From c72297864f75991c7acdcbd1ddf8b6f32e10d77b Mon Sep 17 00:00:00 2001
From: Thomas Binsfeld
Date: Mon, 8 Oct 2018 11:45:13 +0200
Subject: [PATCH 1/4] [REF] Server Environment: restrict access to server config to allowed users New security group restricting access to server config Admin is part of the group by default
---
 server_environment/__openerp__.py | 1 +
 server_environment/security/res_groups.xml | 10 ++++++++++
 server_environment/serv_config.py | 5 +++++
 3 files changed, 16 insertions(+)
 create mode 100644 server_environment/security/res_groups.xml
diff --git a/server_environment/__openerp__.py b/server_environment/__openerp__.py
index f4bd078e7..3bdb61107 100644
--- a/server_environment/__openerp__.py
+++ b/server_environment/__openerp__.py
@@ -29,6 +29,7 @@
 "license": "GPL-3 or any later version",
 "category": "Tools",
 "data": [
+ 'security/res_groups.xml',
 'serv_config.xml',
 ],
 'installable': True,
diff --git a/server_environment/security/res_groups.xml b/server_environment/security/res_groups.xml
new file mode 100644
index 000000000..1297fbf26
--- /dev/null
+++ b/server_environment/security/res_groups.xml
@@ -0,0 +1,10 @@
+
+
+
+
+
+ View Server Environment Configuration
+
+
+
+
diff --git a/server_environment/serv_config.py b/server_environment/serv_config.py
index 7f67d44c3..5f52d37c2 100644
--- a/server_environment/serv_config.py
+++ b/server_environment/serv_config.py
@@ -248,6 +248,11 @@ class ServerConfiguration(models.TransientModel):
 def default_get(self, cr, uid, fields_list, context=None):
 res = {}
+ current_user = self.pool['res.users'].browse(
+ cr, uid, uid, context=context)
+ if not current_user.has_group(
+ 'server_environment.has_server_configuration_access'):
+ return res
 for key in self._conf_defaults:
 if 'passw' in key and not self.show_passwords:
 res[key] = '**********'
From ab4f2127c4a98ff7ca9868c5e97a17fcea4bd233 Mon Sep 17 00:00:00 2001
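Review bot: The group check added to `default_get` fails closed but silently, and it is the only enforcement this patch adds: the diffstat touches the manifest, the new group file and `serv_config.py`, but no menu, action or access-rule file. A user outside `server_environment.has_server_configuration_access` therefore still opens the wizard and sees an empty form, and whatever the view-building code exposes (field names, not visible in this hunk) is not covered by the check. Consider also restricting the entry point, e.g. `groups="server_environment.has_server_configuration_access"` on the menu item (presumably in `serv_config.xml`), and marking the early return with a comment such as `# Fail closed: users outside the group get no configuration values.` The body of `default_get` continues past the end of the hunk.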
From: Thomas Binsfeld
Date: Mon, 8 Oct 2018 11:48:18 +0200
Subject: [PATCH 2/4] [REF] Server Environment: allow to define secret keys New method defining which keys must be considered as secret keys and be hidden in other environments than DEV
---
 server_environment/serv_config.py | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/server_environment/serv_config.py b/server_environment/serv_config.py
index 5f52d37c2..b5dc9549a 100644
--- a/server_environment/serv_config.py
+++ b/server_environment/serv_config.py
@@ -25,7 +25,7 @@ import ConfigParser
 from lxml import etree
 from itertools import chain
-from openerp import models, fields
+from openerp import api, models, fields
 from openerp.tools.config import config as system_base_config
 from .system_info import get_server_environment
@@ -246,6 +246,16 @@ class ServerConfiguration(models.TransientModel):
 res['fields'] = xfields
 return res
+ @api.model
+ def _is_secret(self, key):
+ """
+ This method is intended to be inherited to defined which keywords
+ should be secret.
+ :return: list of secret keywords
+ """
+ secret_keys = ['passw', 'key', 'secret', 'token']
+ return any(secret_key in key for secret_key in secret_keys)
+
 def default_get(self, cr, uid, fields_list, context=None):
 res = {}
 current_user = self.pool['res.users'].browse(
@@ -254,7 +264,8 @@ class ServerConfiguration(models.TransientModel):
 'server_environment.has_server_configuration_access'):
 return res
 for key in self._conf_defaults:
- if 'passw' in key and not self.show_passwords:
+ if not self.show_passwords and self._is_secret(
+ cr, uid, context=context, key=key):
 res[key] = '**********'
 else:
 res[key] = self._conf_defaults[key]()
From d55e6ad6be4601e03696521d8044e0bc9f445d24 Mon Sep 17 00:00:00 2001
From: Thomas Binsfeld
Date: Mon, 8 Oct 2018 12:02:05 +0200
Subject: [PATCH 3/4] [REF] Gitignore: ignore *.eggs
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
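Review bot: The docstring of `_is_secret` documents the wrong contract: it says `:return: list of secret keywords`, but the method returns the bool produced by `any(...)`, and `default_get` uses it as a predicate. An override written against the docstring would return a list, which masks every key when non-empty and no key when empty. The docstring should state the real contract, e.g. `Return True if the value stored under ``key`` must be masked.` with `:param key: configuration key name` and `:return: bool`, and "to defined" should read "to define". Because `secret_keys` is a local variable, an inheriting module has to reimplement the matching to add a keyword; that is worth saying in the docstring too.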
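Review bot: Masking in this loop is a deny-list on key names, so it fails open: any key containing none of the four substrings falls through to the `else` branch and `self._conf_defaults[key]()` is returned in clear even when `show_passwords` is false. The substring test in `_is_secret` is also case-sensitive, and whether keys are lower-cased before they reach `_conf_defaults` is not visible here. A secret kept under a differently named key (for instance a connection string with embedded credentials) stays visible unless `_is_secret` is overridden. A comment above the condition would make that explicit, e.g. `# Only keys matched by _is_secret() are masked; all other values are shown as-is.` The loop and the remainder of `default_get` lie outside the hunk.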
diff --git a/.gitignore b/.gitignore
index 890ff0109..7f2d43821 100644
--- a/.gitignore
+++ b/.gitignore
@@ -21,6 +21,7 @@ var/
 *.egg-info/
 .installed.cfg
 *.egg
+*.eggs
 # Installer logs
 pip-log.txt
From 6d4bbf2cfa63d7a98f81b706bdc7fd9245181e30 Mon Sep 17 00:00:00 2001
From: Thomas Binsfeld
Date: Thu, 25 Oct 2018 09:20:51 +0200
Subject: [PATCH 4/4] [UPD] Server Environment: new secret keys in README
---
 server_environment/README.rst | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/server_environment/README.rst b/server_environment/README.rst
index ddae44300..faf30cd29 100644
--- a/server_environment/README.rst
+++ b/server_environment/README.rst
@@ -15,7 +15,8 @@ module. All the settings will be read only and visible under the Configuration menu. If you are not in the 'dev' environment you will not be able to
-see the values contained in keys named '*passw*'.
+see the values contained in the defined secret keys
+(by default : '*passw*', '*key*', '*secret*' and '*token*').
 Installation
 ============