From 40e29fa41d86a96877e23cc307a81a3141bff77d Mon Sep 17 00:00:00 2001
From: Rafael Monnerat <rafael@nexedi.com>
Date: Sat, 12 Dec 2020 17:55:48 +0000
Subject: [PATCH] slapos_erp5: Update Security on Organisation and Projects

  Move access control to assignment-based security
---
 .../Organisation.xml                          |  8 ++++++
 .../PortalTypeRolesTemplateItem/Project.xml   | 11 ++++----
 ...st.erp5.testSlapOSERP5GroupRoleSecurity.py | 26 +++++--------------
 3 files changed, 21 insertions(+), 24 deletions(-)

diff --git a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Organisation.xml b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Organisation.xml
index 821ff80fd..e8975992b 100644
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Organisation.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Organisation.xml
@@ -7,9 +7,17 @@
   </role>
   <role id='Auditor'>
    <property id='title'>Member</property>
+   <property id='description'>User can only see SlapOS company for invoice purposes.</property>
+   <property id='condition'>python: here.getGroup() == "company"</property>
    <multi_property id='category'>role/member</multi_property>
    <multi_property id='base_category'>role</multi_property>
   </role>
+  <role id='Assignee'>
+   <property id='title'>Organisation Member</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromSelf</property>
+   <multi_property id='categories'>local_role_group/organisation</multi_property>
+   <multi_property id='base_category'>destination</multi_property>
+  </role>
   <role id='Assignee'>
    <property id='title'>Person Owner</property>
    <property id='description'>XXXX Review this later</property>
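Review bot: The new `Organisation Member` Assignee role added at `<role id='Assignee'>` carries no `description`, while the `Auditor` role a few lines above gains one in the same hunk; since this role's security group is derived from the object itself (the updated test asserts `organisation.getReference()` as the group id), the description should state that dependency, e.g. `<property id='description'>Users whose assignment destination is this organisation get Assignee; relies on a unique, non-empty reference.</property>`. If `ERP5Type_getSecurityCategoryFromSelf` yields a group for an empty reference, every organisation without one would share that group, so a guard such as `<property id='condition'>python: here.getReference()</property>` is worth considering — the script is not visible here, so this is an assumption to confirm. The `Auditor` condition hard-codes the group id `"company"`; naming the `group/company` category it mirrors in the description would help the next maintainer. The enclosing `<type_roles>` element opens before this hunk.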
diff --git a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Project.xml b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Project.xml
index 821ff80fd..a31548b56 100644
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Project.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Project.xml
@@ -5,11 +5,6 @@
    <multi_property id='category'>group/company</multi_property>
    <multi_property id='base_category'>group</multi_property>
   </role>
-  <role id='Auditor'>
-   <property id='title'>Member</property>
-   <multi_property id='category'>role/member</multi_property>
-   <multi_property id='base_category'>role</multi_property>
-  </role>
   <role id='Assignee'>
    <property id='title'>Person Owner</property>
    <property id='description'>XXXX Review this later</property>
@@ -23,4 +18,10 @@
    <multi_property id='category'>role/shadow/person</multi_property>
    <multi_property id='base_category'>role</multi_property>
   </role>
+  <role id='Assignee'>
+   <property id='title'>Project Member</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromSelf</property>
+   <multi_property id='categories'>local_role_group/project</multi_property>
+   <multi_property id='base_category'>destination_project</multi_property>
+  </role>
 </type_roles>
\ No newline at end of file
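Review bot: The added `Project Member` Assignee role has no `description` property and, unlike the Organisation change in the same commit, keys the group on `destination_project` rather than `destination`, so a reader has to infer from the tests which assignment category confers access; I would add `<property id='description'>Users whose assignment destination_project is this project get Assignee (group id is the project reference).</property>`. As with Organisation, the group id presumably comes from the project's reference, so a missing or duplicated reference would grant the role to the wrong set of users; a `condition` on `here.getReference()` or a uniqueness check on references would close that gap. No test in this commit checks that a Person holding such an assignment actually receives Assignee — only the group id is asserted.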
diff --git a/master/bt5/slapos_erp5/TestTemplateItem/portal_components/test.erp5.testSlapOSERP5GroupRoleSecurity.py b/master/bt5/slapos_erp5/TestTemplateItem/portal_components/test.erp5.testSlapOSERP5GroupRoleSecurity.py
index c0452b1b0..77a040efc 100644
--- a/master/bt5/slapos_erp5/TestTemplateItem/portal_components/test.erp5.testSlapOSERP5GroupRoleSecurity.py
+++ b/master/bt5/slapos_erp5/TestTemplateItem/portal_components/test.erp5.testSlapOSERP5GroupRoleSecurity.py
@@ -371,8 +371,6 @@ class TestDrawing(TestSlapOSGroupRoleSecurityMixin):
     self.assertRoles(drawing, 'G-COMPANY', ['Assignor'])
     self.assertRoles(drawing, self.user_id, ['Owner'])
 
-  test_GroupCompany = test_SecurityForShacache
-
 class TestFile(TestSlapOSGroupRoleSecurityMixin):
   def test_SecurityForShacache(self):
     file_ = self.portal.document_module.newContent(portal_type='File')
@@ -387,8 +385,6 @@ class TestFile(TestSlapOSGroupRoleSecurityMixin):
     self.assertRoles(file_, 'G-COMPANY', ['Assignor'])
     self.assertRoles(file_, self.user_id, ['Owner'])
 
-  test_GroupCompany = test_SecurityForShacache
-
 class TestHostingSubscription(TestSlapOSGroupRoleSecurityMixin):
   def test_RelatedSoftwareInstanceGroup(self):
     reference = 'TESTHS-%s' % self.generateNewId()
@@ -445,8 +441,6 @@ class TestImage(TestSlapOSGroupRoleSecurityMixin):
     self.assertRoles(image, 'G-COMPANY', ['Assignor'])
     self.assertRoles(image, self.user_id, ['Owner'])
 
-  test_GroupCompany = test_SecurityForShacache
-
 class TestImageModule(TestSlapOSGroupRoleSecurityMixin):
   def test(self):
     module = self.portal.image_module
@@ -463,11 +457,12 @@ class TestOrganisation(TestSlapOSGroupRoleSecurityMixin):
   def test_GroupCompany(self):
     organisation = self.portal.organisation_module.newContent(
         portal_type='Organisation')
+    organisation.setReference("TESTORG-%s" % self.generateNewId())
     organisation.updateLocalRolesOnSecurityGroups()
     self.assertSecurityGroup(organisation,
-        ['G-COMPANY', self.user_id, 'R-MEMBER', 'R-SHADOW-PERSON'], False)
+        ['G-COMPANY', self.user_id, organisation.getReference(), 'R-SHADOW-PERSON'], False)
     self.assertRoles(organisation, 'G-COMPANY', ['Assignor'])
-    self.assertRoles(organisation, 'R-MEMBER', ['Auditor'])
+    self.assertRoles(organisation, organisation.getReference(), ['Assignee'])
     self.assertRoles(organisation, 'R-SHADOW-PERSON', ['Auditor'])
     self.assertRoles(organisation, self.user_id, ['Owner', 'Assignee'])
 
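Review bot: The only Organisation test now creates an object with no `group`, so it exercises the new `here.getGroup() == "company"` condition solely in the negative (`R-MEMBER` disappears from the expected groups); nothing asserts that an organisation in `group/company` still grants `R-MEMBER` Auditor, which is the access path the condition is meant to keep. A companion test that sets the group and expects `R-MEMBER` back in the list would pin both sides of the condition. `setGroup("company")` is presumably the category accessor for the `group` base category — verify against the Organisation type's categories.
```python
  def test_GroupCompany_with_company_group(self):
    organisation = self.portal.organisation_module.newContent(
        portal_type='Organisation')
    organisation.setReference("TESTORG-%s" % self.generateNewId())
    organisation.setGroup("company")
    organisation.updateLocalRolesOnSecurityGroups()
    self.assertSecurityGroup(organisation,
        ['G-COMPANY', self.user_id, organisation.getReference(),
         'R-MEMBER', 'R-SHADOW-PERSON'], False)
    self.assertRoles(organisation, 'R-MEMBER', ['Auditor'])
```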
@@ -498,14 +493,15 @@ class TestProjectModule(TestSlapOSGroupRoleSecurityMixin):
     self.assertRoles(module, self.user_id, ['Owner'])
 
 class TestProject(TestSlapOSGroupRoleSecurityMixin):
-  def test_GroupCompany(self):
+
+  def test(self):
     project = self.portal.project_module.newContent(
         portal_type='Project')
     project.updateLocalRolesOnSecurityGroups()
     self.assertSecurityGroup(project,
-        ['G-COMPANY', self.user_id, 'R-MEMBER', 'R-SHADOW-PERSON'], False)
+        ['G-COMPANY', self.user_id, project.getReference(), 'R-SHADOW-PERSON'], False)
     self.assertRoles(project, 'G-COMPANY', ['Assignor'])
-    self.assertRoles(project, 'R-MEMBER', ['Auditor'])
+    self.assertRoles(project, project.getReference(), ['Assignee'])
     self.assertRoles(project, 'R-SHADOW-PERSON', ['Auditor'])
     self.assertRoles(project, self.user_id, ['Owner', 'Assignee'])
 
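Review bot: `project.getReference()` is used as the expected group id in the rebuilt `assertSecurityGroup` call, but unlike the Organisation test in this commit no reference is set on the project first, so if Project does not auto-generate one the test would assert `None` as a security group and pass against whatever `ERP5Type_getSecurityCategoryFromSelf` yields for a missing reference, instead of failing. Either mirror the Organisation test with `project.setReference("TESTPROJ-%s" % self.generateNewId())` before `updateLocalRolesOnSecurityGroups()`, or add `self.assertNotEqual(project.getReference(), None)` ahead of the group assertion. The rename of `test_GroupCompany` to `test` also introduces a blank line between the `class TestProject` header and the `def`, which no other class in this file has.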
@@ -523,8 +519,6 @@ class TestPDF(TestSlapOSGroupRoleSecurityMixin):
     self.assertRoles(pdf, 'G-COMPANY', ['Assignor'])
     self.assertRoles(pdf, self.user_id, ['Owner'])
 
-  test_GroupCompany = test_SecurityForShacache
-
 class TestPerson(TestSlapOSGroupRoleSecurityMixin):
   def test_GroupCompany(self):
     person = self.portal.person_module.newContent(portal_type='Person')
@@ -645,8 +639,6 @@ class TestPresentation(TestSlapOSGroupRoleSecurityMixin):
     self.assertRoles(presentation, 'G-COMPANY', ['Assignor'])
     self.assertRoles(presentation, self.user_id, ['Owner'])
 
-  test_GroupCompany = test_SecurityForShacache
-
 class TestSlaveInstance(TestSlapOSGroupRoleSecurityMixin):
   def test_GroupCompany(self):
     instance = self.portal.software_instance_module.newContent(
@@ -898,8 +890,6 @@ class TestSpreadsheet(TestSlapOSGroupRoleSecurityMixin):
     self.assertRoles(spreadsheet, 'G-COMPANY', ['Assignor'])
     self.assertRoles(spreadsheet, self.user_id, ['Owner'])
 
-  test_GroupCompany = test_SecurityForShacache
-
 class TestText(TestSlapOSGroupRoleSecurityMixin):
   def test_SecurityForShacache(self):
     text = self.portal.document_module.newContent(
@@ -915,8 +905,6 @@ class TestText(TestSlapOSGroupRoleSecurityMixin):
     self.assertRoles(text, 'G-COMPANY', ['Assignor'])
     self.assertRoles(text, self.user_id, ['Owner'])
 
-  test_GroupCompany = test_SecurityForShacache
-
 class TestContributionTool(TestSlapOSGroupRoleSecurityMixin):
   def test(self):
     module = self.portal.portal_contributions
-- 
2.30.9