From 45accc9e48d72d2601b23f66407941d1388edcef Mon Sep 17 00:00:00 2001
From: Suherdy Yacob <suherdy.yacob@mapan.co.id>
Date: Tue, 6 Jan 2026 14:27:20 +0700
Subject: [PATCH] feat: Implement access restrictions for approval requests and
 refine domain application, including a fix for 'All Approvals' window action.

---
 __manifest__.py                               |   1 +
 .../restricted_models.cpython-312.pyc         | Bin 5895 -> 6767 bytes
 models/restricted_models.py                   |  58 ++++++++++--------
 security/ir_actions_act_window.xml            |   9 +++
 4 files changed, 44 insertions(+), 24 deletions(-)
 create mode 100644 security/ir_actions_act_window.xml

diff --git a/__manifest__.py b/__manifest__.py
index 53f1499..34b8f00 100644
--- a/__manifest__.py
+++ b/__manifest__.py
@@ -20,6 +20,7 @@
     'data': [
         'security/ir.model.access.csv',
         'security/ir_rule.xml',
+        'security/ir_actions_act_window.xml',
         'views/res_users_views.xml',
     ],
     'installable': True,
diff --git a/models/__pycache__/restricted_models.cpython-312.pyc b/models/__pycache__/restricted_models.cpython-312.pyc
index 056312a307a85144bee24e69a4e942768f538009..ffa2433456698abb00a3678907369f2ac6aa2975 100644
GIT binary patch
literal 6767
zcmeHMU2GKB6`tSy^V(~`CV2VV#z4FY*h)f#MM@JAOi%-hgGne`+UYQJcfGr_JDYoF
z{j)3rBqU7Q2>YS3QB^^nf=k=br}EgoMe56J9d*f+sz`n6TU5JJ%2Ut1vtzFvyN;>M
z6C?TDd(WIZbLX7%opbj1PtDCC4z7E@IhV;qIPM>G;azflGMnHzZj#eEoj1579R-8W
z3rQg_CPkjEMMKKVNtx#a4sqGA_ke{F`R~Fr=#>oU(p4@Q6u5UdUB1fcJ|tw@+<T4m
zuIR3kO-#}cl7Uqu!%Q*=lA%>3o0()2NQPIDY+;hkAlb5tWQ0jZK(cie$<|RmzTuzr
z^Ad5v@#Re&8N?CQVkXWzAv99Nh>(m~(4+>1P-9S)%>EV#7=y0}zW_s2c%b4h<%?2<
z%QlF6(`;Rh-kOdTsUoKMyMoK(xfOPL=5N?~w?03@-H<gQ&1u4q{2X^tuE@I70rw_^
zp9Ll0UX%xb@@zKD#pOiVKhSr)@9opEvM+Y@)X5XE@}}6CV|}OkVkLsGlF?&_V!H{Z
zM~aJ%pkc?4MvzvrkP}EDOB+-TBkprVR2XtXmU`YmN<q!TP0cjinZN!ZNB*#c@TkLM
z;)AEf*!5WJ88q{#hm-~p)<=8#N3B87FDSmp)J^l{-X5()EHkg_x>+DSs-}Sj6flE@
zGnxgaP|lAk^aVYxv3k5)NLO4=cX8B-q>-h-LCs-cXLN!$zyUx%97zDV%spypA0He~
zP7U48-aco)e8dj-UG94z`L7+la`al_N@D!AsRL6lej)9C5Z!)j&&@rzdT#d2L|^(#
