slapos_accounting: Use dedicated script with proxy role to start payment

Since the accounting workflow introduced Guard on start transition, it is required assignee or assignor to change the state (before Modify Portal content was enough). The script is invoke as Shadow user, and since destination section is set, the User automatically become Auditor (rather them Assignee) so it would imply a deeper change to relax security for the shadow user (not shadow person) just to invoke start. Not to mention HUGE security update to be done. Use Manager proxy role is not ideal, but it doesn't introduce a security issue while solve the problem until a deeper review on the roles for Shadow users takes place.

slapos_accounting: Use dedicated script with proxy role to start payment
Since the accounting workflow introduced Guard on start transition, it is required assignee or assignor to change the state (before Modify Portal content was enough). The script is invoke as Shadow user, and since destination section is set, the User automatically become Auditor (rather them Assignee) so it would imply a deeper change to relax security for the shadow user (not shadow person) just to invoke start. Not to mention HUGE security update to be done. Use Manager proxy role is not ideal, but it doesn't introduce a security issue while solve the problem until a deeper review on the roles for Shadow users takes place.
f1c21aca · Rafael Monnerat · 66be53cd · f1c21aca · f1c21aca · f1c21aca
Commit f1c21aca authored Jan 31, 2023 by Rafael Monnerat
4 changed files
--- a/master/bt5/slapos_accounting/SkinTemplateItem/portal_skins/slapos_accounting/Entity_createPaymentTransaction.py
+++ b/master/bt5/slapos_accounting/SkinTemplateItem/portal_skins/slapos_accounting/Entity_createPaymentTransaction.py
@@ -31,10 +31,10 @@ current_payment = portal.accounting_module.newContent(
  portal_type="Payment Transaction",
  causality=current_invoice.getRelativeUrl(),
  source_section=current_invoice.getSourceSection(),
-  destination_section=current_invoice.getDestinationSection(),
  resource=current_invoice.getResource(),
  price_currency=current_invoice.getResource(),
  specialise=current_invoice.getSpecialise(),
+  destination_section=current_invoice.getDestinationSection(),
  payment_mode=current_invoice.getPaymentMode(),
  start_date=current_invoice.getStartDate(),
  stop_date=current_invoice.getStopDate(),
@@ -66,12 +66,8 @@ comment = translateString("Initialised by Entity_createPaymentTransaction.")
 payment_tag ="sale_invoice_transaction_create_payment_%s" % current_invoice.getUid()
 current_payment.activate(tag=payment_tag).immediateReindexObject()
-# Call script rather them call confirm(), since it would set security and fail whenever
-# start is called.
-current_payment.AccountingTransaction_setReference()
 comment = translateString("Initialised by Entity_createPaymentTransaction.")
-current_payment.start(comment=comment)
+current_payment.PaymentTransaction_start(comment=comment)
 # Set a flag on the request for prevent 2 calls on the same transaction
 context.REQUEST.set(payment_tag, 1)

--- a/master/bt5/slapos_accounting/SkinTemplateItem/portal_skins/slapos_accounting/PaymentTransaction_start.py
+++ b/master/bt5/slapos_accounting/SkinTemplateItem/portal_skins/slapos_accounting/PaymentTransaction_start.py
+from zExceptions import Unauthorized
+if REQUEST is not None:
+  raise Unauthorized
+if context.getPortalType() != "Payment Transaction":
+  raise Unauthorized
+context.confirm(comment=comment)
+context.start(comment=comment)
--- a/master/bt5/slapos_accounting/SkinTemplateItem/portal_skins/slapos_accounting/PaymentTransaction_start.xml
+++ b/master/bt5/slapos_accounting/SkinTemplateItem/portal_skins/slapos_accounting/PaymentTransaction_start.xml
+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>Script_magic</string> </key>
+            <value> <int>3</int> </value>
+        </item>
+        <item>
+            <key> <string>_bind_names</string> </key>
+            <value>
+              <object>
+                <klass>
+                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
+                </klass>
+                <tuple/>
+                <state>
+                  <dictionary>
+                    <item>
+                        <key> <string>_asgns</string> </key>
+                        <value>
+                          <dictionary>
+                            <item>
+                                <key> <string>name_container</string> </key>
+                                <value> <string>container</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_context</string> </key>
+                                <value> <string>context</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_m_self</string> </key>
+                                <value> <string>script</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_subpath</string> </key>
+                                <value> <string>traverse_subpath</string> </value>
+                            </item>
+                          </dictionary>
+                        </value>
+                    </item>
+                  </dictionary>
+                </state>
+              </object>
+            </value>
+        </item>
+        <item>
+            <key> <string>_params</string> </key>
+            <value> <string>comment="", REQUEST=None</string> </value>
+        </item>
+        <item>
+            <key> <string>_proxy_roles</string> </key>
+            <value>
+              <tuple>
+                <string>Manager</string>
+              </tuple>
+            </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>PaymentTransaction_start</string> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>
--- a/master/bt5/slapos_accounting/TestTemplateItem/portal_components/test.erp5.testSlapOSAccountingSkins.py
+++ b/master/bt5/slapos_accounting/TestTemplateItem/portal_components/test.erp5.testSlapOSAccountingSkins.py
@@ -816,3 +816,32 @@ class TestSlapOSAccounting(SlapOSTestCaseMixin):
    self.assertIn('account_module/receivable',
      [i.getRelativeUrl() for i in account_list])
+  def test_PaymentTransaction_start(self):
+    sale_invoice_transaction = self.portal.accounting_module.newContent(
+      portal_type="Sale Invoice Transaction",
+      start_date=DateTime()
+    )
+    payment_transaction = self.portal.accounting_module.newContent(
+      portal_type="Payment Transaction",
+      start_date=DateTime()
+    )
+    self.assertRaises(Unauthorized,
+      payment_transaction.PaymentTransaction_start,
+      REQUEST=self.portal.REQUEST)
+    self.assertRaises(Unauthorized,
+      sale_invoice_transaction.PaymentTransaction_start,
+      REQUEST=self.portal.REQUEST)
+    self.assertRaises(Unauthorized,
+      sale_invoice_transaction.PaymentTransaction_start,
+      REQUEST=None)
+    payment_transaction.PaymentTransaction_start()
+    self.assertEqual("started",
+      payment_transaction.getSimulationState())