From 231acbb841f38d506ea4e5ad7b2edeaefc702122 Mon Sep 17 00:00:00 2001 From: MuK IT GmbH Date: Mon, 22 Oct 2018 17:42:26 +0000 Subject: [PATCH] publish muk_security - 12.0 --- muk_security/models/mixins_access_groups.py | 112 ++++++++++---------- 1 file changed, 56 insertions(+), 56 deletions(-) diff --git a/muk_security/models/mixins_access_groups.py b/muk_security/models/mixins_access_groups.py index e34ef7a..299d228 100644 --- a/muk_security/models/mixins_access_groups.py +++ b/muk_security/models/mixins_access_groups.py @@ -27,7 +27,7 @@ from odoo.addons.muk_security.tools.security import NoSecurityUid _logger = logging.getLogger(__name__) -class BaseModelAccessGroups(models.AbstractModel): +class AccessGroupsModel(models.AbstractModel): _name = 'muk_security.mixins.access_groups' _description = "Group Access Mixin" @@ -39,6 +39,9 @@ class BaseModelAccessGroups(models.AbstractModel): # If set the group fields are restricted by the access group _field_groups = None + # If set to True the model is extended by fields to suspend the checks + _active_suspend = False + # If set the suspend fields are restricted by the access group _suspend_groups = None @@ -48,39 +51,39 @@ class BaseModelAccessGroups(models.AbstractModel): @api.model def _add_magic_fields(self): - super(BaseModelAccessGroups, self)._add_magic_fields() + super(AccessGroupsModel, self)._add_magic_fields() def add(name, field): if name not in self._fields: self._add_field(name, field) - model = self._name.split(".")[-1] - add('suspend_security_read', fields.Boolean( - _module=self._module, - string="Suspend Security for Read", - automatic=True, - default=False, - groups=self._suspend_groups)) - add('suspend_security_create', fields.Boolean( - _module=self._module, - string="Suspend Security for Create", - automatic=True, - default=False, - groups=self._suspend_groups)) - add('suspend_security_write', fields.Boolean( - _module=self._module, - string="Suspend Security for Write", - automatic=True, - default=False, - groups=self._suspend_groups)) - add('suspend_security_unlink', fields.Boolean( - _module=self._module, - string="Suspend Security for Unlink", - automatic=True, - default=False, - groups=self._suspend_groups)) + if self._active_suspend: + add('suspend_security_read', fields.Boolean( + _module=self._module, + string="Suspend Security for Read", + automatic=True, + default=False, + groups=self._suspend_groups)) + add('suspend_security_create', fields.Boolean( + _module=self._module, + string="Suspend Security for Create", + automatic=True, + default=False, + groups=self._suspend_groups)) + add('suspend_security_write', fields.Boolean( + _module=self._module, + string="Suspend Security for Write", + automatic=True, + default=False, + groups=self._suspend_groups)) + add('suspend_security_unlink', fields.Boolean( + _module=self._module, + string="Suspend Security for Unlink", + automatic=True, + default=False, + groups=self._suspend_groups)) add('groups', fields.Many2many( _module=self._module, comodel_name='muk_security.groups', - relation='muk_groups_%s_rel' % model, + relation='%s_groups_rel' % (self._table), column1='aid', column2='gid', string="Groups", @@ -89,7 +92,7 @@ class BaseModelAccessGroups(models.AbstractModel): add('complete_groups', fields.Many2many( _module=self._module, comodel_name='muk_security.groups', - relation='muk_groups_complete_%s_rel' % model, + relation='%s_complete_groups_rel' % (self._table), column1='aid', column2='gid', string="Complete Groups", @@ -104,17 +107,16 @@ class BaseModelAccessGroups(models.AbstractModel): @api.model def _get_no_access_ids(self): - model = self._name.split(".")[-1] if not self._strict_security: sql = ''' SELECT id FROM %s a WHERE NOT EXISTS ( SELECT * - FROM muk_groups_complete_%s_rel r + FROM %s_complete_groups_rel r WHERE r.aid = a.id ); - ''' % (self._table, model) + ''' % (self._table, self._table) self.env.cr.execute(sql) fetch = self.env.cr.fetchall() return len(fetch) > 0 and list(map(lambda x: x[0], fetch)) or [] @@ -123,26 +125,28 @@ class BaseModelAccessGroups(models.AbstractModel): @api.model def _get_suspended_access_ids(self, operation): - model = self._name.split(".")[-1] - sql = ''' - SELECT id - FROM %s a - WHERE a.suspend_security_%s = true - ''' % (self._table, operation) - self.env.cr.execute(sql) - fetch = self.env.cr.fetchall() - return len(fetch) > 0 and list(map(lambda x: x[0], fetch)) or [] - + if self._active_suspend: + sql = ''' + SELECT id + FROM %s a + WHERE a.suspend_security_%s = true + ''' % (self._table, operation) + self.env.cr.execute(sql) + fetch = self.env.cr.fetchall() + return len(fetch) > 0 and list(map(lambda x: x[0], fetch)) or [] + else: + return [] + @api.model def _get_access_ids(self): model = self._name.split(".")[-1] sql = ''' SELECT r.aid - FROM muk_groups_complete_%s_rel r - JOIN muk_security_groups g ON r.gid = g.id - JOIN muk_security_groups_users_rel u ON r.gid = u.gid + FROM %s_complete_groups_rel r + JOIN muk_security_access_groups g ON r.gid = g.id + JOIN muk_security_access_groups_users_rel u ON r.gid = u.gid WHERE u.uid = %s AND g.perm_read = true - ''' % (model, self.env.user.id) + ''' % (self._table, self.env.user.id) self.env.cr.execute(sql) fetch = self.env.cr.fetchall() access_ids = len(fetch) > 0 and list(map(lambda x: x[0], fetch)) or [] @@ -171,16 +175,15 @@ class BaseModelAccessGroups(models.AbstractModel): def check_access_groups(self, operation): if self.env.user.id == SUPERUSER_ID or self._eval_access_skip(operation): return None - model = self._name.split(".")[-1] filter_ids = self._get_ids_without_security(operation) for record in self.filtered(lambda rec: rec.id not in filter_ids): sql = ''' SELECT perm_%s - FROM muk_groups_complete_%s_rel r - JOIN muk_security_groups g ON g.id = r.gid - JOIN muk_security_groups_users_rel u ON u.gid = g.id + FROM %s_complete_groups_rel r + JOIN muk_security_access_groups g ON r.gid = g.id + JOIN muk_security_access_groups_users_rel u ON r.gid = u.gid WHERE r.aid = %s AND u.uid = %s - ''' % (operation, model, record.id, self.env.user.id) + ''' % (operation, self._table, record.id, self.env.user.id) self.env.cr.execute(sql) fetch = self.env.cr.fetchall() if not any(list(map(lambda x: x[0], fetch))): @@ -191,13 +194,10 @@ class BaseModelAccessGroups(models.AbstractModel): res = super(BaseModelAccessGroups, self).check_access(operation, raise_exception) try: access_groups = self.check_access_groups(operation) == None - access = res and access_groups - if not access and raise_exception: - raise AccessError(_("This operation is forbidden!")) - return access + return res and access_groups except AccessError: if raise_exception: - raise AccessError(_("This operation is forbidden!")) + raise return False #----------------------------------------------------------