z)86s-#tx6EKRxp2roFbb_dhVOkNcw-KD<%V;NkO^=Q6Wz0qYt#3gVKy&Lst%Pl`y&
zGPKW2vxzQ_aVcIGt_D5xCVgYv2%q#1aB<0L8L&((cSgl%&;%8fBcLcP*FEepv_?On
zDra6wL&nef$(4Mo?t6^~A(a*U(EFqY;Vjkal1t~k5JS#bLGR}B&(sB7T>egWxwkE&
zw7YdV>ic-7)$F}5+v3d@#tJ{e6F@_n(<L3`Q(~G=3*Koj@>Z)Sd)-&zKHd!o1$0-$
ziu7xr_Z~2XKk<0Od6l5<G&V~`g^Usl<(=)|ip({M!VII#8wUK>aKa1AjP3~RuP`k-
zJ~Ndf$Z}*Olh43lVjbb>5T>8%2&Cjl)ZLxnph^_>KIY7L3*5%k;Es4Wam0~HsR&Yj
zg&-AcgVTOTBFIQNJ{_=>Dd4SCd>bX(>7J$ra5zCl(F_$}rVwgP7pRvp)dk)Kq`Y~t
z<8{|xLIubekgowzkxe&7u8-Wf@X>|a`#<gdr1#T9pB$=n9;|jAv|mqr(RuP=G=68-
zXI;}>_Wl9;ea%Lh8p>BuzJ_oW;TkGcQE4VRH1_V7k?6yY&RaWf?zpr0SKIEra=-1q
z^@ktYz3<rvPT5@pGaaYLeGemT*N3lPni{&3y5IMC``D$K$VoeJau&|QO^YmeB@)vC
zC!ny9q$o~Eq2Zwf(MoZ`it=GeHE7s^RY1uUAQojTOdZLQSrlR4?KIaFqanjklxZHv
zL4wfq`KGI#O)$ljP_H8~AYWhQ9z<f7k3EtD*Unx!J159;KR+vSzKA=;FM<%;vd+Px
zmD#L6qvbM%^y$$eDsObdMbTw-Tflo3F`in)!0ljoC$=<3)UBaVYp^g8S;WccF3@R8
z$5BdlPy&I8TLG(EmfGDzD~$k8g4Pf0A7t#DS<8`Xj?{7^)!axeccGfQFcYo(Uuboq
z@Dlx=y_CF457+>%*C>+`8tN9n)wvqD=$3T`S2I)caZ^)iNm6cck!94^i%=DS)37|8
zU3(t>XbqY1f9GNJl=JXD$ghxLbsx>KF#6dT(1UtNZ%PZ0cjb$|Z=0(tz7=w`e@TuG
zH{|H%gp0UsOA+T;iJ`4&eg*lMuQ0GV!6H;t1xqngP}L4*44uy85>eBr>?@d7EK_g-
znSzCIK{Xt|h1CLq^f3?5cmVGKtK%0aS)6!r7x0{jSF|ei?9B2C^%OVv#u}4v`yyZS
z&`e)IJ_EAG+<VGCt=d|;rsb+yuBH{MTCt{)szzp_7DMx+w&$icJ!tQkdi_q5-L{|3
z4&J_Cx4rtHecROFo#?%@cGnwr+nZkn<<5=ck-0Dz-L;Uc?_ILH-kIq*wqlB24fF@$
zlQ1Qn^aEo+SVrC10Q#ndj7q2O6X}-q2K@<KJY(XV2EKuCxh0Q_-NW<iMWBCHe6MHm
z{S9D)C6onAFkm+~tk<4I+ZUPI!`uPtl21_Y0_N7I-dzn$N8!MjlKu4LF(BUn)3W6$
z-LlSLYCT*mVsl6}-c~J?Ht}eAgIecwLsn(1XOMcz)#=WKT<IA@@r>c7%lXyXF|}o>
z#XVTj{>YQS>V5l+Zl|)fRH2$G)Ka9HBDK^|H8nI79bVVM^j$bGrsNHJ@)!^XtLGbX
z)UvRmTh<v?5l_jd5H#P2Rc`eR*^OP!Gf=GoRH81esYxU^6reu00L3T3>X^12@!}tG
zasP@{qSNNJXBzNE-0s8j9h&Es*xkbxeL49U$hRsJJ72lC|M$JW>$MO4*#1f0Hc8DK
zuA0L&vr;uHHS<!{yaX+lU55ob9Q!iTxwuWU{d37qoVR;5`+#nDp_z`<6BmK~R9lpM
zpB_I3gaPb3s{xE|iEnWHhM7)7*Ta!$OBsv6b$dGjy6!f~klQ#5LYMeBh$4*lfebXy
z=tfx4Zm}bup#KeEts3?#lvSlHn=<UP^G$PZ3Z|W~$ARy<9j5Q$BrNF<Suz3SE0O2<
zzj7^q=eGTg+xaN8b?k*&XlpgJb?VqmX!m9Rza)v@Hx~}_{rva`ljkPR&2e--x0!K<
pCMy#aj}xIXM<<U@9G~OpeC~NBQ|GL-i^-%WjS1u5?8)rN{{=?shdclP

