   <role id='Auditor'>
    <property id='title'>Shadow User</property>
-   <property id='condition'>python: here.getDestinationSection('', portal_type='Person') != ''</property>
+   <property id='condition'>python: (here.getDestinationSection('', portal_type='Person') != "") and (here.getLedger("") == "automated")</property>
    <property id='base_category_script'>PaymentTransaction_getSecurityCategoryFromUser</property>
    <multi_property id='categories'>local_role_group/shadow</multi_property>
    <multi_property id='base_category'>aggregate</multi_property>
@@ -27,11 +27,18 @@
    <multi_property id='categories'>local_role_group/user</multi_property>
    <multi_property id='base_category'>destination_section</multi_property>
   </role>
+  <role id='Assignee'>
+   <property id='title'>Writable for Accountant Agent</property>
+   <property id='condition'>python: context.getLedger("") != "automated"</property>
+   <multi_property id='categories'>local_role_group/function</multi_property>
+   <multi_property id='category'>function/accounting/agent</multi_property>
+   <multi_property id='base_category'>function</multi_property>
+  </role>
   <role id='Assignor'>
-   <property id='title'>Writable for Accountant</property>
+   <property id='title'>Writable for Accountant Manager</property>
    <property id='condition'>python: context.getLedger("") != "automated"</property>
    <multi_property id='categories'>local_role_group/function</multi_property>
-   <multi_property id='category'>function/accounting</multi_property>
+   <multi_property id='category'>function/accounting/manager</multi_property>
    <multi_property id='base_category'>function</multi_property>
   </role>
 </type_roles>
\ No newline at end of file

master/bt5/slapos_erp5/TestTemplateItem/portal_components/test.erp5.testSlapOSERP5GroupRoleSecurity.py

@@ -1336,16 +1336,28 @@ class TestBalanceTransaction(TestSlapOSGroupRoleSecurityMixin):
     self.assertRoles(product, self.user_id, ['Owner'])
 
 class TestPaymentTransaction(TestSlapOSGroupRoleSecurityMixin):
-  def test_GroupCompany(self):
+  def test_AccountingFunction_LedgerNotAutomated(self):
     product = self.portal.accounting_module.newContent(
         portal_type='Payment Transaction')
     product.updateLocalRolesOnSecurityGroups()
     self.assertSecurityGroup(product,
-        ['G-COMPANY', self.user_id, 'R-SHADOW-PERSON'], False)
-    self.assertRoles(product, 'G-COMPANY', ['Assignor'])
+        ['F-ACCMAN', 'F-ACCAGT', self.user_id], False)
+    self.assertRoles(product, 'F-ACCMAN', ['Assignor'])
+    self.assertRoles(product, 'F-ACCAGT', ['Assignee'])
     self.assertRoles(product, self.user_id, ['Owner'])
 
-  def test_ShadowUser(self):
+  def test_AccountingFunction_LedgerAutomated(self):
+    product = self.portal.accounting_module.newContent(
+        portal_type='Payment Transaction')
+    product.edit(ledger='automated')
+    product.updateLocalRolesOnSecurityGroups()
+    self.assertSecurityGroup(product,
+        ['F-ACCOUNTING*', 'R-SHADOW-PERSON', self.user_id], False)
+    self.assertRoles(product, 'F-ACCOUNTING*', ['Auditor'])
+    self.assertRoles(product, 'R-SHADOW-PERSON', ['Assignee'])
+    self.assertRoles(product, self.user_id, ['Owner'])
+
+  def test_UserWithoutLedger(self):
     reference = 'TESTPERSON-%s' % self.generateNewId()
     person = self.portal.person_module.newContent(portal_type='Person',
         reference=reference)
@@ -1355,15 +1367,13 @@ class TestPaymentTransaction(TestSlapOSGroupRoleSecurityMixin):
         destination_section_value=person,
         )
     product.updateLocalRolesOnSecurityGroups()
-    shadow_user_id = 'SHADOW-%s' % person.getUserId()
     self.assertSecurityGroup(product,
-        ['F-IS*', self.user_id, person.getUserId(), shadow_user_id], False)
-    self.assertRoles(product, 'F-IS*', ['Assignor'])
-    self.assertRoles(product, shadow_user_id, ['Auditor'])
-    self.assertRoles(product, person.getUserId(), ['Auditor'])
+        ['F-ACCMAN', 'F-ACCAGT', self.user_id], False)
+    self.assertRoles(product, 'F-ACCMAN', ['Assignor'])
+    self.assertRoles(product, 'F-ACCAGT', ['Assignee'])
     self.assertRoles(product, self.user_id, ['Owner'])
 
-  def test_User(self):
+  def test_UserLedger(self):
     reference = 'TESTPERSON-%s' % self.generateNewId()
     person = self.portal.person_module.newContent(portal_type='Person',
         reference=reference)
@@ -1371,25 +1381,18 @@ class TestPaymentTransaction(TestSlapOSGroupRoleSecurityMixin):
         portal_type='Payment Transaction')
     product.edit(
         destination_section_value=person,
+        ledger='automated'
         )
     product.updateLocalRolesOnSecurityGroups()
     shadow_user_id = 'SHADOW-%s' % person.getUserId()
     self.assertSecurityGroup(product,
-        ['G-COMPANY', self.user_id, person.getUserId(),
+        ['F-ACCOUNTING*', self.user_id, person.getUserId(),
          shadow_user_id], False)
-    self.assertRoles(product, 'G-COMPANY', ['Assignor'])
+    self.assertRoles(product, 'F-ACCOUNTING*', ['Auditor'])
     self.assertRoles(product, shadow_user_id, ['Auditor'])
     self.assertRoles(product, person.getUserId(), ['Auditor'])
     self.assertRoles(product, self.user_id, ['Owner'])
 
-  def test_User_without_destination_section(self):
-    product = self.portal.accounting_module.newContent(
-        portal_type='Payment Transaction')
-    product.updateLocalRolesOnSecurityGroups()
-    self.assertSecurityGroup(product,
-        ['G-COMPANY', self.user_id, 'R-SHADOW-PERSON'], False)
-    self.assertRoles(product, 'G-COMPANY', ['Assignor'])
-    self.assertRoles(product, self.user_id, ['Owner'])
 
 class TestPurchaseInvoiceTransaction(TestSlapOSGroupRoleSecurityMixin):
   def test_AccountingFunction_LedgerNotAutomated(self):