From 51ac7d55c3b4263b16ac253e8b0f7e95a3c7841a Mon Sep 17 00:00:00 2001 From: Pierre Verkest Date: Thu, 18 Mar 2021 23:48:52 +0100 Subject: [PATCH 01/10] [14.0] group_backend: new module and rename group_backend to base_group_backend As a developer we have to keep in mind using this module and grant a user with 's group is equivalent to grant 's group everywhere has been used. Co-authored-by: Jean-Charles Drubay --- base_group_backend/README.rst | 154 ++++++ base_group_backend/__init__.py | 2 + base_group_backend/__manifest__.py | 23 + base_group_backend/data/res-groups.xml | 18 + base_group_backend/demo/__init__.py | 5 + .../demo/backend_dummy_model.py | 11 + .../demo/backend_dummy_model.xml | 43 ++ base_group_backend/demo/ir.model.access.csv | 3 + base_group_backend/demo/test-model.xml | 8 + base_group_backend/models/__init__.py | 2 + base_group_backend/models/res_users.py | 42 ++ base_group_backend/readme/CONFIGURE.rst | 8 + base_group_backend/readme/CONTRIBUTORS.rst | 4 + base_group_backend/readme/DESCRIPTION.rst | 45 ++ base_group_backend/readme/USAGE.rst | 7 + .../security/ir.model.access.csv | 13 + .../static/description/index.html | 481 ++++++++++++++++++ base_group_backend/tests/__init__.py | 1 + base_group_backend/tests/test_module.py | 19 + 19 files changed, 889 insertions(+) create mode 100644 base_group_backend/README.rst create mode 100644 base_group_backend/__init__.py create mode 100644 base_group_backend/__manifest__.py create mode 100644 base_group_backend/data/res-groups.xml create mode 100644 base_group_backend/demo/__init__.py create mode 100644 base_group_backend/demo/backend_dummy_model.py create mode 100644 base_group_backend/demo/backend_dummy_model.xml create mode 100644 base_group_backend/demo/ir.model.access.csv create mode 100644 base_group_backend/demo/test-model.xml create mode 100644 base_group_backend/models/__init__.py create mode 100644 base_group_backend/models/res_users.py create mode 100644 base_group_backend/readme/CONFIGURE.rst create mode 100644 base_group_backend/readme/CONTRIBUTORS.rst create mode 100644 base_group_backend/readme/DESCRIPTION.rst create mode 100644 base_group_backend/readme/USAGE.rst create mode 100644 base_group_backend/security/ir.model.access.csv create mode 100644 base_group_backend/static/description/index.html create mode 100644 base_group_backend/tests/__init__.py create mode 100644 base_group_backend/tests/test_module.py diff --git a/base_group_backend/README.rst b/base_group_backend/README.rst new file mode 100644 index 000000000..a00d2b3bd --- /dev/null +++ b/base_group_backend/README.rst @@ -0,0 +1,154 @@ +============= +Group backend +============= + +.. + !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + !! This file is generated by oca-gen-addon-readme !! + !! changes will be overwritten. !! + !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + !! source digest: sha256:6aed3105c0a4c58cc34c910e88d34a68e14d38a8d549160bbc5b8f276320cda4 + !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + +.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png + :target: https://odoo-community.org/page/development-status + :alt: Beta +.. |badge2| image:: https://img.shields.io/badge/licence-LGPL--3-blue.png + :target: http://www.gnu.org/licenses/lgpl-3.0-standalone.html + :alt: License: LGPL-3 +.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--backend-lightgray.png?logo=github + :target: https://github.com/OCA/server-backend/tree/16.0/base_group_backend + :alt: OCA/server-backend +.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png + :target: https://translation.odoo-community.org/projects/server-backend-16-0/server-backend-16-0-base_group_backend + :alt: Translate me on Weblate +.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png + :target: https://runboat.odoo-community.org/builds?repo=OCA/server-backend&target_branch=16.0 + :alt: Try me on Runboat + +|badge1| |badge2| |badge3| |badge4| |badge5| + +This module was written to extend the standard functionality regarding users +and groups management by adding a new `Backend user` group that only gives access +to odoo backend (`/web`): + +* minimal default access: + * users and partners (this is necessary to access your own data) + * mail activity, notification and channel + * presence +* minimal default menu + * notification + * activities +* minimal default access rules + +The problem with the `Internal user` is when you want to gives access to the +backend to a really thin part of your business to some users, it's quite hard +to properly maintain those roles over the project life, a lot of models use +that group (`base.group_user`) by default which makes hard to maintains. + +So that helps creating well-defined user groups with more controls. + +This modules does 3 things: +* It hijack the has_group method of res.users by returning True for group_backend users when the requested group is group_user (The need for this needs to be investigated) +* It sets the res_users.share to False for group_backend users. This allows those users to access the backend. +* It sets the bare minimum permission in the ir.model.access.csv to display the backend + +We suggest to use this module with its compagnon `base_user_role` + + +Limitations +~~~~~~~~~~~ + +At the time of writing, Odoo uses `res.users.share == False` to give the +backend access. +However to be able to access the backend without any errors some basic rights are necessary. +This module change the way `res.users.share` is computed to allow `group_backend users` to use the backend. + +This avoids to write a lot of overwrite in different controllers from +different modules ('portal', 'web', 'base', 'website') with hard coded statements +that check if user is part of the `base.group_user` or `share == False` group. + +.. warning:: + + Using this module and grant a user with `group_backend`'s group is + equivalent to grant `group_user`'s group everywhere `has_group` + has been used. + +**Table of contents** + +.. contents:: + :local: + +Configuration +============= + +To allow `group_backend` to interact with a model you can either add access rules to the group +or you can add `implied_ids` to `group_backend`. + +.. note:: + + Be aware users can only belong to one group from the user type category + (`base.module_category_user_type`). So your other groups can't inherit both + internal users and backend users. + +Usage +===== + +To use