slapos_erp5: Fix user security for Software/Slave Instance/Installation on shared context

Once the Computer/Hosting Subscription is transferred using Internal Packing List, the associated installation and instance should acquire security from the respective context.

master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Slave%20Instance.xml

@@ -23,6 +23,18 @@
    <multi_property id='categories'>local_role_group/subscription</multi_property>
    <multi_property id='base_category'>specialise</multi_property>
   </role>
+  <role id='Assignee'>
+   <property id='title'>Organisation Member</property>
+   <property id='base_category_script'>Instance_getSecurityCategoryFromMovementSpecialiseDestination</property>
+   <multi_property id='categories'>local_role_group/organisation</multi_property>
+   <multi_property id='base_category'>destination</multi_property>
+  </role>
+  <role id='Assignee'>
+   <property id='title'>Project Member</property>
+   <property id='base_category_script'>Instance_getSecurityCategoryFromMovementSpecialiseDestinationProject</property>
+   <multi_property id='categories'>local_role_group/project</multi_property>
+   <multi_property id='base_category'>destination_project</multi_property>
+  </role>
   <role id='Assignor'>
    <property id='title'>Software Instance which provides this Slave Instance</property>
    <property id='base_category_script'>SlaveInstanceType_getSecurityCategoryFromSoftwareInstance</property>

master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Software%20Instance.xml

@@ -23,4 +23,16 @@
    <multi_property id='categories'>local_role_group/subscription</multi_property>
    <multi_property id='base_category'>specialise</multi_property>
   </role>
+  <role id='Assignee'>
+   <property id='title'>Organisation Member</property>
+   <property id='base_category_script'>Instance_getSecurityCategoryFromMovementSpecialiseDestination</property>
+   <multi_property id='categories'>local_role_group/organisation</multi_property>
+   <multi_property id='base_category'>destination</multi_property>
+  </role>
+  <role id='Assignee'>
+   <property id='title'>Project Member</property>
+   <property id='base_category_script'>Instance_getSecurityCategoryFromMovementSpecialiseDestinationProject</property>
+   <multi_property id='categories'>local_role_group/project</multi_property>
+   <multi_property id='base_category'>destination_project</multi_property>
+  </role>
 </type_roles>
\ No newline at end of file

master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Instance_getSecurityCategoryFromMovementSpecialiseDestination.py

+"""
+This script returns a list of dictionaries which represent
+the security groups which a person is member of. It extracts
+the categories from the current content. It is useful in the
+following cases:
+
+- calculate a security group based on a given
+  category of the current object (ex. group). This
+  is used for example in ERP5 DMS to calculate
+  document security.
+
+- assign local roles to a document based on
+  the person which the object related to through
+  a given base category (ex. destination). This
+  is used for example in ERP5 Project to calculate
+  Task / Task Report security.
+
+The parameters are
+
+  base_category_list -- list of category values we need to retrieve
+  user_name          -- string obtained from getSecurityManager().getUser().getId()
+  object             -- object which we want to assign roles to
+  portal_type        -- portal type of object
+
+NOTE: for now, this script requires proxy manager
+"""
+
+category_list = []
+
+if obj is None:
+  return []
+
+
+specialise_value = obj.getSpecialiseValue()
+if specialise_value is None:
+  return []
+
+# Object on this case can be Hosting Subscription, Computer, or Computer Network
+organisation = specialise_value.Item_getCurrentOwnerValue()
+if organisation is not None and \
+  organisation.getPortalType() == "Organisation":
+  category_list.append({'destination': [organisation.getRelativeUrl()]})
+
+return category_list

master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Instance_getSecurityCategoryFromMovementSpecialiseDestination.xml

+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>Script_magic</string> </key>
+            <value> <int>3</int> </value>
+        </item>
+        <item>
+            <key> <string>_bind_names</string> </key>
+            <value>
+              <object>
+                <klass>
+                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
+                </klass>
+                <tuple/>
+                <state>
+                  <dictionary>
+                    <item>
+                        <key> <string>_asgns</string> </key>
+                        <value>
+                          <dictionary>
+                            <item>
+                                <key> <string>name_container</string> </key>
+                                <value> <string>container</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_context</string> </key>
+                                <value> <string>context</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_m_self</string> </key>
+                                <value> <string>script</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_subpath</string> </key>
+                                <value> <string>traverse_subpath</string> </value>
+                            </item>
+                          </dictionary>
+                        </value>
+                    </item>
+                  </dictionary>
+                </state>
+              </object>
+            </value>
+        </item>
+        <item>
+            <key> <string>_params</string> </key>
+            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
+        </item>
+        <item>
+            <key> <string>_proxy_roles</string> </key>
+            <value>
+              <tuple>
+                <string>Manager</string>
+              </tuple>
+            </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>Instance_getSecurityCategoryFromMovementSpecialiseDestination</string> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>

master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Instance_getSecurityCategoryFromMovementSpecialiseDestinationProject.py

