From 027a758c34e00ef86ec1d8f813736489d8ad61f9 Mon Sep 17 00:00:00 2001
From: Holger Brunn <hbrunn@therp.nl>
Date: Thu, 30 Jun 2016 08:22:46 +0200
Subject: [PATCH] [ADD] check if our user may access the cleanup

---
 database_cleanup/models/purge_wizard.py | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/database_cleanup/models/purge_wizard.py b/database_cleanup/models/purge_wizard.py
index 0a1bc199f..7fad9fbe2 100644
--- a/database_cleanup/models/purge_wizard.py
+++ b/database_cleanup/models/purge_wizard.py
@@ -3,6 +3,7 @@
 # License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
 import logging
 from openerp import _, api, fields, models
+from openerp.exceptions import AccessDenied
 
 
 class CleanupPurgeLine(models.AbstractModel):
@@ -20,6 +21,14 @@ class CleanupPurgeLine(models.AbstractModel):
     def purge(self):
         raise NotImplementedError
 
+    @api.model
+    def create(self, values):
+        # make sure the user trying this is actually supposed to do it
+        if not self.env.ref('database_cleanup.menu_database_cleanup')\
+           .parent_id._filter_visible_menus():
+            raise AccessDenied
+        return super(CleanupPurgeLine, self).create(values)
+
 
 class PurgeWizard(models.AbstractModel):
     """ Abstract base class for the purge wizards """
@@ -74,4 +83,12 @@ class PurgeWizard(models.AbstractModel):
             for this in self
         ]
 
+    @api.model
+    def create(self, values):
+        # make sure the user trying this is actually supposed to do it
+        if not self.env.ref('database_cleanup.menu_database_cleanup')\
+           .parent_id._filter_visible_menus():
+            raise AccessDenied
+        return super(CleanupPurgeLine, self).create(values)
+
     purge_line_ids = fields.One2many('cleanup.purge.line', 'wizard_id')