feat: Implement access restrictions for approval requests and add bypass_user_restriction context to various action methods across multiple models.

models/__init__.py

@@ -3,3 +3,4 @@ from . import restricted_models
 from . import sale_order
 from . import mrp_production
 from . import stock_picking
+from . import approval_request

models/approval_request.py

@@ -0,0 +1,40 @@
+from odoo import models, api
+from odoo.fields import Domain
+
+def get_allowed_ids(env, table_name, col_name, user_id):
+    # Use SQL to avoid ORM recursion or self-filtering issues
+    query = f"SELECT {col_name} FROM {table_name} WHERE user_id = %s"
+    env.cr.execute(query, (user_id,))
+    return [r[0] for r in env.cr.fetchall()]
+
+class ApprovalCategory(models.Model):
+    _inherit = 'approval.category'
+
+    @api.model
+    def _search(self, domain, offset=0, limit=None, order=None, **kwargs):
+        if self.env.context.get('bypass_user_restriction'):
+            return super()._search(domain, offset=offset, limit=limit, order=order, **kwargs)
+        if not self.env.su and not self.env.user.has_group('base.group_system'):
+            allowed_ids = get_allowed_ids(self.env, 'res_users_approval_category_rel', 'category_id', self.env.user.id)
+            if allowed_ids:
+                domain = list(Domain(domain or []) & Domain([('id', 'in', allowed_ids)]))
+        return super()._search(domain, offset=offset, limit=limit, order=order, **kwargs)
+
+class ApprovalRequest(models.Model):
+    _inherit = 'approval.request'
+
+    @api.model
+    def _search(self, domain, offset=0, limit=None, order=None, **kwargs):
+        if self.env.context.get('bypass_user_restriction'):
+            return super()._search(domain, offset=offset, limit=limit, order=order, **kwargs)
+        if not self.env.su and not self.env.user.has_group('base.group_system'):
+            allowed_category_ids = get_allowed_ids(self.env, 'res_users_approval_category_rel', 'category_id', self.env.user.id)
+            if allowed_category_ids:
+                domain = list(Domain(domain or []) & Domain([('category_id', 'in', allowed_category_ids)]))
+        return super()._search(domain, offset=offset, limit=limit, order=order, **kwargs)
+
+    def action_confirm(self):
+        return super(ApprovalRequest, self.with_context(bypass_user_restriction=True)).action_confirm()
+
+    def action_approve(self):
+        return super(ApprovalRequest, self.with_context(bypass_user_restriction=True)).action_approve()

models/mrp_production.py

@@ -9,3 +9,9 @@ class MrpProduction(models.Model):
     def _compute_hide_quality_check_button(self):
         for record in self:
             record.hide_quality_check_button = not self.env.user.allowed_quality_checks
+
+    def action_confirm(self):
+        return super(MrpProduction, self.with_context(bypass_user_restriction=True)).action_confirm()
+
+    def button_mark_done(self):
+        return super(MrpProduction, self.with_context(bypass_user_restriction=True)).button_mark_done()

models/restricted_models.py

@@ -68,28 +68,3 @@ class MrpWorkcenter(models.Model):
                 domain = list(Domain(domain or []) & Domain([('id', 'in', allowed_ids)]))
         return super()._search(domain, offset=offset, limit=limit, order=order, **kwargs)
 
-class ApprovalCategory(models.Model):
-    _inherit = 'approval.category'
-
-    @api.model
-    def _search(self, domain, offset=0, limit=None, order=None, **kwargs):
-        if self.env.context.get('bypass_user_restriction'):
-            return super()._search(domain, offset=offset, limit=limit, order=order, **kwargs)
-        if not self.env.su and not self.env.user.has_group('base.group_system'):
-            allowed_ids = get_allowed_ids(self.env, 'res_users_approval_category_rel', 'category_id', self.env.user.id)
-            if allowed_ids:
-                domain = list(Domain(domain or []) & Domain([('id', 'in', allowed_ids)]))
-        return super()._search(domain, offset=offset, limit=limit, order=order, **kwargs)
-
-class ApprovalRequest(models.Model):
-    _inherit = 'approval.request'
-
-    @api.model
-    def _search(self, domain, offset=0, limit=None, order=None, **kwargs):
-        if self.env.context.get('bypass_user_restriction'):
-            return super()._search(domain, offset=offset, limit=limit, order=order, **kwargs)
-        if not self.env.su and not self.env.user.has_group('base.group_system'):
-            allowed_category_ids = get_allowed_ids(self.env, 'res_users_approval_category_rel', 'category_id', self.env.user.id)
-            if allowed_category_ids:
-                domain = list(Domain(domain or []) & Domain([('category_id', 'in', allowed_category_ids)]))
-        return super()._search(domain, offset=offset, limit=limit, order=order, **kwargs)

models/sale_order.py

@@ -5,3 +5,6 @@ class SaleOrder(models.Model):
 
     def action_confirm(self):
         return super(SaleOrder, self.with_context(bypass_user_restriction=True)).action_confirm()
+
+    def _action_confirm(self):
+        return super(SaleOrder, self.with_context(bypass_user_restriction=True))._action_confirm()

models/stock_picking.py

@@ -9,3 +9,9 @@ class StockPicking(models.Model):
     def _compute_hide_quality_check_button(self):
         for record in self:
             record.hide_quality_check_button = not self.env.user.allowed_quality_checks
+
+    def action_confirm(self):
+        return super(StockPicking, self.with_context(bypass_user_restriction=True)).action_confirm()
+
+    def button_validate(self):
+        return super(StockPicking, self.with_context(bypass_user_restriction=True)).button_validate()