this module, you need to: + +#. Go to Configuration / Users / Users, choose a user and set the user type. + +You get a users that is only able to access to the Odoo backend which you +can attach other groups that not implies other kind of users (`portal`, +`internal users`) + +Bug Tracker +=========== + +Bugs are tracked on `GitHub Issues `_. +In case of trouble, please check there if your issue has already been reported. +If you spotted it first, help us to smash it by providing a detailed and welcomed +`feedback `_. + +Do not contact contributors directly about support or help with technical issues. + +Credits +======= + +Authors +~~~~~~~ + +* Pierre Verkest + +Contributors +~~~~~~~~~~~~ + +* Pierre Verkest +* François Poizat + +Do not contact contributors directly about support or help with technical issues. + +Maintainers +~~~~~~~~~~~ + +This module is maintained by the OCA. + +.. image:: https://odoo-community.org/logo.png + :alt: Odoo Community Association + :target: https://odoo-community.org + +OCA, or the Odoo Community Association, is a nonprofit organization whose +mission is to support the collaborative development of Odoo features and +promote its widespread use. + +.. |maintainer-oca| image:: https://github.com/oca.png?size=40px + :target: https://github.com/oca + :alt: oca + +Current `maintainer `__: + +|maintainer-oca| + +This module is part of the `OCA/server-backend `_ project on GitHub. + +You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute. diff --git a/base_group_backend/__init__.py b/base_group_backend/__init__.py new file mode 100644 index 000000000..fc95f8e72 --- /dev/null +++ b/base_group_backend/__init__.py @@ -0,0 +1,2 @@ +from . import models +from . import demo diff --git a/base_group_backend/__manifest__.py b/base_group_backend/__manifest__.py new file mode 100644 index 000000000..26b4c5847 --- /dev/null +++ b/base_group_backend/__manifest__.py @@ -0,0 +1,23 @@ +# Copyright 2021 Pierre Verkest +# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html). +{ + "name": "Group backend", + "version": "16.0.1.0.0", + "category": "Tools", + "author": "Pierre Verkest, Odoo Community Association (OCA)", + "license": "LGPL-3", + "maintainers": ["oca"], + "website": "https://github.com/OCA/server-backend", + "depends": ["base", "mail"], + "demo": [ + "demo/test-model.xml", + "demo/ir.model.access.csv", + "demo/backend_dummy_model.xml", + ], + "data": [ + "data/res-groups.xml", + "security/ir.model.access.csv", + ], + "installable": True, + "application": True +} diff --git a/base_group_backend/data/res-groups.xml b/base_group_backend/data/res-groups.xml new file mode 100644 index 000000000..eb3291e9b --- /dev/null +++ b/base_group_backend/data/res-groups.xml @@ -0,0 +1,18 @@ + + + Backend user + + + This group is used to gives user backend access. + + While users in `base.group_user` gets a lot of default access + which makes hard to define properly records/rules/menu access. + + So for maintainability you shouldn't linked any access right, rules, + menu, and so on to this group directly. + + The only intent of this groups is to be able to get a session + to Odoo backend (`/web`). + + + diff --git a/base_group_backend/demo/__init__.py b/base_group_backend/demo/__init__.py new file mode 100644 index 000000000..0c1800555 --- /dev/null +++ b/base_group_backend/demo/__init__.py @@ -0,0 +1,5 @@ +from odoo.tools import config + +if not config['without_demo']: + from . import backend_dummy_model + diff --git a/base_group_backend/demo/backend_dummy_model.py b/base_group_backend/demo/backend_dummy_model.py new file mode 100644 index 000000000..49fd4b120 --- /dev/null +++ b/base_group_backend/demo/backend_dummy_model.py @@ -0,0 +1,11 @@ +from odoo import fields, models + +class BackendDummyModel(models.Model): + _name = "backend.dummy.model" + _inherit = ["mail.activity.mixin"] + _description = 'Nothing to see here' + + my_value = fields.Char(name="Value", required=True) + my_other_value = fields.Char(name="Other value", required=True) + date_start = fields.Datetime(name="Date start", required=True, default=fields.Datetime.now) + date_stop = fields.Datetime(name="Date stop", required=True, default=fields.Datetime.now) diff --git a/base_group_backend/demo/backend_dummy_model.xml b/base_group_backend/demo/backend_dummy_model.xml new file mode 100644 index 000000000..927f9bca0 --- /dev/null +++ b/base_group_backend/demo/backend_dummy_model.xml @@ -0,0 +1,43 @@ + + + + + Backend dummy tree view + backend.dummy.model + + + + + + + + + Dummies + ir.actions.act_window + backend.dummy.model + tree,form,kanban,calendar,pivot,graph,activity + + + + + + + diff --git a/base_group_backend/demo/ir.model.access.csv b/base_group_backend/demo/ir.model.access.csv new file mode 100644 index 000000000..fb5cf5869 --- /dev/null +++ b/base_group_backend/demo/ir.model.access.csv @@ -0,0 +1,3 @@ +"id","name","model_id:id","group_id:id","perm_read","perm_write","perm_create","perm_unlink" +"access_backend_dummy_models","backend_dummy_model all","base_group_backend.model_backend_dummy_model",group_backend,1,0,0,0 +"access_backend_dummy_models_all","backend_dummy_model all","base_group_backend.model_backend_dummy_model",base.group_user,1,0,0,0 diff --git a/base_group_backend/demo/test-model.xml b/base_group_backend/demo/test-model.xml new file mode 100644 index 000000000..70db20802 --- /dev/null +++ b/base_group_backend/demo/test-model.xml @@ -0,0 +1,8 @@ + + + + hello + hello + + + diff --git a/base_group_backend/models/__init__.py b/base_group_backend/models/__init__.py new file mode 100644 index 000000000..beafab2fa --- /dev/null +++ b/base_group_backend/models/__init__.py @@ -0,0 +1,2 @@ +from odoo.tools import config +from . import res_users diff --git a/base_group_backend/models/res_users.py b/base_group_backend/models/res_users.py new file mode 100644 index 000000000..51c51b8f0 --- /dev/null +++ b/base_group_backend/models/res_users.py @@ -0,0 +1,42 @@ +import logging + +from odoo import api, models + +_logger = logging.getLogger(__name__) + + +class Users(models.Model): + _inherit = "res.users" + + + # TODO: (franz) make it clear why we test with "." group and why the share = True + @api.model + def has_group(self, group_ext_id): + """While ensuring a user is part of `base.group_user` this code will + try if user is in the `base_group_backend.group_backend` group to let access + to the odoo backend. + + This code