grap · github-grap-bot · Dec 17, 2024 · Nov 29, 2024 · Dec 16, 2024 · Dec 16, 2024
diff --git a/setup/user_limited_access_settings/odoo/addons/user_limited_access_settings b/setup/user_limited_access_settings/odoo/addons/user_limited_access_settings
@@ -0,0 +1 @@
+../../../../user_limited_access_settings
diff --git a/setup/user_limited_access_settings/setup.py b/setup/user_limited_access_settings/setup.py
@@ -0,0 +1,6 @@
+import setuptools
+
+setuptools.setup(
+    setup_requires=['setuptools-odoo'],
+    odoo_addon=True,
+)
diff --git a/user_limited_access_settings/README.rst b/user_limited_access_settings/README.rst
@@ -0,0 +1,5 @@
+============================
+User Limited Access Settings
+============================
+
+Create a new Administration group with limited access to create only users and companies
diff --git a/user_limited_access_settings/__init__.py b/user_limited_access_settings/__init__.py
@@ -0,0 +1 @@
+from . import models
diff --git a/user_limited_access_settings/__manifest__.py b/user_limited_access_settings/__manifest__.py
@@ -0,0 +1,30 @@
+# Copyright 2024 GRAP
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+{
+    "name": "User Limited Access Settings",
+    "summary": """Create a new Administration group with
+    limited access to create only users and companies""",
+    "version": "16.0.1.0.0",
+    "license": "AGPL-3",
+    "author": "GRAP",
+    "website": "https://github.com/grap/grap-odoo-incubator",
+    "depends": [
+        # Odoo
+        "base_setup",
+        "auth_signup",
+        # OCA
+        "base_user_role",
+        "res_company_category",
+    ],
+    "data": [
+        "security/res_groups.xml",
+        "security/ir_rule.xml",
+        "security/ir.model.access.csv",
+        "views/menu.xml",
+    ],
+    "demo": [
+        "demo/res_partner.xml",
+        "demo/res_users.xml",
+    ],
+}
diff --git a/user_limited_access_settings/demo/res_partner.xml b/user_limited_access_settings/demo/res_partner.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright 2024 Sylvain LE GAL - GRAP
+     License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl). -->
+
+<odoo>
+
+    <record id="partner_demo" model="res.partner">
+        <field name="name">Limited Access</field>
+        <field name="company_id" ref="base.main_company"/>
+        <field name="country_id" ref="base.us"/>
+        <field name="tz">Europe/Brussels</field>
+        <field name="email">[email protected]</field>
+    </record>
+
+</odoo>
diff --git a/user_limited_access_settings/demo/res_users.xml b/user_limited_access_settings/demo/res_users.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright 2024 Sylvain LE GAL - GRAP
+     License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl). -->
+
+<odoo>
+
+    <record id="user_demo" model="res.users">
+        <field name="partner_id" ref="partner_demo"/>
+        <field name="login">limited</field>
+        <field name="password">limited</field>
+        <field name="signature" type="html"><span>-- <br/>+Mr Limited Access</span></field>
+        <field name="company_id" ref="base.main_company"/>
+        <field name="groups_id" eval="[Command.set([
+            ref('user_limited_access_settings.group_limited_settings'),
+            ref('base.group_partner_manager'),
+            ])]"/>
+    </record>
+
+</odoo>
diff --git a/user_limited_access_settings/models/__init__.py b/user_limited_access_settings/models/__init__.py
@@ -0,0 +1,2 @@
+from . import res_users
+from . import res_partner
diff --git a/user_limited_access_settings/models/res_partner.py b/user_limited_access_settings/models/res_partner.py
@@ -0,0 +1,23 @@
+# Copyright 2024 Sylvain LE GAL - GRAP
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+from odoo import fields, models
+
+
+class ResPartner(models.Model):
+    _inherit = "res.partner"
+
+    signup_expiration = fields.Datetime(
+        groups="base.group_erp_manager,"
+        "user_limited_access_settings.group_limited_settings"
+    )
+
+    signup_token = fields.Char(
+        groups="base.group_erp_manager,"
+        "user_limited_access_settings.group_limited_settings"
+    )
+
+    signup_type = fields.Char(
+        groups="base.group_erp_manager,"
+        "user_limited_access_settings.group_limited_settings"
+    )
diff --git a/user_limited_access_settings/models/res_users.py b/user_limited_access_settings/models/res_users.py
@@ -0,0 +1,43 @@
+# Copyright 2024 Sylvain LE GAL - GRAP
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+from odoo import _, api, fields, models
+from odoo.exceptions import ValidationError
+
+
+class ResUsers(models.Model):
+    _inherit = "res.users"
+
+    role_line_ids = fields.One2many(
+        groups="base.group_erp_manager,user_limited_access_settings.group_limited_settings",
+    )
+
+    role_ids = fields.One2many(
+        groups="base.group_erp_manager,user_limited_access_settings.group_limited_settings",
+    )
+
+    @api.constrains("groups_id")
+    def _check_escalation(self):
+        if self.env.user._is_admin():
+            return
+        missing_groups = self.env["res.groups"]
+        allowed_groups = (
+            self.env.user.groups_id
+            | self.env.ref("base.group_user")
+            | self.env.ref("base.group_portal")
+            | self.env.ref("base.group_public")
+        )
+        for group in self.groups_id:
+            if group not in allowed_groups:
+                missing_groups |= group
+
+            if missing_groups:
+                raise ValidationError(
+                    _(
+                        "You can set the group '%(group_names)s'"
+                        " to users, because you are not member of those groups.",
+                        group_names=" , ".join(
+                            [x.display_name for x in missing_groups]
+                        ),
+                    )
+                )
diff --git a/user_limited_access_settings/readme/DESCRIPTION.rst b/user_limited_access_settings/readme/DESCRIPTION.rst
@@ -0,0 +1,8 @@
+This module adds a new basic Administration group named, "Limited Settings".
