From 023fa4d544585542bf1090a37d332adbccd07ec1 Mon Sep 17 00:00:00 2001
From: Suherdy Yacob <suherdy.yacob@mapan.co.id>
Date: Tue, 6 Jan 2026 09:02:57 +0700
Subject: [PATCH] fix: enforce access restrictions when allowed lists are empty
 and update field help messages to reflect this behavior.

---
 models/__pycache__/res_users.cpython-312.pyc  | Bin 1862 -> 1932 bytes
 .../restricted_models.cpython-312.pyc         | Bin 4624 -> 4224 bytes
 models/res_users.py                           |  10 +++++-----
 models/restricted_models.py                   |  10 +++++-----
 4 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/models/__pycache__/res_users.cpython-312.pyc b/models/__pycache__/res_users.cpython-312.pyc
index 5d3af7a13485ee18d92c12b36106b42904c0d433..620603c45a557d4dc929185ae8ec7cff7721ece6 100644
GIT binary patch
delta 245
zcmX@c*Tc_ynwOW00SFkgV=_ZF@-i|p22JK?vJx*!EiNg_OfFGKOioTME><YXSIEoH
zOPw6VRKOD&keQsFnU}5*Qduy0K8q1f#hlCmjDeG*m@RRtn8O^(6B3?Zl&#>Lnpcuq
zG<gAwAx_2SEMbh%llxelajDpRizSMYF>$gfn;K)v<QO2CFu55>CQn`kB(o-8WGe*#
D1kq6f

delta 153
zcmeC-KgP#<nwOW00SH8`qBHq6@-i|px=iM0vf@n4$;mHQ0Fsjvm<kx(CtqZ;MG{kG
z4q$YiT*hpPBzBBBl+kUn42untSUyV_qwnNnEY1kA%?hkhjEupPtJ%~T!zM2Rl0lPC
Q0?E+HAAn@cWO4RV0Qa6O=Kufz

diff --git a/models/__pycache__/restricted_models.cpython-312.pyc b/models/__pycache__/restricted_models.cpython-312.pyc
index b4a26e384727cb5b02d8c81c2cbc4615e1f92c41..a6c7e60485a90a9423477b0217bdb4984be818c1 100644
GIT binary patch
delta 464
zcmbQB(xAw9nwOW00SK70V=`;mH}V~4WO~9d`5}iPvwI2a<b|9vle5@V8963DWE7qp
z&L%v0FQ?b!zf5{uMXW$gx0oIMTqbKX%T5krz9<w06#3D>@PJ>qzoN6Ezq+e>@(cml
z%}Fd}1kH@m02x;#2qJ_)21_L7<m8v9ro<OyCTC~nrN@_47No{!rW8-M=hd2=!Y+r)
zwu9_)gl*$SvTd>ym(*kjprILDQaBCeBH2)08K9vqxC}hZ%R-_nnFN%925L@@5Wwd3
J%`*fl7y*%Dh;;w}

delta 673
zcmZoroS?#YnwOW00SI0@MrQ_aY~(x6$fUwJ*^$GLF@5p`R&hp_$qyNYCm&}OW+`$n
z;hcPsLuT?VR#k-X<hvYRllL;|so!ELElw@EC7PI%lV6^i5?`KJl$wzb6pPPHDK26K
zT5*fn(a&YF5c5T)EFkYk1H%J;;r@!wivH@Z>KP^TD`r;Aubo+YUEb-EywhY3e%Z}J
zEM=s-CWcXPaxa@4C&<PkVIVP?pGRx*6*f5nwz^)DcLm$3$Sy~Qttx^bABw<ypOc@Q
zSdy8a2lqV8DcX}eIHd?U#qpB7BiJbyImvN~8rUgfFsGE~7iA}>=9Q!tVK~N>fJ2-w
k$vcA`(#*p`MwkF&qK8izEhcX85sC?~OY&ZuIru9W0q`E!7XSbN