avoid to overwrite a lot of places in controllers from + different modules ('portal', 'web', 'base') with hardcoded statement + that check if user is part of `base.group_user` group. + + As far `base.group_user` have a lot of default permission this + makes hard to maintain proper access right according your business. + """ + res = super().has_group(group_ext_id) + if not res and (group_ext_id == "base.group_user"): + has_base_group_backend = super().has_group( + "base_group_backend.group_backend" + ) + if has_base_group_backend: + _logger.warning("Forcing has_group to return True for group_backend") + return has_base_group_backend + return res + + @api.depends('groups_id') + def _compute_share(self): + user_group_id = self.env['ir.model.data']._xmlid_to_res_id('base.group_user') + backend_user_group_id = self.env['ir.model.data']._xmlid_to_res_id('base_group_backend.group_backend') + internal_users = self.filtered_domain([('groups_id', 'in', [user_group_id, backend_user_group_id])]) + internal_users.share = False + (self - internal_users).share = True diff --git a/base_group_backend/readme/CONFIGURE.rst b/base_group_backend/readme/CONFIGURE.rst new file mode 100644 index 000000000..e480b4f2c --- /dev/null +++ b/base_group_backend/readme/CONFIGURE.rst @@ -0,0 +1,8 @@ +To allow `group_backend` to interact with a model you can either add access rules to the group +or you can add `implied_ids` to `group_backend`. + +.. note:: + + Be aware users can only belong to one group from the user type category + (`base.module_category_user_type`). So your other groups can't inherit both + internal users and backend users. diff --git a/base_group_backend/readme/CONTRIBUTORS.rst b/base_group_backend/readme/CONTRIBUTORS.rst new file mode 100644 index 000000000..f8032a3b4 --- /dev/null +++ b/base_group_backend/readme/CONTRIBUTORS.rst @@ -0,0 +1,4 @@ +* Pierre Verkest +* François Poizat + +Do not contact contributors directly about support or help with technical issues. diff --git a/base_group_backend/readme/DESCRIPTION.rst b/base_group_backend/readme/DESCRIPTION.rst new file mode 100644 index 000000000..c640e2e53 --- /dev/null +++ b/base_group_backend/readme/DESCRIPTION.rst @@ -0,0 +1,45 @@ +This module was written to extend the standard functionality regarding users +and groups management by adding a new `Backend user` group that only gives access +to odoo backend (`/web`): + +* minimal default access: + * users and partners (this is necessary to access your own data) + * mail activity, notification and channel + * presence +* minimal default menu + * notification + * activities +* minimal default access rules + +The problem with the `Internal user` is when you want to gives access to the +backend to a really thin part of your business to some users, it's quite hard +to properly maintain those roles over the project life, a lot of models use +that group (`base.group_user`) by default which makes hard to maintains. + +So that helps creating well-defined user groups with more controls. + +This modules does 3 things: +* It hijack the has_group method of res.users by returning True for group_backend users when the requested group is group_user (The need for this needs to be investigated) +* It sets the res_users.share to False for group_backend users. This allows those users to access the backend. +* It sets the bare minimum permission in the ir.model.access.csv to display the backend + +We suggest to use this module with its compagnon `base_user_role` + + +Limitations +~~~~~~~~~~~ + +At the time of writing, Odoo uses `res.users.share == False` to give the +backend access. +However to be able to access the backend without any errors some basic rights are necessary. +This module change the way `res.users.share` is computed to allow `group_backend users` to use the backend. + +This avoids to write a lot of overwrite in different controllers from +different modules ('portal', 'web', 'base', 'website') with hard coded statements +that check if user is part of the `base.group_user` or `share == False` group. + +.. warning:: + + Using this module and grant a user with `group_backend`'s group is + equivalent to grant `group_user`'s group everywhere `has_group` + has been used. diff --git a/base_group_backend/readme/USAGE.rst b/base_group_backend/readme/USAGE.rst new file mode 100644 index 000000000..b921656c2 --- /dev/null +++ b/base_group_backend/readme/USAGE.rst @@ -0,0 +1,7 @@ +To use this module, you need to: + +#. Go to Configuration / Users / Users, choose a user and set the user type. + +You get a users that is only able to access to the Odoo backend which you +can attach other groups that not implies other kind of users (`portal`, +`internal users`) diff --git a/base_group_backend/security/ir.model.access.csv b/base_group_backend/security/ir.model.access.csv new file mode 100644 index 000000000..26e0c9f0f --- /dev/null +++ b/base_group_backend/security/ir.model.access.csv @@ -0,0 +1,13 @@ +id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink +access_res_users_all,res_users all,model_res_users,group_backend,1,0,0,0 +access_res_partners_all,res_partners all,base.model_res_partner,group_backend,1,0,0,0 +access_ir_ui_menu_group_user,ir_ui_menu group_user,base.model_ir_ui_menu,group_backend,1,0,0,0 +access_ir_filter_user,ir_filters all,base.model_ir_filters,group_backend,1,1,1,1 +access_bus_presence,bus.presence,bus.model_bus_presence,group_backend,1,1,1,1 +access_mail_channel_member_user,mail.channel.member.user,mail.model_mail_channel_member,group_backend,1,1,1,0 +access_mail_channel_user,mail.group.user,mail.model_mail_channel,group_backend,1,1,1,0 +access_mail_notification_user,mail.notification.user,mail.model_mail_notification,group_backend,1,1,1,0 +access_mail_activity_user,mail.activity.user,mail.model_mail_activity,group_backend,1,1,1,1 +access_mail_activity_type_user,mail.activity.type.user,mail.model_mail_activity_type,group_backend,1,0,0,0 +access_ir_attachment_group_user,ir_attachment group_user,base.model_ir_attachment,group_backend,1,0,0,0 +access_mail_followers_user,mail.followers.user,mail.model_mail_followers,group_backend,1,0,0,0 diff --git a/base_group_backend/static/description/index.html b/base_group_backend/static/description/index.html new file mode 100644 index 000000000..34383a765 --- /dev/null +++ b/base_group_backend/static/description/index.html @@ -0,0 +1,481 @@ + + + + + + +Group backend + + + +
+

