admin.suherdy/access_restriction_by_user
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Implement access restrictions for approval requests and refine domain application, including a fix for 'All Approvals' window action.

Browse Source
This commit is contained in:
Suherdy Yacob 2026-01-06 14:27:20 +07:00
parent 94705c64bf
commit 45accc9e48
4 changed files with 44 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
__manifest__.py
View File

@ -20,6 +20,7 @@
'data': [ 'data': [
'security/ir.model.access.csv', 'security/ir.model.access.csv',
'security/ir_rule.xml', 'security/ir_rule.xml',
'security/ir_actions_act_window.xml',
'views/res_users_views.xml', 'views/res_users_views.xml',
], ],
'installable': True, 'installable': True,

BIN
models/__pycache__/restricted_models.cpython-312.pyc
View File

Binary file not shown.

58
models/restricted_models.py
View File

@ -4,9 +4,9 @@ from odoo.osv import expression
_logger = logging.getLogger(__name__) _logger = logging.getLogger(__name__)
def get_allowed_ids(env, field_name, table_name, user_id): def get_allowed_ids(env, table_name, col_name, user_id):
# Use SQL to avoid ORM recursion or self-filtering issues # Use SQL to avoid ORM recursion or self-filtering issues
query = f"SELECT {field_name.replace('_ids', '')}_id FROM {table_name} WHERE user_id = %s" query = f"SELECT {col_name} FROM {table_name} WHERE user_id = %s"
env.cr.execute(query, (user_id,)) env.cr.execute(query, (user_id,))
return [r[0] for r in env.cr.fetchall()] return [r[0] for r in env.cr.fetchall()]
@ -16,8 +16,9 @@ class StockWarehouse(models.Model):
@api.model @api.model
def _search(self, domain, offset=0, limit=None, order=None): def _search(self, domain, offset=0, limit=None, order=None):
if not self.env.su and not self.env.user.has_group('base.group_system'): if not self.env.su and not self.env.user.has_group('base.group_system'):
allowed_ids = get_allowed_ids(self.env, 'warehouse_ids', 'res_users_stock_warehouse_rel', self.env.user.id) allowed_ids = get_allowed_ids(self.env, 'res_users_stock_warehouse_rel', 'warehouse_id', self.env.user.id)
domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]]) if allowed_ids:
domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
return super()._search(domain, offset=offset, limit=limit, order=order) return super()._search(domain, offset=offset, limit=limit, order=order)
class StockPickingType(models.Model): class StockPickingType(models.Model):
@ -26,8 +27,9 @@ class StockPickingType(models.Model):
@api.model @api.model
def _search(self, domain, offset=0, limit=None, order=None): def _search(self, domain, offset=0, limit=None, order=None):
if not self.env.su and not self.env.user.has_group('base.group_system'): if not self.env.su and not self.env.user.has_group('base.group_system'):
allowed_ids = get_allowed_ids(self.env, 'picking_type_ids', 'res_users_stock_picking_type_rel', self.env.user.id) allowed_ids = get_allowed_ids(self.env, 'res_users_stock_picking_type_rel', 'picking_type_id', self.env.user.id)
domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]]) if allowed_ids:
domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
return super()._search(domain, offset=offset, limit=limit, order=order) return super()._search(domain, offset=offset, limit=limit, order=order)
class StockLocation(models.Model): class StockLocation(models.Model):
@ -36,20 +38,15 @@ class StockLocation(models.Model):
@api.model @api.model
def _search(self, domain, offset=0, limit=None, order=None): def _search(self, domain, offset=0, limit=None, order=None):
if not self.env.su and not self.env.user.has_group('base.group_system'): if not self.env.su and not self.env.user.has_group('base.group_system'):
allowed_ids = get_allowed_ids(self.env, 'location_ids', 'res_users_stock_location_rel', self.env.user.id) allowed_ids = get_allowed_ids(self.env, 'res_users_stock_location_rel', 'location_id', self.env.user.id)
if allowed_ids:
# Robust filtering for Locations restrict_domain = [
# We allow: '|', '|',
# 1. Any record that is a 'parent_of' an allowed ID (to compute path names like WH/Stock) ('id', 'parent_of', allowed_ids),
# 2. Any record that is a 'child_of' an allowed ID (to allow access to bins within allowed locations) ('id', 'child_of', allowed_ids),
# 3. Non-internal locations (Virtual/Partner) for system movements and reporting ('usage', 'not in', ['internal', 'transit'])
restrict_domain = [ ]
'|', '|', domain = expression.AND([domain or [], restrict_domain])
('id', 'parent_of', allowed_ids),
('id', 'child_of', allowed_ids),
('usage', 'not in', ['internal', 'transit'])
]
domain = expression.AND([domain or [], restrict_domain])
return super()._search(domain, offset=offset, limit=limit, order=order) return super()._search(domain, offset=offset, limit=limit, order=order)
class MrpWorkcenter(models.Model): class MrpWorkcenter(models.Model):
@ -58,8 +55,9 @@ class MrpWorkcenter(models.Model):
@api.model @api.model
def _search(self, domain, offset=0, limit=None, order=None): def _search(self, domain, offset=0, limit=None, order=None):
if not self.env.su and not self.env.user.has_group('base.group_system'): if not self.env.su and not self.env.user.has_group('base.group_system'):
allowed_ids = get_allowed_ids(self.env, 'workcenter_ids', 'res_users_mrp_workcenter_rel', self.env.user.id) allowed_ids = get_allowed_ids(self.env, 'res_users_mrp_workcenter_rel', 'workcenter_id', self.env.user.id)
domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]]) if allowed_ids:
domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
return super()._search(domain, offset=offset, limit=limit, order=order) return super()._search(domain, offset=offset, limit=limit, order=order)
class ApprovalCategory(models.Model): class ApprovalCategory(models.Model):
@ -68,6 +66,18 @@ class ApprovalCategory(models.Model):
@api.model @api.model
def _search(self, domain, offset=0, limit=None, order=None): def _search(self, domain, offset=0, limit=None, order=None):
if not self.env.su and not self.env.user.has_group('base.group_system'): if not self.env.su and not self.env.user.has_group('base.group_system'):
allowed_ids = get_allowed_ids(self.env, 'approval_category_ids', 'res_users_approval_category_rel', self.env.user.id) allowed_ids = get_allowed_ids(self.env, 'res_users_approval_category_rel', 'category_id', self.env.user.id)
domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]]) if allowed_ids:
domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
return super()._search(domain, offset=offset, limit=limit, order=order)
class ApprovalRequest(models.Model):
_inherit = 'approval.request'
@api.model
def _search(self, domain, offset=0, limit=None, order=None):
if not self.env.su and not self.env.user.has_group('base.group_system'):
allowed_category_ids = get_allowed_ids(self.env, 'res_users_approval_category_rel', 'category_id', self.env.user.id)
if allowed_category_ids:
domain = expression.AND([domain or [], [('category_id', 'in', allowed_category_ids)]])
return super()._search(domain, offset=offset, limit=limit, order=order) return super()._search(domain, offset=offset, limit=limit, order=order)

9
security/ir_actions_act_window.xml Normal file
View File

@ -0,0 +1,9 @@
<?xml version="1.0" encoding="utf-8"?>
<odoo>
<data>
<!-- Fix hardcoded Action Domain on All Approvals -->
<record id="approvals.approval_request_action_all" model="ir.actions.act_window">
<field name="domain">[]</field>
</record>
</data>
</odoo>