feat: Implement access restrictions for approval requests and refine domain application, including a fix for 'All Approvals' window action.

2026-01-06 14:27:20 +07:00 · 2026-01-06 14:27:20 +07:00 · 45accc9e48
commit 45accc9e48
parent 94705c64bf
4 changed files with 44 additions and 24 deletions
--- a/manifest.py
+++ b/manifest.py
@ -20,6 +20,7 @@
    'data': [
        'security/ir.model.access.csv',
        'security/ir_rule.xml',
+        'security/ir_actions_act_window.xml',
        'views/res_users_views.xml',
    ],
    'installable': True,
--- a/models/pycache/restricted_models.cpython-312.pyc
+++ b/models/pycache/restricted_models.cpython-312.pyc
--- a/models/restricted_models.py
+++ b/models/restricted_models.py
@ -4,9 +4,9 @@ from odoo.osv import expression

 _logger = logging.getLogger(__name__)

-def get_allowed_ids(env, field_name, table_name, user_id):
+def get_allowed_ids(env, table_name, col_name, user_id):
    # Use SQL to avoid ORM recursion or self-filtering issues
-    query = f"SELECT {field_name.replace('_ids', '')}_id FROM {table_name} WHERE user_id = %s"
+    query = f"SELECT {col_name} FROM {table_name} WHERE user_id = %s"
    env.cr.execute(query, (user_id,))
    return [r[0] for r in env.cr.fetchall()]

@ -16,8 +16,9 @@ class StockWarehouse(models.Model):
    @api.model
    def _search(self, domain, offset=0, limit=None, order=None):
        if not self.env.su and not self.env.user.has_group('base.group_system'):
-            allowed_ids = get_allowed_ids(self.env, 'warehouse_ids', 'res_users_stock_warehouse_rel', self.env.user.id)
-            domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
+            allowed_ids = get_allowed_ids(self.env, 'res_users_stock_warehouse_rel', 'warehouse_id', self.env.user.id)
+            if allowed_ids:
+                domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
        return super()._search(domain, offset=offset, limit=limit, order=order)

 class StockPickingType(models.Model):
@ -26,8 +27,9 @@ class StockPickingType(models.Model):
    @api.model
    def _search(self, domain, offset=0, limit=None, order=None):
        if not self.env.su and not self.env.user.has_group('base.group_system'):
-            allowed_ids = get_allowed_ids(self.env, 'picking_type_ids', 'res_users_stock_picking_type_rel', self.env.user.id)
-            domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
+            allowed_ids = get_allowed_ids(self.env, 'res_users_stock_picking_type_rel', 'picking_type_id', self.env.user.id)
+            if allowed_ids:
+                domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
        return super()._search(domain, offset=offset, limit=limit, order=order)

 class StockLocation(models.Model):
@ -36,20 +38,15 @@ class StockLocation(models.Model):
    @api.model
    def _search(self, domain, offset=0, limit=None, order=None):
        if not self.env.su and not self.env.user.has_group('base.group_system'):
-            allowed_ids = get_allowed_ids(self.env, 'location_ids', 'res_users_stock_location_rel', self.env.user.id)
-            
-            # Robust filtering for Locations
-            # We allow:
-            # 1. Any record that is a 'parent_of' an allowed ID (to compute path names like WH/Stock)
-            # 2. Any record that is a 'child_of' an allowed ID (to allow access to bins within allowed locations)
-            # 3. Non-internal locations (Virtual/Partner) for system movements and reporting
-            restrict_domain = [
-                '|', '|',
-                ('id', 'parent_of', allowed_ids),
-                ('id', 'child_of', allowed_ids),
-                ('usage', 'not in', ['internal', 'transit'])
-            ]
-            domain = expression.AND([domain or [], restrict_domain])
+            allowed_ids = get_allowed_ids(self.env, 'res_users_stock_location_rel', 'location_id', self.env.user.id)
+            if allowed_ids:
+                restrict_domain = [
+                    '|', '|',
+                    ('id', 'parent_of', allowed_ids),
+                    ('id', 'child_of', allowed_ids),
+                    ('usage', 'not in', ['internal', 'transit'])
+                ]
+                domain = expression.AND([domain or [], restrict_domain])
        return super()._search(domain, offset=offset, limit=limit, order=order)

 class MrpWorkcenter(models.Model):
@ -58,8 +55,9 @@ class MrpWorkcenter(models.Model):
    @api.model
    def _search(self, domain, offset=0, limit=None, order=None):
        if not self.env.su and not self.env.user.has_group('base.group_system'):
-            allowed_ids = get_allowed_ids(self.env, 'workcenter_ids', 'res_users_mrp_workcenter_rel', self.env.user.id)
-            domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
+            allowed_ids = get_allowed_ids(self.env, 'res_users_mrp_workcenter_rel', 'workcenter_id', self.env.user.id)
+            if allowed_ids:
+                domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
        return super()._search(domain, offset=offset, limit=limit, order=order)

 class ApprovalCategory(models.Model):
@ -68,6 +66,18 @@ class ApprovalCategory(models.Model):
    @api.model
    def _search(self, domain, offset=0, limit=None, order=None):
        if not self.env.su and not self.env.user.has_group('base.group_system'):
-            allowed_ids = get_allowed_ids(self.env, 'approval_category_ids', 'res_users_approval_category_rel', self.env.user.id)
-            domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
+            allowed_ids = get_allowed_ids(self.env, 'res_users_approval_category_rel', 'category_id', self.env.user.id)
+            if allowed_ids:
+                domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
+        return super()._search(domain, offset=offset, limit=limit, order=order)
+
+class ApprovalRequest(models.Model):
+    _inherit = 'approval.request'
+
+    @api.model
+    def _search(self, domain, offset=0, limit=None, order=None):
+        if not self.env.su and not self.env.user.has_group('base.group_system'):
+            allowed_category_ids = get_allowed_ids(self.env, 'res_users_approval_category_rel', 'category_id', self.env.user.id)
+            if allowed_category_ids:
+                domain = expression.AND([domain or [], [('category_id', 'in', allowed_category_ids)]])
        return super()._search(domain, offset=offset, limit=limit, order=order)
--- a/security/ir_actions_act_window.xml
+++ b/security/ir_actions_act_window.xml
@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8"?>
+<odoo>
+    <data>
+        <!-- Fix hardcoded Action Domain on All Approvals -->
+        <record id="approvals.approval_request_action_all" model="ir.actions.act_window">
+            <field name="domain">[]</field>
+        </record>
+    </data>
+</odoo>