delta 1946
zcmbu9Urbw79LMjy^dHc_wD(ddjDj`LiGUl<IW{Q{$VT}W!7Uh|DZRJQa%nH;mVdPb
zj2OD7wL4K3jS2B-#%SsriHXs~Hxs>06H6LR_Tn>J*2Tpq&p90vbxF5)lYZ~-{QLb*
zKlgjiQTJ|#@kfK9ibBt~$>~tNF>SQduCH5Pq*WWV+XUnE>-wM2;2y=(2|7%}KE1V(
z;VZsi@DhspgyK~R2C4c}^`<I8g&CMuSz!ZXg%4>fU21vsR@linXbto-4!d?VuALYd
z9=JT|EU0`TUM^7aO7w;@(_E!0Xn`P!{(t~KWSo{@NDz5n#J?mIs$%{*QGh=%A9vYM
zVJ-T}(@3_dyGAw@&U0;9uI&z&smXEO3j1ni>L7j~Dnm1heim+5^s24;z7`d{ul2zf
zROjd+xW%2J<Iu0Fg*VMM=+U2|--bTD2*p}Al+<q-4QqZNEJRmi0q+rhuXe&Cb&J!0
zN){M-rJzD1pisHsmwodfx*`F*E8u{yXgaD-;jjsd6NWWy8Y>Q4;cbnR-nqqgc`{?l
z0IvkY`Cud)jO2rIHYn$VtJ&acu6`}){grLnn@!K|U;AwO4#-R%bbseix<{0=ql#-R
z$Brilp<=9s{aP>G3R7B^Ye(s28i@yxN*pf7!EdyUoJu`TKd7KIrXqtw@N#L$W155G
zx}Gu^JhooWjusTmQYf$(ip=|B8&V0!@0BfMz=4xBU}?nCjHL~Uj6aT(JlmxmwW5x=
zeIgbOERL5_O`=R4K3VXCz(PG<^T93lOz)s_C9H^2UW{eMSYF)7iW_+`krflU`pswK
zVt13j*nv`lPAune@)K~*<4!EKu%Wu{>445dk0}7Zsy<5xiBFRM@JWF9<Y)a(4S}N<
zqXB;`6pav{TsJhS=mhe?uAyh^2^O~wxN+UnSWdVDH(x?hFabf1flwgk<D*OdPy~=~
zszXC1j?R-HSpstSaoJ;vE;L#G63HWUBuv(u>o=gDb%ipcO8=a~FXVYK%Zqt_Im<8S
z`B;{Z<?2_G-g{=sVoOaNTG-UP`(DM|g`@a>k7DjTwAgRA?Z1<$Q(UNd@m{66$(S4~
z>M727!k)c~>vE3mC#Eb5{}S3Bz|ssYraI32w>xoIa_1!k|D*EGv=R8mwJ2B&2$7fo
z2>ve1sp04KB|8G7>rc`g<Gg@z5>xgoga7lemgRC4bHVZ&;quf|dlhk+gGV(N%Cm70
zHmqNgKy=kF`j9_``6$>Rh~Bp~w?7Xe_?xX!(~oJS&=DQ-DkBj^ishyCthAn&HnY;^
z9~8Ar_c8ZNuLl(6c$0a?(>hb;w2ophSo-h=oJbz+P=}_L?JIZHy4|Vwrb_qPf37&Z
z#BGK{b=?zPC@g4wVsw690OXb~s7Io_AOdnv;;VpIlJF<BKBr1f#Fy!xx{FIuenk}C
z08^-mFA{kR{!({(Mn{j+scU=F>FFYc<D!l9tnMY!iQ^s{o-?>NoE|PxI4-u6Igfk(
Lz3L&!Lu&s8QK}^2

diff --git a/models/restricted_models.py b/models/restricted_models.py
index 34904e3..c16d2db 100644
--- a/models/restricted_models.py
+++ b/models/restricted_models.py
@@ -4,9 +4,9 @@ from odoo.osv import expression
 
 _logger = logging.getLogger(__name__)
 
-def get_allowed_ids(env, field_name, table_name, user_id):
+def get_allowed_ids(env, table_name, col_name, user_id):
     # Use SQL to avoid ORM recursion or self-filtering issues
-    query = f"SELECT {field_name.replace('_ids', '')}_id FROM {table_name} WHERE user_id = %s"
+    query = f"SELECT {col_name} FROM {table_name} WHERE user_id = %s"
     env.cr.execute(query, (user_id,))
     return [r[0] for r in env.cr.fetchall()]
 