Group backend

+ + +

Beta License: LGPL-3 OCA/server-backend Translate me on Weblate Try me on Runboat

+

This module was written to extend the standard functionality regarding users +and groups management by adding a new Backend user group that only gives access +to odoo backend (/web):

+
    +
  • minimal default access: +* users and partners (this is necessary to access your own data) +* mail activity, notification and channel +* presence
    • +
  • minimal default menu +* notification +* activities
    • +
  • minimal default access rules
    • +
+

The problem with the Internal user is when you want to gives access to the +backend to a really thin part of your business to some users, it’s quite hard +to properly maintain those roles over the project life, a lot of models use +that group (base.group_user) by default which makes hard to maintains.

+

So that helps creating well-defined user groups with more controls.

+

This modules does 3 things: +* It hijack the has_group method of res.users by returning True for group_backend users when the requested group is group_user (The need for this needs to be investigated) +* It sets the res_users.share to False for group_backend users. This allows those users to access the backend. +* It sets the bare minimum permission in the ir.model.access.csv to display the backend

+

We suggest to use this module with its compagnon base_user_role

+
+

Limitations

+

At the time of writing, Odoo uses res.users.share == False to give the +backend access. +However to be able to access the backend without any errors some basic rights are necessary. +This module change the way res.users.share is computed to allow group_backend users to use the backend.

+

This avoids to write a lot of overwrite in different controllers from +different modules (‘portal’, ‘web’, ‘base’, ‘website’) with hard coded statements +that check if user is part of the base.group_user or share == False group.

+
+

Warning

+

Using this module and grant a user with group_backend’s group is +equivalent to grant group_user’s group everywhere has_group +has been used.

+
+

Table of contents

+ +
+

Configuration

+

To allow group_backend to interact with a model you can either add access rules to the group +or you can add implied_ids to group_backend.

+
+

Note

+

Be aware users can only belong to one group from the user type category +(base.module_category_user_type). So your other groups can’t inherit both +internal users and backend users.

+
+
+
+

Usage

+

To use this module, you need to:

+
    +
  1. Go to Configuration / Users / Users, choose a user and set the user type.
    2. +
+

You get a users that is only able to access to the Odoo backend which you +can attach other groups that not implies other kind of users (portal, +internal users)

+
+
+

Bug Tracker

+

Bugs are tracked on GitHub Issues. +In case of trouble, please check there if your issue has already been reported. +If you spotted it first, help us to smash it by providing a detailed and welcomed +feedback.

+

Do not contact contributors directly about support or help with technical issues.

+
+ +
+
+

Authors

+
    +
  • Pierre Verkest
    • +
+
+
+

Contributors

+ +

Do not contact contributors directly about support or help with technical issues.

+
+
+

Maintainers

+

This module is maintained by the OCA.

+Odoo Community Association +

OCA, or the Odoo Community Association, is a nonprofit organization whose +mission is to support the collaborative development of Odoo features and +promote its widespread use.

+

Current maintainer:

+

oca

+

This module is part of the OCA/server-backend project on GitHub.

+

You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.