+"""
+This script returns a list of dictionaries which represent
+the security groups which a person is member of. It extracts
+the categories from the current content. It is useful in the
+following cases:
+
+- calculate a security group based on a given
+  category of the current object (ex. group). This
+  is used for example in ERP5 DMS to calculate
+  document security.
+
+- assign local roles to a document based on
+  the person which the object related to through
+  a given base category (ex. destination). This
+  is used for example in ERP5 Project to calculate
+  Task / Task Report security.
+
+The parameters are
+
+  base_category_list -- list of category values we need to retrieve
+  user_name          -- string obtained from getSecurityManager().getUser().getId()
+  object             -- object which we want to assign roles to
+  portal_type        -- portal type of object
+
+NOTE: for now, this script requires proxy manager
+"""
+
+category_list = []
+
+if obj is None:
+  return []
+
+specialise_value = obj.getSpecialiseValue()
+if specialise_value is None:
+  return []
+
+# Object on this case can be Hosting Subscription, Computer, or Computer Network
+project = specialise_value.Item_getCurrentProjectValue()
+if project is not None:
+  category_list.append({'destination_project': [project.getRelativeUrl()]})
+
+return category_list

master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/Instance_getSecurityCategoryFromMovementSpecialiseDestinationProject.xml

+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>Script_magic</string> </key>
+            <value> <int>3</int> </value>
+        </item>
+        <item>
+            <key> <string>_bind_names</string> </key>
+            <value>
+              <object>
+                <klass>
+                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
+                </klass>
+                <tuple/>
+                <state>
+                  <dictionary>
+                    <item>
+                        <key> <string>_asgns</string> </key>
+                        <value>
+                          <dictionary>
+                            <item>
+                                <key> <string>name_container</string> </key>
+                                <value> <string>container</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_context</string> </key>
+                                <value> <string>context</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_m_self</string> </key>
+                                <value> <string>script</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_subpath</string> </key>
+                                <value> <string>traverse_subpath</string> </value>
+                            </item>
+                          </dictionary>
+                        </value>
+                    </item>
+                  </dictionary>
+                </state>
+              </object>
+            </value>
+        </item>
+        <item>
+            <key> <string>_params</string> </key>
+            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
+        </item>
+        <item>
+            <key> <string>_proxy_roles</string> </key>
+            <value>
+              <tuple>
+                <string>Manager</string>
+              </tuple>
+            </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>Instance_getSecurityCategoryFromMovementSpecialiseDestinationProject</string> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>

master/bt5/slapos_erp5/TestTemplateItem/portal_components/test.erp5.testSlapOSERP5LocalPermissionSlapOSInteractionWorkflow.py

-# Copyright (c) 2002-2012 Nexedi SA and Contributors. All Rights Reserved.
+# -*- coding: utf-8 -*-
+##############################################################################
+#
+# Copyright (c) 2012 Nexedi SA and Contributors. All Rights Reserved.
+#
+# This program is Free Software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+#
+##############################################################################
 from erp5.component.test.testSlapOSERP5GroupRoleSecurity import TestSlapOSGroupRoleSecurityMixin
+from DateTime import DateTime
 
 class TestSlapOSLocalPermissionSlapOSInteractionWorkflow(
     TestSlapOSGroupRoleSecurityMixin):
@@ -295,17 +315,33 @@ class TestSlapOSLocalPermissionSlapOSInteractionWorkflow(
 
   def test_PayzenEvent_setDestinationSection(self):
     self._makePerson()
-    payment_transaction = self.portal.system_event_module.newContent(
+    event = self.portal.system_event_module.newContent(
         portal_type='Payzen Event')
-    self.assertSecurityGroup(payment_transaction, [self.user_id,
+    self.assertSecurityGroup(event, [self.user_id,
         'G-COMPANY'],
         False)
 