@@ -16,8 +16,9 @@ class StockWarehouse(models.Model):
     @api.model
     def _search(self, domain, offset=0, limit=None, order=None):
         if not self.env.su and not self.env.user.has_group('base.group_system'):
-            allowed_ids = get_allowed_ids(self.env, 'warehouse_ids', 'res_users_stock_warehouse_rel', self.env.user.id)
-            domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
+            allowed_ids = get_allowed_ids(self.env, 'res_users_stock_warehouse_rel', 'warehouse_id', self.env.user.id)
+            if allowed_ids:
+                domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
         return super()._search(domain, offset=offset, limit=limit, order=order)
 
 class StockPickingType(models.Model):
@@ -26,8 +27,9 @@ class StockPickingType(models.Model):
     @api.model
     def _search(self, domain, offset=0, limit=None, order=None):
         if not self.env.su and not self.env.user.has_group('base.group_system'):
-            allowed_ids = get_allowed_ids(self.env, 'picking_type_ids', 'res_users_stock_picking_type_rel', self.env.user.id)
-            domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
+            allowed_ids = get_allowed_ids(self.env, 'res_users_stock_picking_type_rel', 'picking_type_id', self.env.user.id)
+            if allowed_ids:
+                domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
         return super()._search(domain, offset=offset, limit=limit, order=order)
 
 class StockLocation(models.Model):
@@ -36,20 +38,15 @@ class StockLocation(models.Model):
     @api.model
     def _search(self, domain, offset=0, limit=None, order=None):
         if not self.env.su and not self.env.user.has_group('base.group_system'):
-            allowed_ids = get_allowed_ids(self.env, 'location_ids', 'res_users_stock_location_rel', self.env.user.id)
-            
-            # Robust filtering for Locations
-            # We allow:
-            # 1. Any record that is a 'parent_of' an allowed ID (to compute path names like WH/Stock)
-            # 2. Any record that is a 'child_of' an allowed ID (to allow access to bins within allowed locations)
-            # 3. Non-internal locations (Virtual/Partner) for system movements and reporting
-            restrict_domain = [
-                '|', '|',
-                ('id', 'parent_of', allowed_ids),
-                ('id', 'child_of', allowed_ids),
-                ('usage', 'not in', ['internal', 'transit'])
-            ]
-            domain = expression.AND([domain or [], restrict_domain])
+            allowed_ids = get_allowed_ids(self.env, 'res_users_stock_location_rel', 'location_id', self.env.user.id)
+            if allowed_ids:
+                restrict_domain = [
+                    '|', '|',
+                    ('id', 'parent_of', allowed_ids),
+                    ('id', 'child_of', allowed_ids),
+                    ('usage', 'not in', ['internal', 'transit'])
+                ]
+                domain = expression.AND([domain or [], restrict_domain])
         return super()._search(domain, offset=offset, limit=limit, order=order)
 
 class MrpWorkcenter(models.Model):
@@ -58,8 +55,9 @@ class MrpWorkcenter(models.Model):
     @api.model
     def _search(self, domain, offset=0, limit=None, order=None):
         if not self.env.su and not self.env.user.has_group('base.group_system'):
-            allowed_ids = get_allowed_ids(self.env, 'workcenter_ids', 'res_users_mrp_workcenter_rel', self.env.user.id)
-            domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
+            allowed_ids = get_allowed_ids(self.env, 'res_users_mrp_workcenter_rel', 'workcenter_id', self.env.user.id)
+            if allowed_ids:
+                domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
         return super()._search(domain, offset=offset, limit=limit, order=order)
 
 class ApprovalCategory(models.Model):
@@ -68,6 +66,18 @@ class ApprovalCategory(models.Model):
     @api.model
     def _search(self, domain, offset=0, limit=None, order=None):
         if not self.env.su and not self.env.user.has_group('base.group_system'):
-            allowed_ids = get_allowed_ids(self.env, 'approval_category_ids', 'res_users_approval_category_rel', self.env.user.id)
-            domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
+            allowed_ids = get_allowed_ids(self.env, 'res_users_approval_category_rel', 'category_id', self.env.user.id)
+            if allowed_ids:
+                domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
+        return super()._search(domain, offset=offset, limit=limit, order=order)
+
+class ApprovalRequest(models.Model):
+    _inherit = 'approval.request'
+
+    @api.model
+    def _search(self, domain, offset=0, limit=None, order=None):
+        if not self.env.su and not self.env.user.has_group('base.group_system'):
+            allowed_category_ids = get_allowed_ids(self.env, 'res_users_approval_category_rel', 'category_id', self.env.user.id)
+            if allowed_category_ids:
+                domain = expression.AND([domain or [], [('category_id', 'in', allowed_category_ids)]])
         return super()._search(domain, offset=offset, limit=limit, order=order)
diff --git a/security/ir_actions_act_window.xml b/security/ir_actions_act_window.xml
new file mode 100644
index 0000000..2144ad8
--- /dev/null
+++ b/security/ir_actions_act_window.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8"?>
+<odoo>
+    <data>
+        <!-- Fix hardcoded Action Domain on All Approvals -->
+        <record id="approvals.approval_request_action_all" model="ir.actions.act_window">
+            <field name="domain">[]</field>
+        </record>
+    </data>
+</odoo>