+
+
+ + diff --git a/base_group_backend/tests/__init__.py b/base_group_backend/tests/__init__.py new file mode 100644 index 000000000..d9b96c4fa --- /dev/null +++ b/base_group_backend/tests/__init__.py @@ -0,0 +1 @@ +from . import test_module diff --git a/base_group_backend/tests/test_module.py b/base_group_backend/tests/test_module.py new file mode 100644 index 000000000..a674b244f --- /dev/null +++ b/base_group_backend/tests/test_module.py @@ -0,0 +1,19 @@ +from odoo import Command +from odoo.tests.common import TransactionCase + + +class TestResUsers(TransactionCase): + @classmethod + def setUpClass(cls): + super().setUpClass() + cls.base_group_backend = cls.env.ref("base_group_backend.group_backend") + cls.internal_user = cls.env.ref("base.user_demo") + cls.portal_user = cls.env.ref("base.demo_user0") + + def test_has_groups(self): + self.assertFalse(self.portal_user.has_group("base.group_user")) + self.assertTrue(self.internal_user.has_group("base.group_user")) + self.portal_user.write( + {"groups_id": [Command.set([self.base_group_backend.id])]} + ) + self.assertTrue(self.portal_user.has_group("base.group_user")) From 9abb05da9cead724bd807c68a0c0c1f9608f78a5 Mon Sep 17 00:00:00 2001 From: David Beal Date: Mon, 7 Aug 2023 17:38:47 +0200 Subject: [PATCH 02/10] FIX base_grp_backend: precommit and better names in ir.model.access --- base_group_backend/__manifest__.py | 1 - base_group_backend/demo/__init__.py | 3 +- .../demo/backend_dummy_model.py | 11 ++- .../demo/backend_dummy_model.xml | 84 ++++++++++--------- base_group_backend/demo/ir.model.access.csv | 4 +- base_group_backend/demo/test-model.xml | 12 +-- base_group_backend/models/res_users.py | 13 +-- .../security/ir.model.access.csv | 24 +++--- 8 files changed, 80 insertions(+), 72 deletions(-) diff --git a/base_group_backend/__manifest__.py b/base_group_backend/__manifest__.py index 26b4c5847..cd445f0c8 100644 --- a/base_group_backend/__manifest__.py +++ b/base_group_backend/__manifest__.py @@ -19,5 +19,4 @@ "security/ir.model.access.csv", ], "installable": True, - "application": True } diff --git a/base_group_backend/demo/__init__.py b/base_group_backend/demo/__init__.py index 0c1800555..87682b5ef 100644 --- a/base_group_backend/demo/__init__.py +++ b/base_group_backend/demo/__init__.py @@ -1,5 +1,4 @@ from odoo.tools import config -if not config['without_demo']: +if not config["without_demo"]: from . import backend_dummy_model - diff --git a/base_group_backend/demo/backend_dummy_model.py b/base_group_backend/demo/backend_dummy_model.py index 49fd4b120..561ef8119 100644 --- a/base_group_backend/demo/backend_dummy_model.py +++ b/base_group_backend/demo/backend_dummy_model.py @@ -1,11 +1,16 @@ from odoo import fields, models + class BackendDummyModel(models.Model): _name = "backend.dummy.model" _inherit = ["mail.activity.mixin"] - _description = 'Nothing to see here' + _description = "Backend Dummy Model demo" my_value = fields.Char(name="Value", required=True) my_other_value = fields.Char(name="Other value", required=True) - date_start = fields.Datetime(name="Date start", required=True, default=fields.Datetime.now) - date_stop = fields.Datetime(name="Date stop", required=True, default=fields.Datetime.now) + date_start = fields.Datetime( + name="Date start", required=True, default=fields.Datetime.now + ) + date_stop = fields.Datetime( + name="Date stop", required=True, default=fields.Datetime.now + ) diff --git a/base_group_backend/demo/backend_dummy_model.xml b/base_group_backend/demo/backend_dummy_model.xml index 927f9bca0..3af728dd1 100644 --- a/base_group_backend/demo/backend_dummy_model.xml +++ b/base_group_backend/demo/backend_dummy_model.xml @@ -1,43 +1,45 @@ - + - - - Backend dummy tree view - backend.dummy.model - - - - - - - - - Dummies - ir.actions.act_window - backend.dummy.model - tree,form,kanban,calendar,pivot,graph,activity - - - - - - + + + Backend dummy tree view + backend.dummy.model + + + + + + + + + + Dummies + ir.actions.act_window + backend.dummy.model + tree,form,kanban,calendar,pivot,graph,activity + + + + + + + diff --git a/base_group_backend/demo/ir.model.access.csv b/base_group_backend/demo/ir.model.access.csv index fb5cf5869..95d560f98 100644 --- a/base_group_backend/demo/ir.model.access.csv +++ b/base_group_backend/demo/ir.model.access.csv @@ -1,3 +1,3 @@ "id","name","model_id:id","group_id:id","perm_read","perm_write","perm_create","perm_unlink" -"access_backend_dummy_models","backend_dummy_model all","base_group_backend.model_backend_dummy_model",group_backend,1,0,0,0 -"access_backend_dummy_models_all","backend_dummy_model all","base_group_backend.model_backend_dummy_model",base.group_user,1,0,0,0 +"backend_dummy_models","backend dummy.model","model_backend_dummy_model",group_backend,1,0,0,0 +"backend_dummy_models_user_grp","backend dummy.model user grp","model_backend_dummy_model",base.group_user,1,0,0,0 diff --git a/base_group_backend/demo/test-model.xml b/base_group_backend/demo/test-model.xml index 70db20802..42caa5cc7 100644 --- a/base_group_backend/demo/test-model.xml +++ b/base_group_backend/demo/test-model.xml @@ -1,8 +1,8 @@ - - - hello - hello - - + + + hello + hello + + diff --git a/base_group_backend/models/res_users.py b/base_group_backend/models/res_users.py index 51c51b8f0..8c456e5e6 100644 --- a/base_group_backend/models/res_users.py +++ b/base_group_backend/models/res_users.py @@ -8,7 +8,6 @@ class Users(models.Model): _inherit = "res.users" - # TODO: (franz) make it clear why we test with "." group and why the share = True @api.model def has_group(self, group_ext_id): @@ -33,10 +32,14 @@ def has_group(self, group_ext_id): return has_base_group_backend return res - @api.depends('groups_id') + @api.depends("groups_id") def _compute_share(self): - user_group_id = self.env['ir.model.data']._xmlid_to_res_id('base.group_user') - backend_user_group_id = self.env['ir.model.data']._xmlid_to_res_id('base_group_backend.group_backend') - internal_users = self.filtered_domain([('groups_id', 'in', [user_group_id, backend_user_group_id])]) + user_group_id = self.env["ir.model.data"]._xmlid_to_res_id("base.group_user") + backend_user_group_id = self.env["ir.model.data"]._xmlid_to_res_id( + "base_group_backend.group_backend" + ) + internal_users = self.filtered_domain( + [("groups_id", "in", [user_group_id, backend_user_group_id])] + ) internal_users.share = False (self - internal_users).share = True diff --git a/base_group_backend/security/ir.model.access.csv b/base_group_backend/security/ir.model.access.csv index 26e0c9f0f..c5b504a1d 100644 --- a/base_group_backend/security/ir.model.access.csv +++ b/base_group_backend/security/ir.model.access.csv @@ -1,13 +1,13 @@ id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink -access_res_users_all,res_users all,model_res_users,group_backend,1,0,0,0 -access_res_partners_all,res_partners all,base.model_res_partner,group_backend,1,0,0,0 -access_ir_ui_menu_group_user,ir_ui_menu group_user,base.model_ir_ui_menu,group_backend,1,0,0,0 -access_ir_filter_user,ir_filters all,base.model_ir_filters,group_backend,1,1,1,1 -access_bus_presence,bus.presence,bus.model_bus_presence,group_backend,1,1,1,1 -access_mail_channel_member_user,mail.channel.member.user,mail.model_mail_channel_member,group_backend,1,1,1,0 -access_mail_channel_user,mail.group.user,mail.model_mail_channel,group_backend,1,1,1,0 -access_mail_notification_user,mail.notification.user,mail.model_mail_notification,group_backend,1,1,1,0 -access_mail_activity_user,mail.activity.user,mail.model_mail_activity,group_backend,1,1,1,1 -access_mail_activity_type_user,mail.activity.type.user,mail.model_mail_activity_type,group_backend,1,0,0,0 -access_ir_attachment_group_user,ir_attachment group_user,base.model_ir_attachment,group_backend,1,0,0,0 -access_mail_followers_user,mail.followers.user,mail.model_mail_followers,group_backend,1,0,0,0 +res_users_backend,backend user res.users,base.model_res_users,group_backend,1,0,0,0 +res_partner_backend,backend user res.partner,base.model_res_partner,group_backend,1,0,0,0 +ir_ui_menu_backend,backend user ir.ui.menu,base.model_ir_ui_menu,group_backend,1,0,0,0 +ir_filter_backend,backend user ir.filters,base.model_ir_filters,group_backend,1,1,1,1 +bus_presence_backend,backend user bus.presence,bus.model_bus_presence,group_backend,1,1,1,1 +mail_channel_member_backend,backend user mail.channel.member,mail.model_mail_channel_member,group_backend,1,1,1,0 +mail_channel_backend,backend user mail.group,mail.model_mail_channel,group_backend,1,1,1,0 +mail_notification_backend,backend user mail.notification,mail.model_mail_notification,group_backend,1,1,1,0 +mail_activity_backend,backend user mail.activity,mail.model_mail_activity,group_backend,1,1,1,1 +mail_activity_type_backend,backend user mail.activity.type,mail.model_mail_activity_type,group_backend,1,0,0,0 +ir_attachment_group_backend,backend user ir.attachment,base.model_ir_attachment,group_backend,1,0,0,0 +mail_followers_backend,backend user mail.followers,mail.model_mail_followers,group_backend,1,0,0,0 From 59583a4d1348f9588181c78d62d5ba82fc20d7bb Mon Sep 17 00:00:00 2001 From: Francois Poizat Date: Thu, 17 Aug 2023 14:38:52 +0200 Subject: [PATCH 03/10] IMPL calls super in group_backend res_users compute_share FIX applies pre-commit IMPL adds test for share of backend user FIX pre-commit pass IMPL removes mail.activity.mixin from dummy model because it is not needed for the test IMPL renames and divide the base_group_backend into 2 groups one that provide the basic rights and another that allow login in the app IMPL changes backend ui users to a user type FIX pre-commit pass FIX removes useless imports FIX adds share to group_backend_ui_users IMPL adds mail_channel to access rights FIX tests now working FIX pre-commit pass --- base_group_backend/README.rst | 2 +- base_group_backend/__manifest__.py | 11 ++++- base_group_backend/data/ir_ui_menu.xml | 8 ++++ base_group_backend/data/res-groups.xml | 18 -------- base_group_backend/data/res_groups.xml | 43 ++++++++++++++++++ .../demo/backend_dummy_model.py | 1 - .../demo/backend_dummy_model.xml | 11 +++-- base_group_backend/demo/ir.model.access.csv | 2 +- base_group_backend/demo/res_partners.xml | 12 +++++ base_group_backend/demo/res_users.xml | 21 +++++++++ base_group_backend/demo/test-model.xml | 5 +-- base_group_backend/models/__init__.py | 1 - base_group_backend/models/res_users.py | 21 +++++---- base_group_backend/readme/ROADMAP.rst | 5 +++ .../security/ir.model.access.csv | 44 ++++++++++++++----- .../static/description/index.html | 30 ++++++------- base_group_backend/tests/test_module.py | 18 ++++++-- 17 files changed, 182 insertions(+), 71 deletions(-) create mode 100644 base_group_backend/data/ir_ui_menu.xml delete mode 100644 base_group_backend/data/res-groups.xml create mode 100644 base_group_backend/data/res_groups.xml create mode 100644 base_group_backend/demo/res_partners.xml create mode 100644 base_group_backend/demo/res_users.xml create mode 100644 base_group_backend/readme/ROADMAP.rst diff --git a/base_group_backend/README.rst b/base_group_backend/README.rst index a00d2b3bd..c77b5aeb4 100644 --- a/base_group_backend/README.rst +++ b/base_group_backend/README.rst @@ -7,7 +7,7 @@ Group backend !! This file is generated by oca-gen-addon-readme !! !! changes will be overwritten. !! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! - !! source digest: sha256:6aed3105c0a4c58cc34c910e88d34a68e14d38a8d549160bbc5b8f276320cda4 + !! source digest: sha256:c7397d2b2e542e6918527090ab259d68f9d3b6a25386feccdc38002e51be4e31 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! .. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png diff --git a/base_group_backend/__manifest__.py b/base_group_backend/__manifest__.py index cd445f0c8..cf03013e6 100644 --- a/base_group_backend/__manifest__.py +++ b/base_group_backend/__manifest__.py @@ -8,14 +8,21 @@ "license": "LGPL-3", "maintainers": ["oca"], "website": "https://github.com/OCA/server-backend", - "depends": ["base", "mail"], + "depends": [ + "base", + "base_install_request", # weird module, we need to survive with it + "mail", + ], "demo": [ "demo/test-model.xml", "demo/ir.model.access.csv", "demo/backend_dummy_model.xml", + "demo/res_partners.xml", + "demo/res_users.xml", ], "data": [ - "data/res-groups.xml", + "data/res_groups.xml", + "data/ir_ui_menu.xml", "security/ir.model.access.csv", ], "installable": True, diff --git a/base_group_backend/data/ir_ui_menu.xml b/base_group_backend/data/ir_ui_menu.xml new file mode 100644 index 000000000..a8a80e106 --- /dev/null +++ b/base_group_backend/data/ir_ui_menu.xml @@ -0,0 +1,8 @@ + + + + + + + + diff --git a/base_group_backend/data/res-groups.xml b/base_group_backend/data/res-groups.xml deleted file mode 100644 index eb3291e9b..000000000 --- a/base_group_backend/data/res-groups.