feat: Introduce permissive ir.rules and SQL-based ID retrieval for access restrictions, improving stock location visibility and adding stock_account dependency.
This commit is contained in:
parent
895dc077ec
commit
94705c64bf
@ -16,8 +16,10 @@
|
|||||||
""",
|
""",
|
||||||
'category': 'Extra Tools',
|
'category': 'Extra Tools',
|
||||||
'author': 'Suherdy Yacob',
|
'author': 'Suherdy Yacob',
|
||||||
'depends': ['base', 'stock', 'mrp', 'approvals'],
|
'depends': ['base', 'stock', 'mrp', 'approvals', 'stock_account'],
|
||||||
'data': [
|
'data': [
|
||||||
|
'security/ir.model.access.csv',
|
||||||
|
'security/ir_rule.xml',
|
||||||
'views/res_users_views.xml',
|
'views/res_users_views.xml',
|
||||||
],
|
],
|
||||||
'installable': True,
|
'installable': True,
|
||||||
|
|||||||
Binary file not shown.
@ -1,13 +1,23 @@
|
|||||||
|
import logging
|
||||||
from odoo import models, api
|
from odoo import models, api
|
||||||
from odoo.osv import expression
|
from odoo.osv import expression
|
||||||
|
|
||||||
|
_logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
def get_allowed_ids(env, field_name, table_name, user_id):
|
||||||
|
# Use SQL to avoid ORM recursion or self-filtering issues
|
||||||
|
query = f"SELECT {field_name.replace('_ids', '')}_id FROM {table_name} WHERE user_id = %s"
|
||||||
|
env.cr.execute(query, (user_id,))
|
||||||
|
return [r[0] for r in env.cr.fetchall()]
|
||||||
|
|
||||||
class StockWarehouse(models.Model):
|
class StockWarehouse(models.Model):
|
||||||
_inherit = 'stock.warehouse'
|
_inherit = 'stock.warehouse'
|
||||||
|
|
||||||
@api.model
|
@api.model
|
||||||
def _search(self, domain, offset=0, limit=None, order=None):
|
def _search(self, domain, offset=0, limit=None, order=None):
|
||||||
if not self.env.su and not self.env.user.has_group('base.group_system'):
|
if not self.env.su and not self.env.user.has_group('base.group_system'):
|
||||||
domain = expression.AND([domain or [], [('id', 'in', self.env.user.allowed_warehouse_ids.ids)]])
|
allowed_ids = get_allowed_ids(self.env, 'warehouse_ids', 'res_users_stock_warehouse_rel', self.env.user.id)
|
||||||
|
domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
|
||||||
return super()._search(domain, offset=offset, limit=limit, order=order)
|
return super()._search(domain, offset=offset, limit=limit, order=order)
|
||||||
|
|
||||||
class StockPickingType(models.Model):
|
class StockPickingType(models.Model):
|
||||||
@ -16,7 +26,8 @@ class StockPickingType(models.Model):
|
|||||||
@api.model
|
@api.model
|
||||||
def _search(self, domain, offset=0, limit=None, order=None):
|
def _search(self, domain, offset=0, limit=None, order=None):
|
||||||
if not self.env.su and not self.env.user.has_group('base.group_system'):
|
if not self.env.su and not self.env.user.has_group('base.group_system'):
|
||||||
domain = expression.AND([domain or [], [('id', 'in', self.env.user.allowed_picking_type_ids.ids)]])
|
allowed_ids = get_allowed_ids(self.env, 'picking_type_ids', 'res_users_stock_picking_type_rel', self.env.user.id)
|
||||||
|
domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
|
||||||
return super()._search(domain, offset=offset, limit=limit, order=order)
|
return super()._search(domain, offset=offset, limit=limit, order=order)
|
||||||
|
|
||||||
class StockLocation(models.Model):
|
class StockLocation(models.Model):
|
||||||
@ -25,7 +36,20 @@ class StockLocation(models.Model):
|
|||||||
@api.model
|
@api.model
|
||||||
def _search(self, domain, offset=0, limit=None, order=None):
|
def _search(self, domain, offset=0, limit=None, order=None):
|
||||||
