Commit acf94945 authored by Rafael Monnerat's avatar Rafael Monnerat

slapos_erp5: Restrict Shadow access on Sale Invoice and Subscription Request

   Limit access from any SHADOW user to the specific SHADOW user linked to the context, the same as for Payment Transaction and Payzen events.

   Roles (Assignee and Auditor) don't change; they just become restricted to a single shadow user.
parent 6350e391
<type_roles> <type_roles>
<role id='Assignee'>
<property id='title'>Person Shadow</property>
<property id='condition'>python: context.getLedger("") == "automated"</property>
<multi_property id='categories'>local_role_group/shadow</multi_property>
<multi_property id='category'>role/shadow/person</multi_property>
<multi_property id='base_category'>role</multi_property>
</role>
<role id='Auditor'> <role id='Auditor'>
<property id='title'>ReadOnly for Accountant</property> <property id='title'>ReadOnly for Accountant</property>
<property id='condition'>python: context.getLedger("") == "automated"</property> <property id='condition'>python: context.getLedger("") == "automated"</property>
...@@ -13,6 +6,14 @@ ...@@ -13,6 +6,14 @@
<multi_property id='category'>function/accounting*</multi_property> <multi_property id='category'>function/accounting*</multi_property>
<multi_property id='base_category'>function</multi_property> <multi_property id='base_category'>function</multi_property>
</role> </role>
<role id='Assignee'>
<property id='title'>Shadow User</property>
<property id='description'>Destination Section has shadow rights on the document</property>
<property id='condition'>python: (here.getDestination('', portal_type='Person') != "") and (here.getLedger("") == "automated")</property>
<property id='base_category_script'>Base_getSecurityCategoryAsShadowUser</property>
<multi_property id='categories'>local_role_group/shadow</multi_property>
<multi_property id='base_category'>destination</multi_property>
</role>
<role id='Auditor'> <role id='Auditor'>
<property id='title'>User</property> <property id='title'>User</property>
<property id='condition'>python: (here.getDestination('', portal_type='Person') != '') and (context.getLedger("") == "automated")</property> <property id='condition'>python: (here.getDestination('', portal_type='Person') != '') and (context.getLedger("") == "automated")</property>
......
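Review bot: The `description` on the new Assignee "Shadow User" role says "Destination Section has shadow rights on the document", but the role is derived from `destination`: `base_category` is `destination` and the condition tests `here.getDestination('', portal_type='Person')`. The description is what someone auditing the local-role configuration reads first, so it should name the category that actually grants access, e.g. `<property id='description'>Destination has shadow rights on the document</property>`. Separately, the condition only establishes that a Person destination exists. Whether `Base_getSecurityCategoryAsShadowUser` itself skips non-Person destinations is not visible here and is worth confirming, since that script decides which SHADOW group receives Assignee.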
...@@ -7,17 +7,17 @@ ...@@ -7,17 +7,17 @@
<multi_property id='categories'>local_role_group/user</multi_property> <multi_property id='categories'>local_role_group/user</multi_property>
<multi_property id='base_category'>destination_decision</multi_property> <multi_property id='base_category'>destination_decision</multi_property>
</role> </role>
<role id='Auditor'>
<property id='title'>Person Shadow</property>
<property id='condition'>python: context.getLedger("") == "automated"</property>
<multi_property id='categories'>local_role_group/shadow</multi_property>
<multi_property id='category'>role/shadow/person</multi_property>
<multi_property id='base_category'>role</multi_property>
</role>
<role id='Auditor'> <role id='Auditor'>
<property id='title'>Sale Agent</property> <property id='title'>Sale Agent</property>
<multi_property id='categories'>local_role_group/function</multi_property> <multi_property id='categories'>local_role_group/function</multi_property>
<multi_property id='category'>function/sale*</multi_property> <multi_property id='category'>function/sale*</multi_property>
<multi_property id='base_category'>function</multi_property> <multi_property id='base_category'>function</multi_property>
</role> </role>
<role id='Auditor'>
<property id='title'>Shadow User</property>
<property id='condition'>python: (here.getDestinationDecision('', portal_type='Person') != "") and (here.getLedger("") == "automated")</property>
<property id='base_category_script'>Base_getSecurityCategoryAsShadowUser</property>
<multi_property id='categories'>local_role_group/shadow</multi_property>
<multi_property id='base_category'>destination_decision</multi_property>
</role>
</type_roles> </type_roles>
\ No newline at end of file
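Review bot: The Auditor "Shadow User" role added here has no `description`, while the equivalent role added for Sale Invoice Transaction in this same commit does. For a role that narrows access to a single shadow user, a one-line statement of which relation grants it makes the security configuration easier to audit. I would add `<property id='description'>Destination Decision has shadow rights on the document</property>` after the title.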
...@@ -212,7 +212,8 @@ class TestPaymentTransaction(TestSlapOSGroupRoleSecurityMixin): ...@@ -212,7 +212,8 @@ class TestPaymentTransaction(TestSlapOSGroupRoleSecurityMixin):
class TestSaleInvoiceTransaction(TestSlapOSGroupRoleSecurityMixin): class TestSaleInvoiceTransaction(TestSlapOSGroupRoleSecurityMixin):
def test_SaleInvoiceTransaction_AccountingFunction_LedgerNotAutomated(self): def test_SaleInvoiceTransaction_AccountingFunction_LedgerNotAutomated(self):
product = self.portal.accounting_module.newContent( product = self.portal.accounting_module.newContent(
portal_type='Sale Invoice Transaction') portal_type='Sale Invoice Transaction', created_by_builder=1)
self.assertEqual(product.getLedger(), None)
self.assertSecurityGroup(product, self.assertSecurityGroup(product,
['F-ACCMAN', 'F-ACCAGT', self.user_id], False) ['F-ACCMAN', 'F-ACCAGT', self.user_id], False)
self.assertRoles(product, 'F-ACCMAN', ['Assignor']) self.assertRoles(product, 'F-ACCMAN', ['Assignor'])
...@@ -220,13 +221,13 @@ class TestSaleInvoiceTransaction(TestSlapOSGroupRoleSecurityMixin): ...@@ -220,13 +221,13 @@ class TestSaleInvoiceTransaction(TestSlapOSGroupRoleSecurityMixin):
self.assertRoles(product, self.user_id, ['Owner']) self.assertRoles(product, self.user_id, ['Owner'])
def test_SaleInvoiceTransaction_AccountingFunction_LedgerAutomated(self): def test_SaleInvoiceTransaction_AccountingFunction_LedgerAutomated(self):
"""No user, no shadow"""
product = self.portal.accounting_module.newContent( product = self.portal.accounting_module.newContent(
portal_type='Sale Invoice Transaction') portal_type='Sale Invoice Transaction')
product.edit(ledger='automated') product.edit(ledger='automated')
self.assertSecurityGroup(product, self.assertSecurityGroup(product,
['F-ACCOUNTING*', self.user_id, 'R-SHADOW-PERSON'], False) ['F-ACCOUNTING*', self.user_id ], False)
self.assertRoles(product, 'F-ACCOUNTING*', ['Auditor']) self.assertRoles(product, 'F-ACCOUNTING*', ['Auditor'])
self.assertRoles(product, 'R-SHADOW-PERSON', ['Assignee'])
self.assertRoles(product, self.user_id, ['Owner']) self.assertRoles(product, self.user_id, ['Owner'])
def test_SaleInvoiceTransaction_User(self): def test_SaleInvoiceTransaction_User(self):
...@@ -241,10 +242,10 @@ class TestSaleInvoiceTransaction(TestSlapOSGroupRoleSecurityMixin): ...@@ -241,10 +242,10 @@ class TestSaleInvoiceTransaction(TestSlapOSGroupRoleSecurityMixin):
) )
self.assertSecurityGroup(product, self.assertSecurityGroup(product,
['F-ACCOUNTING*', self.user_id, person.getUserId(), ['F-ACCOUNTING*', self.user_id, person.getUserId(),
'R-SHADOW-PERSON'], False) 'SHADOW-%s' % person.getUserId()], False)
self.assertRoles(product, 'F-ACCOUNTING*', ['Auditor']) self.assertRoles(product, 'F-ACCOUNTING*', ['Auditor'])
self.assertRoles(product, person.getUserId(), ['Auditor']) self.assertRoles(product, person.getUserId(), ['Auditor'])
self.assertRoles(product, 'R-SHADOW-PERSON', ['Assignee']) self.assertRoles(product, 'SHADOW-%s' % person.getUserId(), ['Assignee'])
self.assertRoles(product, self.user_id, ['Owner']) self.assertRoles(product, self.user_id, ['Owner'])
...@@ -1620,6 +1621,16 @@ class TestSubscriptionRequest(TestSlapOSGroupRoleSecurityMixin): ...@@ -1620,6 +1621,16 @@ class TestSubscriptionRequest(TestSlapOSGroupRoleSecurityMixin):
self.assertRoles(delivery, self.user_id, ['Owner']) self.assertRoles(delivery, self.user_id, ['Owner'])
self.assertRoles(delivery, 'F-SALE*', ['Auditor']) self.assertRoles(delivery, 'F-SALE*', ['Auditor'])
def test_SubscriptionRequest_automated_ledger(self):
delivery = self.portal.subscription_request_module.newContent(
portal_type='Subscription Request')
delivery.edit(ledger="automated")
self.assertSecurityGroup(delivery,
['F-SALE*', self.user_id], False)
self.assertRoles(delivery, self.user_id, ['Owner'])
self.assertRoles(delivery, 'F-SALE*', ['Auditor'])
def test_SubscriptionRequest_user(self): def test_SubscriptionRequest_user(self):
reference = 'TESTPERSON-%s' % self.generateNewId() reference = 'TESTPERSON-%s' % self.generateNewId()
person = self.portal.person_module.newContent(portal_type='Person', person = self.portal.person_module.newContent(portal_type='Person',
...@@ -1628,12 +1639,12 @@ class TestSubscriptionRequest(TestSlapOSGroupRoleSecurityMixin): ...@@ -1628,12 +1639,12 @@ class TestSubscriptionRequest(TestSlapOSGroupRoleSecurityMixin):
portal_type='Subscription Request') portal_type='Subscription Request')
delivery.edit(destination_decision_value=person, ledger="automated") delivery.edit(destination_decision_value=person, ledger="automated")
self.assertSecurityGroup(delivery, self.assertSecurityGroup(delivery,
['F-SALE*', self.user_id, "R-SHADOW-PERSON", ['F-SALE*', self.user_id, "SHADOW-%s" % person.getUserId(),
person.getUserId()], False) person.getUserId()], False)
self.assertRoles(delivery, self.user_id, ['Owner']) self.assertRoles(delivery, self.user_id, ['Owner'])
self.assertRoles(delivery, 'F-SALE*', ['Auditor']) self.assertRoles(delivery, 'F-SALE*', ['Auditor'])
self.assertRoles(delivery, person.getUserId(), ['Associate']) self.assertRoles(delivery, person.getUserId(), ['Associate'])
self.assertRoles(delivery, 'R-SHADOW-PERSON', ['Auditor']) self.assertRoles(delivery, "SHADOW-%s" % person.getUserId(), ['Auditor'])
class TestOrganisationModule(TestSlapOSGroupRoleSecurityMixin): class TestOrganisationModule(TestSlapOSGroupRoleSecurityMixin):
def test_OrganisationModule(self): def test_OrganisationModule(self):
......
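Review bot: The updated tests never exercise the case where a Person is linked but the ledger is not `automated`, which is the half of the new role condition that stops a shadow group being granted on manually managed documents. `test_SubscriptionRequest_user` always edits with `ledger="automated"`, and `test_SaleInvoiceTransaction_User` appears to do the same (its setup is outside the visible hunk, so this is inferred from the expected groups). A test that links the person without setting the ledger and asserts that `'SHADOW-%s' % person.getUserId()` is absent from the security groups would guard the restriction against a later loosening of the condition. Minor: `self.assertEqual(product.getLedger(), None)` reads better as `self.assertIsNone(product.getLedger())`, and `test_SubscriptionRequest_automated_ledger` could carry the same `"""No user, no shadow"""` docstring as its Sale Invoice counterpart.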