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - Backend user - - - This group is used to gives user backend access. - - While users in `base.group_user` gets a lot of default access - which makes hard to define properly records/rules/menu access. - - So for maintainability you shouldn't linked any access right, rules, - menu, and so on to this group directly. - - The only intent of this groups is to be able to get a session - to Odoo backend (`/web`). - - - diff --git a/base_group_backend/data/res_groups.xml b/base_group_backend/data/res_groups.xml new file mode 100644 index 000000000..db3df0068 --- /dev/null +++ b/base_group_backend/data/res_groups.xml @@ -0,0 +1,43 @@ + + + + Backend user + + + This group is used to gives user backend access. + + While users in `base.group_user` gets a lot of default access + which makes hard to define properly records/rules/menu access. + + So for maintainability you shouldn't linked any access right, rules, + menu, and so on to this group directly. + + The only intent of this groups is to be able to get a session + to Odoo backend (`/web`). + + + + + Backend UI user + + + This group is used to gives user basic ui access. + + + + + diff --git a/base_group_backend/demo/backend_dummy_model.py b/base_group_backend/demo/backend_dummy_model.py index 561ef8119..649f22418 100644 --- a/base_group_backend/demo/backend_dummy_model.py +++ b/base_group_backend/demo/backend_dummy_model.py @@ -3,7 +3,6 @@ class BackendDummyModel(models.Model): _name = "backend.dummy.model" - _inherit = ["mail.activity.mixin"] _description = "Backend Dummy Model demo" my_value = fields.Char(name="Value", required=True) diff --git a/base_group_backend/demo/backend_dummy_model.xml b/base_group_backend/demo/backend_dummy_model.xml index 3af728dd1..ade0d44c0 100644 --- a/base_group_backend/demo/backend_dummy_model.xml +++ b/base_group_backend/demo/backend_dummy_model.xml @@ -1,13 +1,12 @@ - - + Backend dummy tree view backend.dummy.model - + @@ -24,20 +23,20 @@ id="menu_dummy_root" name="Dummy" sequence="100" - groups="group_backend,base.group_user" + groups="group_backend_ui_users,base.group_user" /> diff --git a/base_group_backend/demo/ir.model.access.csv b/base_group_backend/demo/ir.model.access.csv index 95d560f98..6c353bcb6 100644 --- a/base_group_backend/demo/ir.model.access.csv +++ b/base_group_backend/demo/ir.model.access.csv @@ -1,3 +1,3 @@ "id","name","model_id:id","group_id:id","perm_read","perm_write","perm_create","perm_unlink" -"backend_dummy_models","backend dummy.model","model_backend_dummy_model",group_backend,1,0,0,0 +"backend_dummy_models","backend dummy.model","model_backend_dummy_model",group_backend_ui_users,1,0,0,0 "backend_dummy_models_user_grp","backend dummy.model user grp","model_backend_dummy_model",base.group_user,1,0,0,0 diff --git a/base_group_backend/demo/res_partners.xml b/base_group_backend/demo/res_partners.xml new file mode 100644 index 000000000..32b455809 --- /dev/null +++ b/base_group_backend/demo/res_partners.xml @@ -0,0 +1,12 @@ + + + + Demo partner backend + + + Demo partner backend 1 + + + Demo partner backend 2 + + diff --git a/base_group_backend/demo/res_users.xml b/base_group_backend/demo/res_users.xml new file mode 100644 index 000000000..37baa44a6 --- /dev/null +++ b/base_group_backend/demo/res_users.xml @@ -0,0 +1,21 @@ + + + + demo backend user + + + + + demo backend user 1 + + + + + demo backend user 2 + + + + diff --git a/base_group_backend/demo/test-model.xml b/base_group_backend/demo/test-model.xml index 42caa5cc7..3ced409a7 100644 --- a/base_group_backend/demo/test-model.xml +++ b/base_group_backend/demo/test-model.xml @@ -1,8 +1,7 @@ - - + + hello hello - diff --git a/base_group_backend/models/__init__.py b/base_group_backend/models/__init__.py index beafab2fa..883516533 100644 --- a/base_group_backend/models/__init__.py +++ b/base_group_backend/models/__init__.py @@ -1,2 +1 @@ -from odoo.tools import config from . import res_users diff --git a/base_group_backend/models/res_users.py b/base_group_backend/models/res_users.py index 8c456e5e6..87a6c2484 100644 --- a/base_group_backend/models/res_users.py +++ b/base_group_backend/models/res_users.py @@ -8,7 +8,6 @@ class Users(models.Model): _inherit = "res.users" - # TODO: (franz) make it clear why we test with "." group and why the share = True @api.model def has_group(self, group_ext_id): """While ensuring a user is part of `base.group_user` this code will @@ -25,21 +24,27 @@ def has_group(self, group_ext_id): res = super().has_group(group_ext_id) if not res and (group_ext_id == "base.group_user"): has_base_group_backend = super().has_group( - "base_group_backend.group_backend" - ) + "base_group_backend.base_group_backend" + ) or super().has_group("base_group_backend.group_backend_ui_users") if has_base_group_backend: - _logger.warning("Forcing has_group to return True for group_backend") + _logger.warning( + "Forcing has_group to return True" + + " for group_backend and base_group_backend_ui_users" + ) return has_base_group_backend return res @api.depends("groups_id") def _compute_share(self): - user_group_id = self.env["ir.model.data"]._xmlid_to_res_id("base.group_user") + res = super()._compute_share() backend_user_group_id = self.env["ir.model.data"]._xmlid_to_res_id( - "base_group_backend.group_backend" + "base_group_backend.base_group_backend" + ) + backend_ui_user_group_id = self.env["ir.model.data"]._xmlid_to_res_id( + "base_group_backend.group_backend_ui_users" ) internal_users = self.filtered_domain( - [("groups_id", "in", [user_group_id, backend_user_group_id])] + [("groups_id", "in", [backend_user_group_id, backend_ui_user_group_id])] ) internal_users.share = False - (self - internal_users).share = True + return res diff --git a/base_group_backend/readme/ROADMAP.rst