feat: Extend user access restrictions to quality check buttons on manufacturing orders and stock pickings, and update domain handling for Odoo 19.

__manifest__.py

@@ -1,6 +1,6 @@
 {
     'name': 'Access Restriction By User',
-    'version': '18.0.1.0.0',
+    'version': '19.0.1.0.0',
     'summary': 'Restrict access to Warehouses, Picking Types, Locations, Work Centers, and Approvals by User',
     'description': """
         Restricts visibility of:
@@ -16,12 +16,14 @@
     """,
     'category': 'Extra Tools',
     'author': 'Suherdy Yacob',
-    'depends': ['base', 'stock', 'mrp', 'approvals', 'stock_account', 'sale'],
+    'depends': ['base', 'stock', 'mrp', 'approvals', 'stock_account', 'sale', 'quality_control', 'quality_mrp'],
     'data': [
         'security/ir.model.access.csv',
         'security/ir_rule.xml',
         'security/ir_actions_act_window.xml',
         'views/res_users_views.xml',
+        'views/stock_picking_views.xml',
+        'views/mrp_production_views.xml',
     ],
     'installable': True,
     'application': False,

models/__init__.py

@@ -1,4 +1,6 @@
 from . import res_users
 from . import restricted_models
 from . import sale_order
+from . import stock_picking
+from . import mrp_production
 

models/mrp_production.py

@@ -0,0 +1,24 @@
+from odoo import models, fields, api
+
+class MrpProduction(models.Model):
+    _inherit = 'mrp.production'
+
+    restrict_quality_check_button = fields.Boolean(compute='_compute_restrict_quality_check_button')
+
+    @api.depends_context('uid')
+    def _compute_restrict_quality_check_button(self):
+        user = self.env.user
+        for production in self:
+            is_inventory_user = user.has_group('stock.group_stock_user')
+            is_mrp_user = user.has_group('mrp.group_mrp_user')
+            is_mrp_manager = user.has_group('mrp.group_mrp_manager')
+
+            is_restricted_role = is_inventory_user or is_mrp_user or is_mrp_manager
+
+            is_quality_manager = user.has_group('quality.group_quality_manager')
+            is_system = user.has_group('base.group_system')
+
+            if is_restricted_role and not (is_quality_manager or is_system):
+                production.restrict_quality_check_button = True
+            else:
+                production.restrict_quality_check_button = False

models/restricted_models.py

@@ -1,6 +1,6 @@
 import logging
 from odoo import models, api
-from odoo.osv import expression
+from odoo.fields import Domain
 
 _logger = logging.getLogger(__name__)
 
@@ -14,35 +14,35 @@ class StockWarehouse(models.Model):
     _inherit = 'stock.warehouse'
 
     @api.model
-    def _search(self, domain, offset=0, limit=None, order=None):
+    def _search(self, domain, offset=0, limit=None, order=None, **kwargs):
         if self.env.context.get('bypass_user_restriction'):
-            return super()._search(domain, offset=offset, limit=limit, order=order)
+            return super()._search(domain, offset=offset, limit=limit, order=order, **kwargs)
         if not self.env.su and not self.env.user.has_group('base.group_system'):
             allowed_ids = get_allowed_ids(self.env, 'res_users_stock_warehouse_rel', 'warehouse_id', self.env.user.id)
             if allowed_ids:
-                domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
-        return super()._search(domain, offset=offset, limit=limit, order=order)
+                domain = list(Domain(domain or []) & Domain([('id', 'in', allowed_ids)]))
+        return super()._search(domain, offset=offset, limit=limit, order=order, **kwargs)
 
 class StockPickingType(models.Model):
     _inherit = 'stock.picking.type'
 
     @api.model
-    def _search(self, domain, offset=0, limit=None, order=None):
+    def _search(self, domain, offset=0, limit=None, order=None, **kwargs):
         if self.env.context.get('bypass_user_restriction'):
-            return super()._search(domain, offset=offset, limit=limit, order=order)
+            return super()._search(domain, offset=offset, limit=limit, order=order, **kwargs)
         if not self.env.su and not self.env.user.has_group('base.group_system'):
             allowed_ids = get_allowed_ids(self.env, 'res_users_stock_picking_type_rel', 'picking_type_id', self.env.user.id)
             if allowed_ids:
-                domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
-        return super()._search(domain, offset=offset, limit=limit, order=order)
+                domain = list(Domain(domain or []) & Domain([('id', 'in', allowed_ids)]))
+        return super()._search(domain, offset=offset, limit=limit, order=order, **kwargs)
 
 class StockLocation(models.Model):
     _inherit = 'stock.location'
 