diff --git a/models/res_users.py b/models/res_users.py
index abd2dd7..a50010c 100644
--- a/models/res_users.py
+++ b/models/res_users.py
@@ -9,7 +9,7 @@ class ResUsers(models.Model):
         'user_id',
         'warehouse_id',
         string="Allowed Warehouses",
-        help="Warehouses this user is allowed to access. Leave empty to allow all."
+        help="Warehouses this user is allowed to access. Leave empty to restrict access to none."
     )
 
     allowed_picking_type_ids = fields.Many2many(
@@ -18,7 +18,7 @@ class ResUsers(models.Model):
         'user_id',
         'picking_type_id',
         string="Allowed Picking Types",
-        help="Picking Types this user is allowed to access. Leave empty to allow all."
+        help="Picking Types this user is allowed to access. Leave empty to restrict access to none."
     )
 
     allowed_location_ids = fields.Many2many(
@@ -27,7 +27,7 @@ class ResUsers(models.Model):
         'user_id',
         'location_id',
         string="Allowed Locations",
-        help="Locations this user is allowed to access. Leave empty to allow all."
+        help="Locations this user is allowed to access. Leave empty to restrict access to none."
     )
 
     allowed_workcenter_ids = fields.Many2many(
@@ -36,7 +36,7 @@ class ResUsers(models.Model):
         'user_id',
         'workcenter_id',
         string="Allowed Work Centers",
-        help="Work Centers this user is allowed to access. Leave empty to allow all."
+        help="Work Centers this user is allowed to access. Leave empty to restrict access to none."
     )
 
     allowed_approval_category_ids = fields.Many2many(
@@ -45,5 +45,5 @@ class ResUsers(models.Model):
         'user_id',
         'category_id',
         string="Allowed Approvals",
-        help="Approval Categories this user is allowed to access. Leave empty to allow all."
+        help="Approval Categories this user is allowed to access. Leave empty to restrict access to none."
     )
diff --git a/models/restricted_models.py b/models/restricted_models.py
index b0df31b..906af83 100644
--- a/models/restricted_models.py
+++ b/models/restricted_models.py
@@ -6,7 +6,7 @@ class StockWarehouse(models.Model):
 
     @api.model
     def _search(self, domain, offset=0, limit=None, order=None):
-        if not self.env.su and self.env.user.allowed_warehouse_ids:
+        if not self.env.su:
             domain = expression.AND([domain or [], [('id', 'in', self.env.user.allowed_warehouse_ids.ids)]])
         return super()._search(domain, offset=offset, limit=limit, order=order)
 
@@ -15,7 +15,7 @@ class StockPickingType(models.Model):
 
     @api.model
     def _search(self, domain, offset=0, limit=None, order=None):
-        if not self.env.su and self.env.user.allowed_picking_type_ids:
+        if not self.env.su:
             domain = expression.AND([domain or [], [('id', 'in', self.env.user.allowed_picking_type_ids.ids)]])
         return super()._search(domain, offset=offset, limit=limit, order=order)
 
@@ -24,7 +24,7 @@ class StockLocation(models.Model):
 
     @api.model
     def _search(self, domain, offset=0, limit=None, order=None):
-        if not self.env.su and self.env.user.allowed_location_ids:
+        if not self.env.su:
             domain = expression.AND([domain or [], [('id', 'in', self.env.user.allowed_location_ids.ids)]])
         return super()._search(domain, offset=offset, limit=limit, order=order)
 
@@ -33,7 +33,7 @@ class MrpWorkcenter(models.Model):
 
     @api.model
     def _search(self, domain, offset=0, limit=None, order=None):
-        if not self.env.su and self.env.user.allowed_workcenter_ids:
+        if not self.env.su:
             domain = expression.AND([domain or [], [('id', 'in', self.env.user.allowed_workcenter_ids.ids)]])
         return super()._search(domain, offset=offset, limit=limit, order=order)
 
@@ -42,6 +42,6 @@ class ApprovalCategory(models.Model):
 
     @api.model
     def _search(self, domain, offset=0, limit=None, order=None):
-        if not self.env.su and self.env.user.allowed_approval_category_ids:
+        if not self.env.su:
             domain = expression.AND([domain or [], [('id', 'in', self.env.user.allowed_approval_category_ids.ids)]])
         return super()._search(domain, offset=offset, limit=limit, order=order)