b/base_group_backend/readme/ROADMAP.rst new file mode 100644 index 000000000..5190afe11 --- /dev/null +++ b/base_group_backend/readme/ROADMAP.rst @@ -0,0 +1,5 @@ +Current module depends on `base_install_request` instead of `base`. + +We don't need `base_install_request` auto install module but we must override it to set a security group on `App` menu. + +This dependency should be remove if possible in future versions. diff --git a/base_group_backend/security/ir.model.access.csv b/base_group_backend/security/ir.model.access.csv index c5b504a1d..1746a2398 100644 --- a/base_group_backend/security/ir.model.access.csv +++ b/base_group_backend/security/ir.model.access.csv @@ -1,13 +1,33 @@ id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink -res_users_backend,backend user res.users,base.model_res_users,group_backend,1,0,0,0 -res_partner_backend,backend user res.partner,base.model_res_partner,group_backend,1,0,0,0 -ir_ui_menu_backend,backend user ir.ui.menu,base.model_ir_ui_menu,group_backend,1,0,0,0 -ir_filter_backend,backend user ir.filters,base.model_ir_filters,group_backend,1,1,1,1 -bus_presence_backend,backend user bus.presence,bus.model_bus_presence,group_backend,1,1,1,1 -mail_channel_member_backend,backend user mail.channel.member,mail.model_mail_channel_member,group_backend,1,1,1,0 -mail_channel_backend,backend user mail.group,mail.model_mail_channel,group_backend,1,1,1,0 -mail_notification_backend,backend user mail.notification,mail.model_mail_notification,group_backend,1,1,1,0 -mail_activity_backend,backend user mail.activity,mail.model_mail_activity,group_backend,1,1,1,1 -mail_activity_type_backend,backend user mail.activity.type,mail.model_mail_activity_type,group_backend,1,0,0,0 -ir_attachment_group_backend,backend user ir.attachment,base.model_ir_attachment,group_backend,1,0,0,0 -mail_followers_backend,backend user mail.followers,mail.model_mail_followers,group_backend,1,0,0,0 +backend_ui_users_ir_default,backend_ui_users_ir_default,base.model_ir_default,group_backend_ui_users,1,1,1,1 +backend_ui_users_ir_filters,backend_ui_users_ir_filters,base.model_ir_filters,group_backend_ui_users,1,1,1,1 +backend_ui_users_ir_model,backend_ui_users_ir_model,base.model_ir_model,group_backend_ui_users,1,0,0,0 +backend_ui_users_ir_model_fields,backend_ui_users_ir_model_fields,base.model_ir_model_fields,group_backend_ui_users,1,0,0,0 +backend_ui_users_ir_model_data,backend_ui_users_ir_model_data,base.model_ir_model_data,group_backend_ui_users,1,0,1,0 +backend_ui_users_ir_model_fields_selection,backend_ui_users_ir_model_fields_selection,base.model_ir_model_fields_selection,group_backend_ui_users,1,0,0,0 +backend_ui_users_ir_sequence,backend_ui_users_ir_sequence,base.model_ir_sequence,group_backend_ui_users,1,0,0,0 +backend_ui_users_ir_sequence_date_range,backend_ui_users_ir_sequence_date_range,base.model_ir_sequence_date_range,group_backend_ui_users,1,0,0,0 +backend_ui_users_ir_ui_menu,backend_ui_users_ir_ui_menu,base.model_ir_ui_menu,group_backend_ui_users,1,0,0,0 +backend_ui_users_ir_attachment,backend_ui_users_ir_attachment,base.model_ir_attachment,group_backend_ui_users,1,0,1,0 +backend_ui_users_res_partner,backend_ui_users_res_partner,base.model_res_partner,group_backend_ui_users,1,0,0,0 +backend_ui_users_bus_presence,backend_ui_users_bus_presence,bus.model_bus_presence,group_backend_ui_users,1,1,1,1 +backend_ui_users_mail_channel_member_public,backend_ui_users_mail_channel_member,mail.model_mail_channel_member,group_backend_ui_users,1,1,1,0 +backend_ui_users_mail_channel_public,backend_ui_users_mail_channel_member,mail.model_mail_channel,group_backend_ui_users,1,1,1,0 +backend_ui_users_mail_activity,backend_ui_users_mail_activity,mail.model_mail_activity,group_backend_ui_users,1,1,1,1 +backend_ui_users_mail_activity_type,backend_ui_users_mail_activity_type,mail.model_mail_activity_type,group_backend_ui_users,1,0,0,0 +backend_ui_users_mail_followers,backend_ui_users_mail_followers,mail.model_mail_followers,group_backend_ui_users,1,0,0,0 +backend_ui_users_mail_mail,backend_ui_users_mail_mail,mail.model_mail_mail,group_backend_ui_users,0,0,0,0 +backend_ui_users_mail_compose_message,backend_ui_users_mail_compose_message,mail.model_mail_compose_message,group_backend_ui_users,1,1,1,0 +backend_ui_users_mail_wizard_invite,backend_ui_users_mail_wizard_invite,mail.model_mail_wizard_invite,group_backend_ui_users,1,1,1,0 +backend_ui_users_mail_template,backend_ui_users_mail_template,mail.model_mail_template,group_backend_ui_users,1,0,0,0 +backend_ui_users_mail_template_preview,backend_ui_users_mail_template_preview,mail.model_mail_template_preview,group_backend_ui_users,1,0,0,0 +backend_ui_users_mail_message,backend_ui_users_mail_message,mail.model_mail_message,group_backend_ui_users,1,1,1,0 +backend_ui_users_mail_resend_message,backend_ui_users_mail_resend_message,mail.model_mail_resend_message,group_backend_ui_users,1,1,1,0 +backend_ui_users_mail_notification,backend_ui_users_mail_notification,mail.model_mail_notification,group_backend_ui_users,1,1,1,1 +backend_ui_users_mail_alias,backend_ui_users_mail_alias,mail.model_mail_alias,group_backend_ui_users,1,0,0,0 +backend_ui_users_res_groups,backend_ui_users_res_groups,base.model_res_groups,group_backend_ui_users,1,0,0,0 +backend_ui_users_res_partner_category,backend_ui_users_res_partner_category,base.model_res_partner_category,group_backend_ui_users,1,0,0,0 +backend_ui_users_res_partner_industry,backend_ui_users_res_partner_industry,base.model_res_partner_industry,group_backend_ui_users,1,0,0,0 +backend_ui_users_res_users_identitycheck,backend_ui_users_res_users_identitycheck,base.model_res_users_identitycheck,group_backend_ui_users,1,1,1,0 +backend_ui_users_res_bank,backend_ui_users_res_bank,base.model_res_bank,group_backend_ui_users,1,0,0,0 +backend_ui_users_res_partner_bank,backend_ui_users_res_partner_bank,base.model_res_partner_bank,group_backend_ui_users,1,0,0,0 diff --git a/base_group_backend/static/description/index.html b/base_group_backend/static/description/index.html index 34383a765..ed78c3816 100644 --- a/base_group_backend/static/description/index.html +++ b/base_group_backend/static/description/index.html @@ -1,20 +1,20 @@ - + - + Group backend