-    payment_transaction.edit(
+    event.edit(
         destination_section=self.person_user.getRelativeUrl())
     self.commit()
 
-    self.assertSecurityGroup(payment_transaction, [self.user_id,
+    self.assertSecurityGroup(event, [self.user_id,
+        'G-COMPANY', 'SHADOW-%s' % self.person_user.getUserId()],
+        False)
+
+  def test_WechatEvent_setDestinationSection(self):
+    self._makePerson()
+    event = self.portal.system_event_module.newContent(
+        portal_type='Payzen Event')
+    self.assertSecurityGroup(event, [self.user_id,
+        'G-COMPANY'],
+        False)
+
+    event.edit(
+        destination_section=self.person_user.getRelativeUrl())
+    self.commit()
+
+    self.assertSecurityGroup(event, [self.user_id,
         'G-COMPANY', 'SHADOW-%s' % self.person_user.getUserId()],
         False)
 
@@ -641,3 +677,165 @@ class TestSlapOSLocalPermissionSlapOSInteractionWorkflow(
 
     self.assertSecurityGroup(sale_packing_list, ['G-COMPANY', self.user_id,
         self.person_user_id], False)
+
+
+  def test_RestrictedAccessToken_setAgent(self):
+    self._makePerson()
+    token = self.portal.access_token_module.newContent(
+        portal_type='Restricted Access Token')
+
+    self.assertSecurityGroup(token, [self.user_id,
+        'G-COMPANY'],
+        False)
+
+    token.edit(
+        agent=self.person_user.getRelativeUrl())
+    self.commit()
+
+    self.assertSecurityGroup(token, [self.user_id,
+        'G-COMPANY', self.person_user.getUserId()],
+        False)
+
+
+  def test_InternalPackingListLine_setAggregate_hosting_subscription(self):
+    self._makePerson()
+    
+    project = self.portal.project_module.newContent(
+      portal_type="Project",
+    )
+
+    hosting_subscription = self.portal.hosting_subscription_module.newContent(
+        portal_type='Hosting Subscription',
+        reference='TESTHS-%s' % self.generateNewId())
+    
+    internal_packing_list = self.portal.internal_packing_list_module.newContent(
+        portal_type='Internal Packing List')
+
+    internal_packing_list_line = internal_packing_list.newContent(
+        portal_type='Internal Packing List Line')
+
+    internal_packing_list.edit(source_value=self.person_user,
+                               source_section_value=self.person_user,
+                             source_project_value=project,
+                             destination=self.person_user.getRelativeUrl(),
+                             destination_section=self.person_user.getRelativeUrl(),
+                             source_decision=self.person_user.getRelativeUrl(),
+                             destination_decision=self.person_user.getRelativeUrl(),
+                             destination_project_value=project,
+                             start_date=DateTime()-1,
+                             stop_date=DateTime()-1)
+
+    internal_packing_list.confirm()
+    internal_packing_list.stop()
+    internal_packing_list.deliver()
+
+    software_instance = self.portal.software_instance_module.newContent(
+        portal_type='Software Instance')
+    software_instance.edit(specialise=hosting_subscription.getRelativeUrl())
+
+    slave_instance = self.portal.software_instance_module.newContent(
+        portal_type='Slave Instance')
+    slave_instance.edit(specialise=hosting_subscription.getRelativeUrl())
+    self.tic()
+
+    self.assertSecurityGroup(internal_packing_list, [self.user_id,],
+        False)
+
+    self.assertSecurityGroup(hosting_subscription, [self.user_id, 'G-COMPANY', 
+        hosting_subscription.getReference()],
+        False)
+
+    self.assertSecurityGroup(software_instance, [self.user_id, 'G-COMPANY',
+        hosting_subscription.getReference()], False)
+
+    self.assertSecurityGroup(slave_instance, [self.user_id, 'G-COMPANY',
+        hosting_subscription.getReference()], False)
+
+    internal_packing_list_line.edit(
+        #quantity_unit="unit",
+        resource_value=self.portal.product_module.computer,
+        price=0.0,
+        quantity=1.0,
+        aggregate_value=hosting_subscription)
+    self.tic()
+
+    self.assertSecurityGroup(internal_packing_list, [self.user_id,],
+        False)
+
+    self.assertSecurityGroup(hosting_subscription, [self.user_id, 'G-COMPANY', 
+        project.getReference(),
+        hosting_subscription.getReference()],
+        False)
+
+    self.assertSecurityGroup(software_instance, [self.user_id, 'G-COMPANY',
+        project.getReference(),
+        hosting_subscription.getReference()], False)
+
+    self.assertSecurityGroup(slave_instance, [self.user_id, 'G-COMPANY',
+        project.getReference(),
+        hosting_subscription.getReference()], False)
+
+  def test_InternalPackingListLine_setAggregate_computer(self):
+    self._makePerson()
+    
+    project = self.portal.project_module.newContent(
+      portal_type="Project",
+    )
+    
+    computer = self.portal.computer_module.newContent(
+        portal_type='Computer',
+        reference='TESTCOMP-%s' % self.generateNewId())
+    
+    internal_packing_list = self.portal.internal_packing_list_module.newContent(
+        portal_type='Internal Packing List')
+
+    internal_packing_list_line = internal_packing_list.newContent(
+        portal_type='Internal Packing List Line')
+
+    internal_packing_list.edit(source_value=self.person_user,
+                               source_section_value=self.person_user,
+                             source_project_value=project,
+                             destination=self.person_user.getRelativeUrl(),
+                             destination_section=self.person_user.getRelativeUrl(),
+                             source_decision=self.person_user.getRelativeUrl(),
+                             destination_decision=self.person_user.getRelativeUrl(),
+                             destination_project_value=project,
+                             start_date=DateTime()-1,
+                             stop_date=DateTime()-1)
+
+    internal_packing_list.confirm()
+    internal_packing_list.stop()
+    internal_packing_list.deliver()
+
+    installation = self.portal.software_installation_module.newContent(
+        portal_type='Software Installation')
+    installation.edit(aggregate=computer.getRelativeUrl())
+    self.tic()
+
+    self.assertSecurityGroup(internal_packing_list, [self.user_id,],
+        False)
+
+    self.assertSecurityGroup(computer, [self.user_id, 'G-COMPANY',
+        computer.getUserId()],
+        False)
+    
+    self.assertSecurityGroup(installation, [self.user_id, 'G-COMPANY',
+        computer.getUserId()], False)
+
+    internal_packing_list_line.edit(
+        #quantity_unit="unit",
+        resource_value=self.portal.product_module.computer,
+        price=0.0,
+        quantity=1.0,
+        aggregate_value=computer)
+    self.tic()
+
+    self.assertSecurityGroup(internal_packing_list, [self.user_id,],
+        False)
+
+    self.assertSecurityGroup(computer, [self.user_id, 'G-COMPANY',
+        project.getReference(), computer.getUserId()],
+        False)
+
+    self.assertSecurityGroup(installation, [self.user_id, 'G-COMPANY',
+        project.getReference(), computer.getUserId()], False)