+
+Members of this group can only create users and companies, and see User Roles.
+
+**Note:**
+
+We prevent right escalation, by preventing user to give access to
+groups if he is not member of the group himself.
diff --git a/user_limited_access_settings/security/ir.model.access.csv b/user_limited_access_settings/security/ir.model.access.csv
@@ -0,0 +1,12 @@
+id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
+access_change_password_user,access.change.password.user,base.model_change_password_user,group_limited_settings,1,1,1,0
+access_change_password_wizard,access.change.password.wizard,base.model_change_password_wizard,group_limited_settings,1,1,1,0
+access_res_company_group_erp_manager,res_company group_erp_manager,base.model_res_company,group_limited_settings,1,1,1,1
+access_res_users_group_erp_manager,res_users group_erp_manager,base.model_res_users,group_limited_settings,1,1,1,1
+access_ir_module_category_group_user,ir_module_category group_user,base.model_ir_module_category,group_limited_settings,1,0,0,0
+access_res_users_role_limited,access_res_users_role_limited,base_user_role.model_res_users_role,group_limited_settings,1,0,0,0
+access_res_users_role_line_limited,access_res_users_role_line_limited,base_user_role.model_res_users_role_line,group_limited_settings,1,1,1,1
+access_res_company_category_limited,access_res_company_category_limited,res_company_category.model_res_company_category,group_limited_settings,1,1,1,1
+access_ir_model_access_limited,access_ir_model_access_limited,base.model_ir_model_access,group_limited_settings,1,0,0,0
+access_ir_rule_limited,access_ir_rule_limited,base.model_ir_rule,group_limited_settings,1,0,0,0
+access_ir_model_fields_limited,access_ir_model_fields_limited,base.model_ir_model_fields,group_limited_settings,1,0,0,0
diff --git a/user_limited_access_settings/security/ir_rule.xml b/user_limited_access_settings/security/ir_rule.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright 2024 Sylvain LE GAL - GRAP
+     License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl). -->
+
+<odoo>
+
+    <record id="res_company_rule_group_limited_settings" model="ir.rule">
+        <field name="name">company rule limited settings</field>
+        <field name="model_id" ref="base.model_res_company"/>
+        <field eval="False" name="global"/>
+        <field name="groups" eval="[Command.set([ref('user_limited_access_settings.group_limited_settings')])]"/>
+        <field name="domain_force">[(1,'=',1)]</field>
+    </record>
+
+</odoo>
diff --git a/user_limited_access_settings/security/res_groups.xml b/user_limited_access_settings/security/res_groups.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright 2024 Sylvain LE GAL - GRAP
+     License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl). -->
+
+<odoo>
+
+    <record model="res.groups" id="group_limited_settings">
+        <field name="name">Limited Settings</field>
+        <field name="implied_ids" eval="[Command.link(ref('base.group_user'))]"/>
+    </record>
+
+</odoo>
diff --git a/user_limited_access_settings/tests/__init__.py b/user_limited_access_settings/tests/__init__.py
@@ -0,0 +1 @@
+from . import test_module
diff --git a/user_limited_access_settings/tests/test_module.py b/user_limited_access_settings/tests/test_module.py
@@ -0,0 +1,31 @@
+# Copyright (C) 2024 - Today: GRAP (http://www.grap.coop)
+# @author: Sylvain LE GAL (https://twitter.com/legalsylvain)
+# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
+
+from odoo import Command
+from odoo.exceptions import ValidationError
+from odoo.tests.common import TransactionCase
+
+
+class TestModule(TransactionCase):
+    @classmethod
+    def setUpClass(cls):
+        super().setUpClass()
+        cls.demo_user = cls.env.ref("user_limited_access_settings.user_demo")
+        cls.limited_group = cls.env.ref(
+            "user_limited_access_settings.group_limited_settings"
+        )
+        cls.random_group = cls.env.ref("base.group_private_addresses")
+        cls.user_vals = {
+            "name": "User 1",
+            "login": "login1",
+            "groups_id": [Command.set(cls.random_group.ids)],
+        }
+
+    def test_access_escalation_forbidden(self):
+        with self.assertRaises(ValidationError):
+            self.env["res.users"].with_user(self.demo_user).create(self.user_vals)
+
+    def test_access_escalation_allowed(self):
+        self.demo_user.groups_id = [Command.link(self.random_group.id)]
+        self.env["res.users"].with_user(self.demo_user).create(self.user_vals)
diff --git a/user_limited_access_settings/views/menu.xml b/user_limited_access_settings/views/menu.xml
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright 2024 Sylvain LE GAL - GRAP
+     License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl). -->
+
+<odoo>
+
+    <record model="ir.ui.menu" id="base.menu_administration">
+        <field name="groups_id"
+            eval="[Command.link(ref('user_limited_access_settings.group_limited_settings'))]"/>
+    </record>
+
+    <record model="ir.ui.menu" id="base.menu_custom">
+        <field name="groups_id"
+            eval="[Command.set([ref('base.group_erp_manager')])]"/>
+    </record>
+
+    <record model="ir.ui.menu" id="base.menu_translation">
+        <field name="groups_id"
+            eval="[Command.set([ref('base.group_erp_manager')])]"/>
+    </record>
+
+</odoo>
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		from . import res_users
		from . import res_partner