if not self.env.su and not self.env.user.has_group('base.group_system'):
|
if not self.env.su and not self.env.user.has_group('base.group_system'):
|
||||||
domain = expression.AND([domain or [], [('id', 'in', self.env.user.allowed_location_ids.ids)]])
|
allowed_ids = get_allowed_ids(self.env, 'location_ids', 'res_users_stock_location_rel', self.env.user.id)
|
||||||
|
|
||||||
|
# Robust filtering for Locations
|
||||||
|
# We allow:
|
||||||
|
# 1. Any record that is a 'parent_of' an allowed ID (to compute path names like WH/Stock)
|
||||||
|
# 2. Any record that is a 'child_of' an allowed ID (to allow access to bins within allowed locations)
|
||||||
|
# 3. Non-internal locations (Virtual/Partner) for system movements and reporting
|
||||||
|
restrict_domain = [
|
||||||
|
'|', '|',
|
||||||
|
('id', 'parent_of', allowed_ids),
|
||||||
|
('id', 'child_of', allowed_ids),
|
||||||
|
('usage', 'not in', ['internal', 'transit'])
|
||||||
|
]
|
||||||
|
domain = expression.AND([domain or [], restrict_domain])
|
||||||
return super()._search(domain, offset=offset, limit=limit, order=order)
|
return super()._search(domain, offset=offset, limit=limit, order=order)
|
||||||
|
|
||||||
class MrpWorkcenter(models.Model):
|
class MrpWorkcenter(models.Model):
|
||||||
@ -34,7 +58,8 @@ class MrpWorkcenter(models.Model):
|
|||||||
@api.model
|
@api.model
|
||||||
def _search(self, domain, offset=0, limit=None, order=None):
|
def _search(self, domain, offset=0, limit=None, order=None):
|
||||||
if not self.env.su and not self.env.user.has_group('base.group_system'):
|
if not self.env.su and not self.env.user.has_group('base.group_system'):
|
||||||
domain = expression.AND([domain or [], [('id', 'in', self.env.user.allowed_workcenter_ids.ids)]])
|
allowed_ids = get_allowed_ids(self.env, 'workcenter_ids', 'res_users_mrp_workcenter_rel', self.env.user.id)
|
||||||
|
domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
|
||||||
return super()._search(domain, offset=offset, limit=limit, order=order)
|
return super()._search(domain, offset=offset, limit=limit, order=order)
|
||||||
|
|
||||||
class ApprovalCategory(models.Model):
|
class ApprovalCategory(models.Model):
|
||||||
@ -43,5 +68,6 @@ class ApprovalCategory(models.Model):
|
|||||||
@api.model
|
@api.model
|
||||||
def _search(self, domain, offset=0, limit=None, order=None):
|
def _search(self, domain, offset=0, limit=None, order=None):
|
||||||
if not self.env.su and not self.env.user.has_group('base.group_system'):
|
if not self.env.su and not self.env.user.has_group('base.group_system'):
|
||||||
domain = expression.AND([domain or [], [('id', 'in', self.env.user.allowed_approval_category_ids.ids)]])
|
allowed_ids = get_allowed_ids(self.env, 'approval_category_ids', 'res_users_approval_category_rel', self.env.user.id)
|
||||||
|
domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
|
||||||
return super()._search(domain, offset=offset, limit=limit, order=order)
|
return super()._search(domain, offset=offset, limit=limit, order=order)
|
||||||
|
|||||||
2
security/ir.model.access.csv
Normal file
2
security/ir.model.access.csv
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
|
||||||
|
access_stock_valuation_layer_internal_user,stock.valuation.layer.internal.user,stock_account.model_stock_valuation_layer,base.group_user,1,0,0,0
|
||||||
|
97
security/ir_rule.xml
Normal file
97
security/ir_rule.xml
Normal file
@ -0,0 +1,97 @@
|
|||||||
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
|
<odoo>
|
||||||
|
<data>
|
||||||
|
<!-- Permissive Rules to allow Read access, avoiding Access Errors.
