diff --git a/analytic_restrictions/__init__.py b/analytic_restrictions/__init__.py index e69de29b..1ccbfaa5 100644 --- a/analytic_restrictions/__init__.py +++ b/analytic_restrictions/__init__.py @@ -0,0 +1 @@ +from .hooks import uninstall_hook diff --git a/analytic_restrictions/__manifest__.py b/analytic_restrictions/__manifest__.py index cb4ccbfd..7f51a160 100644 --- a/analytic_restrictions/__manifest__.py +++ b/analytic_restrictions/__manifest__.py @@ -9,10 +9,17 @@ "license": "AGPL-3", "author": "Escodoo", "website": "https://github.com/Escodoo/account-addons", - "depends": ["analytic", "account_analytic_tag", "account"], + "depends": [ + "analytic", + "account_analytic_tag", + "account", + "project", + "hr_timesheet", + ], "data": [ "security/analytic_security.xml", "security/ir.model.access.csv", ], "demo": [], + "uninstall_hook": "uninstall_hook", } diff --git a/analytic_restrictions/hooks.py b/analytic_restrictions/hooks.py new file mode 100644 index 00000000..964ce50c --- /dev/null +++ b/analytic_restrictions/hooks.py @@ -0,0 +1,40 @@ +# Copyright 2026 - TODAY, Wesley Oliveira +# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl). + +from odoo import SUPERUSER_ID, api + +_ORIGINAL_PERMS = { + "analytic.access_account_analytic_account": (1, 1, 1, 1), + "analytic.access_account_analytic_line": (1, 1, 1, 1), + "analytic.access_account_analytic_distribution_model": (1, 1, 1, 1), + "analytic.access_account_analytic_plan": (1, 1, 1, 1), + "analytic.access_account_analytic_applicability": (1, 1, 1, 1), + "account_analytic_tag.access_account_analytic_tag_manager": (1, 1, 1, 1), + "project.access_account_analytic_line_project": (1, 1, 1, 1), + "account.access_account_analytic_accountant": (1, 1, 1, 1), + "account.access_account_analytic_plan_accountant": (1, 1, 1, 1), + "account.access_account_analytic_applicability_accountant": (1, 1, 1, 1), + "account.access_account_analytic_distribution_invoice": (1, 1, 1, 1), + "hr_timesheet.access_account_analytic_user": (1, 1, 0, 0), +} + + +def uninstall_hook(cr, registry): + env = api.Environment(cr, SUPERUSER_ID, {}) + for xmlid, ( + perm_read, + perm_write, + perm_create, + perm_unlink, + ) in _ORIGINAL_PERMS.items(): + acl = env.ref(xmlid, raise_if_not_found=False) + if not acl: + continue + acl.write( + { + "perm_read": bool(perm_read), + "perm_write": bool(perm_write), + "perm_create": bool(perm_create), + "perm_unlink": bool(perm_unlink), + } + ) diff --git a/analytic_restrictions/security/analytic_security.xml b/analytic_restrictions/security/analytic_security.xml index b95494c4..5cac51f5 100644 --- a/analytic_restrictions/security/analytic_security.xml +++ b/analytic_restrictions/security/analytic_security.xml @@ -5,7 +5,156 @@ + + + + account.analytic.account.read + + + + + + + + + + account.analytic.line.read + + + + + + + + + + account.analytic.distribution.model.read + + + + + + + + + + account.analytic.plan.read + + + + + + + + + + account.analytic.applicability.read + + + + + + + + + + + account.analytic.tag.read + + + + + + + + + + + account.analytic.line.read + + + + + + + + + + + account.analytic.account.read + + + + + + + + + + account.analytic.plan.read + + + + + + + + + + account.analytic.applicability.read + + + + + + + + + + account.analytic.distribution.model.read + + + + + + + + + + + account.analytic.account.read + + + + + + + diff --git a/analytic_restrictions/security/ir.model.access.csv b/analytic_restrictions/security/ir.model.access.csv index a5d5f84d..4aee2569 100644 --- a/analytic_restrictions/security/ir.model.access.csv +++ b/analytic_restrictions/security/ir.model.access.csv @@ -1,8 +1,7 @@ id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink -access_account_analytic_account,access_account_analytic_account,analytic.model_account_analytic_account,analytic.group_analytic_accounting,1,0,0,0 -access_account_analytic_line,access_account_analytic_line,analytic.model_account_analytic_line,analytic.group_analytic_accounting,1,0,0,0 -access_account_analytic_distribution,access_account_analytic_distribution,analytic.model_account_analytic_distribution_model,analytic.group_analytic_accounting,1,0,0,0 - access_account_analytic_account_admin,access_account_analytic_account_admin,analytic.model_account_analytic_account,analytic_restrictions.group_analytic_accounting_admin,1,1,1,1 access_account_analytic_line_admin,access_account_analytic_line_admin,analytic.model_account_analytic_line,analytic_restrictions.group_analytic_accounting_admin,1,1,1,1 access_account_analytic_distribution_admin,access_account_analytic_distribution_admin,analytic.model_account_analytic_distribution_model,analytic_restrictions.group_analytic_accounting_admin,1,1,1,1 +access_account_analytic_tag_admin,access_account_analytic_tag_admin,account_analytic_tag.model_account_analytic_tag,analytic_restrictions.group_analytic_accounting_admin,1,1,1,1 +access_account_analytic_plan_admin,access_account_analytic_plan_admin,analytic.model_account_analytic_plan,analytic_restrictions.group_analytic_accounting_admin,1,1,1,1 +access_account_analytic_applicability_admin,access_account_analytic_applicability_admin,analytic.model_account_analytic_applicability,analytic_restrictions.group_analytic_accounting_admin,1,1,1,1 diff --git a/analytic_restrictions/tests/test_analytic_restrictions.py b/analytic_restrictions/tests/test_analytic_restrictions.py index 406591f0..4a953eb7 100644 --- a/analytic_restrictions/tests/test_analytic_restrictions.py +++ b/analytic_restrictions/tests/test_analytic_restrictions.py @@ -20,6 +20,9 @@ def setUpClass(cls): cls.env.ref("analytic.model_account_analytic_account").model, cls.env.ref("analytic.model_account_analytic_line").model, cls.env.ref("analytic.model_account_analytic_distribution_model").model, + cls.env.ref("analytic.model_account_analytic_plan").model, + cls.env.ref("analytic.model_account_analytic_applicability").model, + cls.env.ref("account_analytic_tag.model_account_analytic_tag").model, ] cls.user_analytic = cls.env["res.users"].create( @@ -39,16 +42,8 @@ def setUpClass(cls): } ) - def test_admin_group_implies_analytic_group(self): - self.assertTrue( - self.user_admin.has_group( - "analytic_restrictions.group_analytic_accounting_admin" - ) - ) - self.assertTrue(self.user_admin.has_group("analytic.group_analytic_accounting")) - def test_acl_records_loaded(self): - ro = self.env.ref("analytic_restrictions.access_account_analytic_account") + ro = self.env.ref("analytic.access_account_analytic_account") self.assertTrue(ro.perm_read) self.assertFalse(ro.perm_write) self.assertFalse(ro.perm_create) @@ -64,18 +59,18 @@ def test_acl_records_loaded(self): self.assertTrue(admin.perm_unlink) self.assertEqual(admin.group_id, self.group_admin) - def test_admin_group_full_access_rights(self): + def test_analytic_group_is_read_only(self): for model_name in self.model_names: - m = self.env[model_name].with_user(self.user_admin) + m = self.env[model_name].with_user(self.user_analytic) self.assertTrue( m.check_access_rights("read", raise_exception=False), model_name ) - self.assertTrue( + self.assertFalse( m.check_access_rights("create", raise_exception=False), model_name ) - self.assertTrue( + self.assertFalse( m.check_access_rights("write", raise_exception=False), model_name ) - self.assertTrue( + self.assertFalse( m.check_access_rights("unlink", raise_exception=False), model_name )