     @api.model
-    def _search(self, domain, offset=0, limit=None, order=None):
+    def _search(self, domain, offset=0, limit=None, order=None, **kwargs):
         if self.env.context.get('bypass_user_restriction'):
-            return super()._search(domain, offset=offset, limit=limit, order=order)
+            return super()._search(domain, offset=offset, limit=limit, order=order, **kwargs)
         if not self.env.su and not self.env.user.has_group('base.group_system'):
             allowed_ids = get_allowed_ids(self.env, 'res_users_stock_location_rel', 'location_id', self.env.user.id)
             if allowed_ids:
@@ -52,44 +52,44 @@ class StockLocation(models.Model):
                     ('id', 'child_of', allowed_ids),
                     ('usage', 'not in', ['internal', 'transit'])
                 ]
-                domain = expression.AND([domain or [], restrict_domain])
-        return super()._search(domain, offset=offset, limit=limit, order=order)
+                domain = list(Domain(domain or []) & Domain(restrict_domain))
+        return super()._search(domain, offset=offset, limit=limit, order=order, **kwargs)
 
 class MrpWorkcenter(models.Model):
     _inherit = 'mrp.workcenter'
 
     @api.model
-    def _search(self, domain, offset=0, limit=None, order=None):
+    def _search(self, domain, offset=0, limit=None, order=None, **kwargs):
         if self.env.context.get('bypass_user_restriction'):
-            return super()._search(domain, offset=offset, limit=limit, order=order)
+            return super()._search(domain, offset=offset, limit=limit, order=order, **kwargs)
         if not self.env.su and not self.env.user.has_group('base.group_system'):
             allowed_ids = get_allowed_ids(self.env, 'res_users_mrp_workcenter_rel', 'workcenter_id', self.env.user.id)
             if allowed_ids:
-                domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
-        return super()._search(domain, offset=offset, limit=limit, order=order)
+                domain = list(Domain(domain or []) & Domain([('id', 'in', allowed_ids)]))
+        return super()._search(domain, offset=offset, limit=limit, order=order, **kwargs)
 
 class ApprovalCategory(models.Model):
     _inherit = 'approval.category'
 
     @api.model
-    def _search(self, domain, offset=0, limit=None, order=None):
+    def _search(self, domain, offset=0, limit=None, order=None, **kwargs):
         if self.env.context.get('bypass_user_restriction'):
-            return super()._search(domain, offset=offset, limit=limit, order=order)
+            return super()._search(domain, offset=offset, limit=limit, order=order, **kwargs)
         if not self.env.su and not self.env.user.has_group('base.group_system'):
             allowed_ids = get_allowed_ids(self.env, 'res_users_approval_category_rel', 'category_id', self.env.user.id)
             if allowed_ids:
-                domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
-        return super()._search(domain, offset=offset, limit=limit, order=order)
+                domain = list(Domain(domain or []) & Domain([('id', 'in', allowed_ids)]))
+        return super()._search(domain, offset=offset, limit=limit, order=order, **kwargs)
 
 class ApprovalRequest(models.Model):
     _inherit = 'approval.request'
 
     @api.model
-    def _search(self, domain, offset=0, limit=None, order=None):
+    def _search(self, domain, offset=0, limit=None, order=None, **kwargs):
         if self.env.context.get('bypass_user_restriction'):
-            return super()._search(domain, offset=offset, limit=limit, order=order)
+            return super()._search(domain, offset=offset, limit=limit, order=order, **kwargs)
         if not self.env.su and not self.env.user.has_group('base.group_system'):
             allowed_category_ids = get_allowed_ids(self.env, 'res_users_approval_category_rel', 'category_id', self.env.user.id)
             if allowed_category_ids:
-                domain = expression.AND([domain or [], [('category_id', 'in', allowed_category_ids)]])
-        return super()._search(domain, offset=offset, limit=limit, order=order)
+                domain = list(Domain(domain or []) & Domain([('category_id', 'in', allowed_category_ids)]))
+        return super()._search(domain, offset=offset, limit=limit, order=order, **kwargs)

models/stock_picking.py

@@ -0,0 +1,34 @@
+from odoo import models, fields, api
+
+class StockPicking(models.Model):
+    _inherit = 'stock.picking'
+
+    restrict_quality_check_button = fields.Boolean(compute='_compute_restrict_quality_check_button')
+
+    @api.depends_context('uid')
+    def _compute_restrict_quality_check_button(self):
+        user = self.env.user
+        for picking in self:
+            # Check if user is in restricted groups (Inventory User or MPS User/Manager)
+            # MPS user usually relates to Manufacturing Manager or User, but user specifically asked for "MPS User".
+            # Since there is no widespread "MPS User" group in standard, we assume it falls under Manufacturing.
+            # However, we will check strictly for the groups mentioned in the request:
+            # Inventory User: stock.group_stock_user
+            # Manufacturing User: mrp.group_mrp_user
+            # MPS User: mrp.group_mrp_manager (often implies MPS access)
+            
+            is_inventory_user = user.has_group('stock.group_stock_user')
+            is_mrp_user = user.has_group('mrp.group_mrp_user')
+            is_mrp_manager = user.has_group('mrp.group_mrp_manager')
+
+            # User is possibly restricted if they have one of these basic roles
+            is_restricted_role = is_inventory_user or is_mrp_user or is_mrp_manager
+
+            # But we must NOT hide if they are Quality Manager or System Admin
+            is_quality_manager = user.has_group('quality.group_quality_manager')
+            is_system = user.has_group('base.group_system')
+
+            if is_restricted_role and not (is_quality_manager or is_system):
+                picking.restrict_quality_check_button = True
+            else:
+                picking.restrict_quality_check_button = False