|
||||||
|
Actual visibility restriction is handled by _search method in models/restricted_models.py. -->
|
||||||
|
|
||||||
|
<record id="stock_warehouse_permissive_rule" model="ir.rule">
|
||||||
|
<field name="name">Stock Warehouse Permissive Access</field>
|
||||||
|
<field name="model_id" ref="stock.model_stock_warehouse"/>
|
||||||
|
<field name="groups" eval="[(4, ref('base.group_user'))]"/>
|
||||||
|
<field name="domain_force">[(1, '=', 1)]</field>
|
||||||
|
<field name="perm_read" eval="True"/>
|
||||||
|
<field name="perm_write" eval="False"/>
|
||||||
|
<field name="perm_create" eval="False"/>
|
||||||
|
<field name="perm_unlink" eval="False"/>
|
||||||
|
</record>
|
||||||
|
|
||||||
|
<record id="stock_picking_type_permissive_rule" model="ir.rule">
|
||||||
|
<field name="name">Stock Picking Type Permissive Access</field>
|
||||||
|
<field name="model_id" ref="stock.model_stock_picking_type"/>
|
||||||
|
<field name="groups" eval="[(4, ref('base.group_user'))]"/>
|
||||||
|
<field name="domain_force">[(1, '=', 1)]</field>
|
||||||
|
<field name="perm_read" eval="True"/>
|
||||||
|
<field name="perm_write" eval="False"/>
|
||||||
|
<field name="perm_create" eval="False"/>
|
||||||
|
<field name="perm_unlink" eval="False"/>
|
||||||
|
</record>
|
||||||
|
|
||||||
|
<record id="stock_location_permissive_rule" model="ir.rule">
|
||||||
|
<field name="name">Stock Location Permissive Access</field>
|
||||||
|
<field name="model_id" ref="stock.model_stock_location"/>
|
||||||
|
<field name="groups" eval="[(4, ref('base.group_user'))]"/>
|
||||||
|
<field name="domain_force">[(1, '=', 1)]</field>
|
||||||
|
<field name="perm_read" eval="True"/>
|
||||||
|
<field name="perm_write" eval="False"/>
|
||||||
|
<field name="perm_create" eval="False"/>
|
||||||
|
<field name="perm_unlink" eval="False"/>
|
||||||
|
</record>
|
||||||
|
|
||||||
|
<record id="mrp_workcenter_permissive_rule" model="ir.rule">
|
||||||
|
<field name="name">MRP Workcenter Permissive Access</field>
|
||||||
|
<field name="model_id" ref="mrp.model_mrp_workcenter"/>
|
||||||
|
<field name="groups" eval="[(4, ref('base.group_user'))]"/>
|
||||||
|
<field name="domain_force">[(1, '=', 1)]</field>
|
||||||
|
<field name="perm_read" eval="True"/>
|
||||||
|
<field name="perm_write" eval="False"/>
|
||||||
|
<field name="perm_create" eval="False"/>
|
||||||
|
<field name="perm_unlink" eval="False"/>
|
||||||
|
</record>
|
||||||
|
|
||||||
|
<record id="approval_category_permissive_rule" model="ir.rule">
|
||||||
|
<field name="name">Approval Category Permissive Access</field>
|
||||||
|
<field name="model_id" ref="approvals.model_approval_category"/>
|
||||||
|
<field name="groups" eval="[(4, ref('base.group_user'))]"/>
|
||||||
|
<field name="domain_force">[(1, '=', 1)]</field>
|
||||||
|
<field name="perm_read" eval="True"/>
|
||||||
|
<field name="perm_write" eval="False"/>
|
||||||
|
<field name="perm_create" eval="False"/>
|
||||||
|
<field name="perm_unlink" eval="False"/>
|
||||||
|
</record>
|
||||||
|
|
||||||
|
<!-- New rules to satisfy Inventory Reporting requirements -->
|
||||||
|
<record id="stock_valuation_layer_permissive_rule" model="ir.rule">
|
||||||
|
<field name="name">Stock Valuation Layer Permissive Access</field>
|
||||||
|
<field name="model_id" ref="stock_account.model_stock_valuation_layer"/>
|
||||||
|
<field name="groups" eval="[(4, ref('base.group_user'))]"/>
|
||||||
|
<field name="domain_force">[(1, '=', 1)]</field>
|
||||||
|
<field name="perm_read" eval="True"/>
|
||||||
|
<field name="perm_write" eval="False"/>
|
||||||
|
<field name="perm_create" eval="False"/>
|
||||||
|
<field name="perm_unlink" eval="False"/>
|
||||||
|
</record>
|
||||||
|
|
||||||
|
<record id="stock_quant_permissive_rule" model="ir.rule">
|
||||||
|
<field name="name">Stock Quant Permissive Access</field>
|
||||||
|
<field name="model_id" ref="stock.model_stock_quant"/>
|
||||||
|
<field name="groups" eval="[(4, ref('base.group_user'))]"/>
|
||||||
|
<field name="domain_force">[(1, '=', 1)]</field>
|
||||||
|
<field name="perm_read" eval="True"/>
|
||||||
|
<field name="perm_write" eval="False"/>
|
||||||
|
<field name="perm_create" eval="False"/>
|
||||||
|
<field name="perm_unlink" eval="False"/>
|
||||||
|
</record>
|
||||||
|
|
||||||
|
<record id="approval_request_permissive_rule" model="ir.rule">
|
||||||
|
<field name="name">Approval Request Permissive Access</field>
|
||||||
|
<field name="model_id" ref="approvals.model_approval_request"/>
|
||||||
|
<field name="groups" eval="[(4, ref('base.group_user'))]"/>
|
||||||
|
<field name="domain_force">[(1, '=', 1)]</field>
|
||||||
|
<field name="perm_read" eval="True"/>
|
||||||
|
<field name="perm_write" eval="False"/>
|
||||||
|
<field name="perm_create" eval="False"/>
|
||||||
|
<field name="perm_unlink" eval="False"/>
|
||||||
|
</record>
|
||||||
|
|
||||||
|
</data>
|
||||||
|
</odoo>
|
||||||
Loading…
Reference in New Issue
Block a user