feat: Implement access restrictions for approval requests and refine domain application, including a fix for 'All Approvals' window action.

__manifest__.py

@@ -20,6 +20,7 @@
     'data': [
         'security/ir.model.access.csv',
         'security/ir_rule.xml',
+        'security/ir_actions_act_window.xml',
         'views/res_users_views.xml',
     ],
     'installable': True,

models/restricted_models.py

@@ -4,9 +4,9 @@ from odoo.osv import expression
 
 _logger = logging.getLogger(__name__)
 
-def get_allowed_ids(env, field_name, table_name, user_id):
+def get_allowed_ids(env, table_name, col_name, user_id):
     # Use SQL to avoid ORM recursion or self-filtering issues
-    query = f"SELECT {field_name.replace('_ids', '')}_id FROM {table_name} WHERE user_id = %s"
+    query = f"SELECT {col_name} FROM {table_name} WHERE user_id = %s"
     env.cr.execute(query, (user_id,))
     return [r[0] for r in env.cr.fetchall()]
 
@@ -16,7 +16,8 @@ class StockWarehouse(models.Model):
     @api.model
     def _search(self, domain, offset=0, limit=None, order=None):
         if not self.env.su and not self.env.user.has_group('base.group_system'):
-            allowed_ids = get_allowed_ids(self.env, 'warehouse_ids', 'res_users_stock_warehouse_rel', self.env.user.id)
+            allowed_ids = get_allowed_ids(self.env, 'res_users_stock_warehouse_rel', 'warehouse_id', self.env.user.id)
+            if allowed_ids:
                 domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
         return super()._search(domain, offset=offset, limit=limit, order=order)
 
@@ -26,7 +27,8 @@ class StockPickingType(models.Model):
     @api.model
     def _search(self, domain, offset=0, limit=None, order=None):
         if not self.env.su and not self.env.user.has_group('base.group_system'):
-            allowed_ids = get_allowed_ids(self.env, 'picking_type_ids', 'res_users_stock_picking_type_rel', self.env.user.id)
+            allowed_ids = get_allowed_ids(self.env, 'res_users_stock_picking_type_rel', 'picking_type_id', self.env.user.id)
+            if allowed_ids:
                 domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
         return super()._search(domain, offset=offset, limit=limit, order=order)
 
@@ -36,13 +38,8 @@ class StockLocation(models.Model):
     @api.model
     def _search(self, domain, offset=0, limit=None, order=None):
         if not self.env.su and not self.env.user.has_group('base.group_system'):
-            allowed_ids = get_allowed_ids(self.env, 'location_ids', 'res_users_stock_location_rel', self.env.user.id)
-            
-            # Robust filtering for Locations
-            # We allow:
-            # 1. Any record that is a 'parent_of' an allowed ID (to compute path names like WH/Stock)
-            # 2. Any record that is a 'child_of' an allowed ID (to allow access to bins within allowed locations)
-            # 3. Non-internal locations (Virtual/Partner) for system movements and reporting
+            allowed_ids = get_allowed_ids(self.env, 'res_users_stock_location_rel', 'location_id', self.env.user.id)
+            if allowed_ids:
                 restrict_domain = [
                     '|', '|',
                     ('id', 'parent_of', allowed_ids),
@@ -58,7 +55,8 @@ class MrpWorkcenter(models.Model):
     @api.model
     def _search(self, domain, offset=0, limit=None, order=None):
         if not self.env.su and not self.env.user.has_group('base.group_system'):
-            allowed_ids = get_allowed_ids(self.env, 'workcenter_ids', 'res_users_mrp_workcenter_rel', self.env.user.id)
+            allowed_ids = get_allowed_ids(self.env, 'res_users_mrp_workcenter_rel', 'workcenter_id', self.env.user.id)
+            if allowed_ids:
                 domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
         return super()._search(domain, offset=offset, limit=limit, order=order)
 
@@ -68,6 +66,18 @@ class ApprovalCategory(models.Model):
     @api.model
     def _search(self, domain, offset=0, limit=None, order=None):
         if not self.env.su and not self.env.user.has_group('base.group_system'):
-            allowed_ids = get_allowed_ids(self.env, 'approval_category_ids', 'res_users_approval_category_rel', self.env.user.id)
+            allowed_ids = get_allowed_ids(self.env, 'res_users_approval_category_rel', 'category_id', self.env.user.id)
+            if allowed_ids:
                 domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
         return super()._search(domain, offset=offset, limit=limit, order=order)
+
+class ApprovalRequest(models.Model):
+    _inherit = 'approval.request'
+
+    @api.model
+    def _search(self, domain, offset=0, limit=None, order=None):
+        if not self.env.su and not self.env.user.has_group('base.group_system'):
+            allowed_category_ids = get_allowed_ids(self.env, 'res_users_approval_category_rel', 'category_id', self.env.user.id)
+            if allowed_category_ids:
+                domain = expression.AND([domain or [], [('category_id', 'in', allowed_category_ids)]])
+        return super()._search(domain, offset=offset, limit=limit, order=order)

security/ir_actions_act_window.xml

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8"?>
+<odoo>
+    <data>
+        <!-- Fix hardcoded Action Domain on All Approvals -->
+        <record id="approvals.approval_request_action_all" model="ir.actions.act_window">
+            <field name="domain">[]</field>
+        </record>
+    </data>
+</odoo>