security/ir.model.access.csv

@@ -1,2 +1,2 @@
 id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
-access_stock_valuation_layer_internal_user,stock.valuation.layer.internal.user,stock_account.model_stock_valuation_layer,base.group_user,1,0,0,0
+

security/ir_rule.xml

@@ -60,16 +60,7 @@
         </record>
 
         <!-- New rules to satisfy Inventory Reporting requirements -->
-        <record id="stock_valuation_layer_permissive_rule" model="ir.rule">
-            <field name="name">Stock Valuation Layer Permissive Access</field>
-            <field name="model_id" ref="stock_account.model_stock_valuation_layer"/>
-            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
-            <field name="domain_force">[(1, '=', 1)]</field>
-            <field name="perm_read" eval="True"/>
-            <field name="perm_write" eval="False"/>
-            <field name="perm_create" eval="False"/>
-            <field name="perm_unlink" eval="False"/>
-        </record>
+
 
         <record id="stock_quant_permissive_rule" model="ir.rule">
             <field name="name">Stock Quant Permissive Access</field>

views/mrp_production_views.xml

@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="utf-8"?>
+<odoo>
+    <!-- Inherit from quality_mrp view -->
+    <record id="view_mrp_production_form_inherit_access_restriction" model="ir.ui.view">
+        <field name="name">mrp.production.view.form.inherit.access.restriction</field>
+        <field name="model">mrp.production</field>
+        <field name="inherit_id" ref="quality_mrp.mrp_production_view_form_inherit_quality"/>
+        <field name="arch" type="xml">
+            <field name="state" position="before">
+                 <field name="restrict_quality_check_button" invisible="1"/>
+            </field>
+
+            <!-- Header Button -->
+            <xpath expr="//button[@name='check_quality']" position="attributes">
+                <attribute name="invisible">not quality_check_todo or restrict_quality_check_button</attribute>
+            </xpath>
+
+             <!-- Smart Buttons -->
+            <xpath expr="//button[@name='%(quality_mrp.quality_check_action_mo)d'][1]" position="attributes">
+                <attribute name="invisible">not check_ids or quality_check_fail or not quality_check_todo or restrict_quality_check_button</attribute>
+            </xpath>
+            <xpath expr="//button[@name='%(quality_mrp.quality_check_action_mo)d'][2]" position="attributes">
+                <attribute name="invisible">not check_ids or quality_check_fail or quality_check_todo or restrict_quality_check_button</attribute>
+            </xpath>
+             <xpath expr="//button[@name='%(quality_mrp.quality_check_action_mo)d'][3]" position="attributes">
+                <attribute name="invisible">not check_ids or not quality_check_fail or restrict_quality_check_button</attribute>
+            </xpath>
+
+        </field>
+    </record>
+</odoo>

views/stock_picking_views.xml

@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="utf-8"?>
+<odoo>
+    <!-- Inherit from the quality control view that adds the button -->
+    <!-- We need to ensure we target the right buttons. The Quality Checks button is added by quality_control/views/stock_picking_views.xml -->
+    <!-- The button names are 'check_quality', 'open_quality_alert_picking', 'action_open_quality_check_picking' -->
+    
+    <record id="view_picking_form_inherit_access_restriction" model="ir.ui.view">
+        <field name="name">stock.picking.view.form.inherit.access.restriction</field>
+        <field name="model">stock.picking</field>
+        <field name="inherit_id" ref="quality_control.stock_picking_view_form_inherit_quality"/>
+        <field name="arch" type="xml">
+            <field name="state" position="before">
+                <field name="restrict_quality_check_button" invisible="1"/>
+            </field>
+            
+            <!-- Hide the 'Quality Checks' button (header) -->
+            <xpath expr="//button[@name='check_quality']" position="attributes">
+                <attribute name="invisible">not quality_check_todo or state in ('done', 'cancel') or restrict_quality_check_button</attribute>
+            </xpath>
+
+            <!-- Hide the 'Quality Checks' smart buttons -->
+            <!-- There are multiple buttons with same name/icon but different states/colors -->
+            <!-- We target all of them if possible, or specifically by their index/attributes -->
+            
+            <xpath expr="//button[@name='action_open_quality_check_picking'][1]" position="attributes">
+                 <attribute name="invisible">not check_ids or quality_check_fail or not quality_check_todo or restrict_quality_check_button</attribute>
+            </xpath>
+             <xpath expr="//button[@name='action_open_quality_check_picking'][2]" position="attributes">
+                 <attribute name="invisible">not check_ids or quality_check_fail or quality_check_todo or restrict_quality_check_button</attribute>
+            </xpath>
+             <xpath expr="//button[@name='action_open_quality_check_picking'][3]" position="attributes">
+                 <attribute name="invisible">not check_ids or not quality_check_fail or restrict_quality_check_button</attribute>
+            </xpath>
+            
+        </field>
+    </record>
+</odoo>