master/bt5/slapos_erp5/TestTemplateItem/portal_components/test.erp5.testSlapOSERP5LocalPermissionSlapOSInteractionWorkflow.xml

@@ -117,6 +117,7 @@
             </item>
           </dictionary>
         </list>
+        <none/>
       </tuple>
     </pickle>
   </record>

master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/scripts/InternalPackingListLine_updateAggregateLocalRoles.py

 portal_type_list = ['Computer', 'Computer Network', 'Hosting Subscription']
 internal_packing_list_line = state_change['object']
 after_tag = (internal_packing_list_line.getPath(), ('immediateReindexObject', 'recursiveImmediateReindexObject'))
+internal_packing_list_line.getParentValue().reindexObject()
 for object_ in internal_packing_list_line.getAggregateValueList(portal_type=portal_type_list):
   object_.activate(after_path_and_method_id=after_tag).updateLocalRolesOnSecurityGroups()
+  if object_.getPortalType() == "Computer":
+    for software_installation in object_.getAggregateRelatedValueList(portal_type="Software Installation"):
+      software_installation.activate(after_path_and_method_id=after_tag).updateLocalRolesOnSecurityGroups()
+    
+  elif object_.getPortalType() == "Hosting Subscription":
+    for instance in object_.getSpecialiseRelatedValueList(portal_type=["Software instance", "Slave Instance"]):
+      instance.activate(after_path_and_method_id=after_tag).updateLocalRolesOnSecurityGroups()