damien
/
muk_base
mirror of https://github.com/muk-it/muk_base
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
225 Commits
5 Branches
0 Tags
14 MiB
Tree: c4f4ba12d1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c4f4ba12d1'
${ noResults }
muk_base/muk_security/models/mixins_access_groups.py

274 lines
10 KiB
Raw Normal View History

publish muk_security - 12.0
6 years ago
publish muk_security - 12.0
6 years ago
publish muk_security - 12.0
6 years ago
  1. ###################################################################################
  2. #
  3. # Copyright (C) 2017 MuK IT GmbH
  4. #
  5. # This program is free software: you can redistribute it and/or modify
  6. # it under the terms of the GNU Affero General Public License as
  7. # published by the Free Software Foundation, either version 3 of the
  8. # License, or (at your option) any later version.
  9. #
  10. # This program is distributed in the hope that it will be useful,
  11. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  12. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  13. # GNU Affero General Public License for more details.
  14. #
  15. # You should have received a copy of the GNU Affero General Public License
  16. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  17. #
  18. ###################################################################################
  20. import logging
  22. from odoo import _, SUPERUSER_ID
  23. from odoo import models, api, fields
  24. from odoo.exceptions import AccessError
  26. from odoo.addons.muk_security.tools.security import NoSecurityUid
  28. _logger = logging.getLogger(__name__)
  30. class BaseModelAccessGroups(models.AbstractModel):
  32. _name = 'muk_security.mixins.access_groups'
  33. _description = "Group Access Mixin"
  34. _inherit = 'muk_security.mixins.access'
  36. # Set it to True to enforced security even if no group has been set
  37. _strict_security = False
  39. # If set the group fields are restricted by the access group
  40. _field_groups = None
  42. # If set the suspend fields are restricted by the access group
  43. _suspend_groups = None
  45. #----------------------------------------------------------
  46. # Datebase
  47. #----------------------------------------------------------
  49. @api.model
  50. def _add_magic_fields(self):
  51. super(BaseModelAccessGroups, self)._add_magic_fields()
  52. def add(name, field):
  53. if name not in self._fields:
  54. self._add_field(name, field)
  55. model = self._name.split(".")[-1]
  56. add('suspend_security_read', fields.Boolean(
  57. _module=self._module,
  58. string="Suspend Security for Read",
  59. automatic=True,
  60. default=False,
  61. groups=self._suspend_groups))
  62. add('suspend_security_create', fields.Boolean(
  63. _module=self._module,
  64. string="Suspend Security for Create",
  65. automatic=True,
  66. default=False,
  67. groups=self._suspend_groups))
  68. add('suspend_security_write', fields.Boolean(
  69. _module=self._module,
  70. string="Suspend Security for Write",
  71. automatic=True,
  72. default=False,
  73. groups=self._suspend_groups))
  74. add('suspend_security_unlink', fields.Boolean(
  75. _module=self._module,
  76. string="Suspend Security for Unlink",
  77. automatic=True,
  78. default=False,
  79. groups=self._suspend_groups))
  80. add('groups', fields.Many2many(
  81. _module=self._module,
  82. comodel_name='muk_security.groups',
  83. relation='muk_groups_%s_rel' % model,
  84. column1='aid',
  85. column2='gid',
  86. string="Groups",
  87. automatic=True,
  88. groups=self._field_groups))
  89. add('complete_groups', fields.Many2many(
  90. _module=self._module,
  91. comodel_name='muk_security.groups',
  92. relation='muk_groups_complete_%s_rel' % model,
  93. column1='aid',
  94. column2='gid',
  95. string="Complete Groups",
  96. compute='_compute_groups',
  97. store=True,
  98. automatic=True,
  99. groups=self._field_groups))
  101. #----------------------------------------------------------
  102. # Function
  103. #----------------------------------------------------------
  105. @api.model
  106. def _get_no_access_ids(self):
  107. model = self._name.split(".")[-1]
  108. if not self._strict_security:
  109. sql = '''
  110. SELECT id
  111. FROM %s a
  112. WHERE NOT EXISTS (
  113. SELECT *
  114. FROM muk_groups_complete_%s_rel r
  115. WHERE r.aid = a.id
  116. );
  117. ''' % (self._table, model)
  118. self.env.cr.execute(sql)
  119. fetch = self.env.cr.fetchall()
  120. return len(fetch) > 0 and list(map(lambda x: x[0], fetch)) or []
  121. else:
  122. return []
  124. @api.model
  125. def _get_suspended_access_ids(self, operation):
  126. model = self._name.split(".")[-1]
  127. sql = '''
  128. SELECT id
  129. FROM %s a
  130. WHERE a.suspend_security_%s = true
  131. ''' % (self._table, operation)
  132. self.env.cr.execute(sql)
  133. fetch = self.env.cr.fetchall()
  134. return len(fetch) > 0 and list(map(lambda x: x[0], fetch)) or []
  136. @api.model
  137. def _get_access_ids(self):
  138. model = self._name.split(".")[-1]
  139. sql = '''
  140. SELECT r.aid
  141. FROM muk_groups_complete_%s_rel r
  142. JOIN muk_security_groups g ON r.gid = g.id
  143. JOIN muk_security_groups_users_rel u ON r.gid = u.gid
  144. WHERE u.uid = %s AND g.perm_read = true
  145. ''' % (model, self.env.user.id)
  146. self.env.cr.execute(sql)
  147. fetch = self.env.cr.fetchall()
  148. access_ids = len(fetch) > 0 and list(map(lambda x: x[0], fetch)) or []
  149. return access_ids
  151. @api.model
  152. def _get_ids_without_security(self, operation):
  153. no_access_ids = self._get_no_access_ids()
  154. suspended_access_ids = self._get_suspended_access_ids(operation)
  155. return list(set(no_access_ids).union(suspended_access_ids))
  157. @api.model
  158. def _get_complete_access_ids(self, operation):
  159. access_ids = self._get_access_ids()
  160. no_access_ids = self._get_no_access_ids()
  161. suspended_access_ids = self._get_suspended_access_ids(operation)
  162. return list(set(access_ids).union(no_access_ids, suspended_access_ids))
  164. @api.multi
  165. def _eval_access_skip(self, operation):
  166. if isinstance(self.env.uid, NoSecurityUid):
  167. return True
  168. return False
  170. @api.multi
  171. def check_access_groups(self, operation):
  172. if self.env.user.id == SUPERUSER_ID or self._eval_access_skip(operation):
  173. return None
  174. model = self._name.split(".")[-1]
  175. filter_ids = self._get_ids_without_security(operation)
  176. for record in self.filtered(lambda rec: rec.id not in filter_ids):
  177. sql = '''
  178. SELECT perm_%s
  179. FROM muk_groups_complete_%s_rel r
  180. JOIN muk_security_groups g ON g.id = r.gid
  181. JOIN muk_security_groups_users_rel u ON u.gid = g.id
  182. WHERE r.aid = %s AND u.uid = %s
  183. ''' % (operation, model, record.id, self.env.user.id)
  184. self.env.cr.execute(sql)
  185. fetch = self.env.cr.fetchall()
  186. if not any(list(map(lambda x: x[0], fetch))):
  187. raise AccessError(_("This operation is forbidden!"))
  189. @api.multi
  190. def check_access(self, operation, raise_exception=False):
  191. res = super(BaseModelAccessGroups, self).check_access(operation, raise_exception)
  192. try:
  193. access_groups = self.check_access_groups(operation) == None
  194. access = res and access_groups
  195. if not access and raise_exception:
  196. raise AccessError(_("This operation is forbidden!"))
  197. return access
  198. except AccessError:
  199. if raise_exception:
  200. raise AccessError(_("This operation is forbidden!"))
  201. return False
  203. #----------------------------------------------------------
  204. # Read
  205. #----------------------------------------------------------
  207. @api.multi
  208. def _after_read(self, result, *largs, **kwargs):
  209. result = super(BaseModelAccessGroups, self)._after_read(result)
  210. if self.env.user.id == SUPERUSER_ID or self._eval_access_skip("read"):
  211. return result
  212. access_ids = self._get_complete_access_ids("read")
  213. result = [result] if not isinstance(result, list) else result
  214. if len(access_ids) > 0:
  215. access_result = []
  216. for record in result:
  217. if record['id'] in access_ids:
  218. access_result.append(record)
  219. return access_result
  220. return []
  222. @api.model
  223. def _after_search(self, result, *largs, **kwargs):
  224. result = super(BaseModelAccessGroups, self)._after_search(result)
  225. if self.env.user.id == SUPERUSER_ID or self._eval_access_skip("read"):
  226. return result
  227. access_ids = self._get_complete_access_ids("read")
  228. if len(access_ids) > 0:
  229. access_result = self.env[self._name]
  230. if isinstance(result, int):
  231. if result in access_ids:
  232. return result
  233. else:
  234. for record in result:
  235. if record.id in access_ids:
  236. access_result += record
  237. return access_result
  238. return self.env[self._name]
  240. @api.model
  241. def _after_name_search(self, result, *largs, **kwargs):
  242. result = super(BaseModelAccessGroups, self)._after_name_search(result)
  243. if self.env.user.id == SUPERUSER_ID or self._eval_access_skip("read"):
  244. return result
  245. access_ids = self._get_complete_access_ids("read")
  246. if len(access_ids) > 0:
  247. access_result = []
  248. for tuple in result:
  249. if tuple[0] in access_ids:
  250. access_result.append(tuple)
  251. return access_result
  252. return []
  254. #----------------------------------------------------------
  255. # Read, View
  256. #----------------------------------------------------------
  258. @api.depends('groups')
  259. def _compute_groups(self):
  260. for record in self:
  261. record.complete_groups = record.groups
  263. #----------------------------------------------------------
  264. # Create, Update, Delete
  265. #----------------------------------------------------------
  267. @api.multi
  268. def _before_write(self, vals, *largs, **kwargs):
  269. self.check_access_groups('write')
  270. return super(BaseModelAccessGroups, self)._before_write(vals, *largs, **kwargs)
  272. @api.multi
  273. def _before_unlink(self, *largs, **kwargs):
  274. self.check_access_groups('unlink')
  275. return super(BaseModelAccessGroups, self)._before_unlink(*largs, **kwargs)