[IMP] real_estate: restrict access date and define module data

gasa-odoo · gasa-odoo · commit 63322ee07414 · 2025-07-11T17:33:06.000+05:30
This tutorial helped implement strong security in the Real Estate module.
We learned to restrict access using user groups, access rights, and record rules.
Real estate agents can only manage their own properties, not others’.
Invoices can be created safely by bypassing access with proper checks.
Multi-company rules and visibility settings improve data privacy and user
experience.
This tutorial explained how to define and load different types of data in an
Odoo module.
We learned the difference between master data (essential for the module to work)
and demo data (useful for testing and demonstration).
Data can be added using CSV for simple entries and XML for more complex
or dynamic records.
We used eval, ref, search, and function to assign computed values, link existing
records, and run logic on data load.
We also learned to use X2many fields, how to extend data, and how to securely
access and reference records programmatically.
diff --git a/.gitignore b/.gitignore
@@ -127,3 +127,6 @@ dmypy.json
 
 # Pyre type checker
 .pyre/
+
+# Ignore VS Code settings
+.vscode/
diff --git a/estate_account/__init__.py b/estate_account/__init__.py
@@ -1 +1,2 @@
+# License LGPL-3
 from . import models
diff --git a/estate_account/__manifest__.py b/estate_account/__manifest__.py
@@ -2,12 +2,9 @@
     'name': "Account",
     'version': '1.0',
     'depends': ['base', 'estate_gasa', 'account'],
-    'author': "Author Name",
+    'author': "gasa",
     'category': 'Category',
     "license": "LGPL-3",
     "application": True,
-    "sequence": 1,
-    # 'data': [
-    #  'views/estate_property_views.xml',
-    # ],
+    "sequence": 1
 }
diff --git a/estate_account/models/estate.py b/estate_account/models/estate.py
@@ -5,19 +5,23 @@
 class Estate(models.Model):
     _inherit = 'estate.property'
 
-    def action_mark_sold(self):
+    def action_mark_sold(self): 
+        self.check_access_rights('write')
+        self.check_access_rule('write')
+
+        print(" REACHED ".center(100, '='))
         res = super().action_mark_sold()
 
+        journal = self.env['account.journal'].sudo().search([('type', '=', 'sale')], limit=1)
+        if not journal:
+            raise UserError("No sale journal found. Please configure at least one sale journal.")
+
         for record in self:
             if not record.buyer:
                 raise UserError("Please set a Buyer before generating an invoice.")
             if not record.selling_price:
                 raise UserError("Please set a Selling Price before generating an invoice.")
 
-            journal = self.env['account.journal'].search([('type', '=', 'sale')], limit=1)
-            if not journal:
-                raise UserError("No sale journal found. Please configure at least one sale journal.")
-
             invoice_vals = {
                 "partner_id": record.buyer.id,
                 "move_type": "out_invoice",
@@ -36,6 +40,6 @@ def action_mark_sold(self):
                 ]
             }
 
-            self.env["account.move"].create(invoice_vals)
+            self.env["account.move"].sudo().create(invoice_vals)
 
         return res
diff --git a/estate_gasa/__init__.py b/estate_gasa/__init__.py
@@ -1 +1,2 @@
+# License LGPL-3
 from . import models
diff --git a/estate_gasa/__manifest__.py b/estate_gasa/__manifest__.py
@@ -2,18 +2,24 @@
     'name': "estate",
     'version': '1.0',
     'depends': ['base'],
-    'author': "Author Name",
-    'category': 'Category',
+    'author': "gasa",
+    'category': 'Real Estate/Brokerage',
     "license": "LGPL-3",
     "application": True,
     "sequence": 1,
     'data': [
-     'security/ir.model.access.csv',
-     'views/estate_property_views.xml',
-     'views/estate_property_offer_views.xml',
-     'views/estate_property_type_views.xml',
-     'views/estate_tag_views.xml',
-     'views/inherited_model.xml',
-     'views/estate_menus.xml',
+        'security/security.xml',
+        'security/ir.model.access.csv',
+        'security/estate_property_rules.xml',
+        'data/estate.property.type.csv',
+        'views/estate_property_views.xml',
+        'views/estate_property_offer_views.xml',
+        'views/estate_property_type_views.xml',
+        'views/estate_tag_views.xml',
+        'views/inherited_model.xml',
+        'views/estate_menus.xml'
+    ],
+    "demo": [
+        'demo/estate_property_demo_data.xml',
     ],
 }
diff --git a/estate_gasa/data/estate.property.type.csv b/estate_gasa/data/estate.property.type.csv
@@ -0,0 +1,5 @@
+id,name
+estate_property_type_residential,Residential
+estate_property_type_commercial,Commercial
+estate_property_type_industrial,Industrial
+estate_property_type_land,Land
diff --git a/estate_gasa/demo/estate_property_demo_data.xml b/estate_gasa/demo/estate_property_demo_data.xml
@@ -0,0 +1,98 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<odoo>
+    <record id="demo_property_big_villa" model="estate.property">
+        <field name="name">Big Villa</field>
+        <field name="state">new</field>
+        <field name="description">A nice and big villa</field>
+        <field name="postcode">12345</field>
+        <field name="date_availability">2025-07-10</field>
+        <field name="expected_price">97000</field>
+        <field name="selling_price">97000</field>
+        <field name="bedrooms">6</field>
+        <field name="living_area">100</field>
+        <field name="facades">4</field>
+        <field name="garage">True</field>
+        <field name="garden">True</field>
+        <field name="garden_area">100</field>
+        <field name="garden_orientation">south</field>
+        <field name="property_type" ref="estate_property_type_residential" />
+    </record>
+
+    <record id="demo_property_trailer_home" model="estate.property">
+        <field name="name">Trailer home</field>
+        <field name="state">cancelled</field>
+        <field name="description">Home in a trailer park</field>
+        <field name="postcode">54321</field>
+        <field name="date_availability">2025-07-10</field>
+        <field name="expected_price">1000</field>
+        <field name="selling_price">1000</field>
+        <field name="bedrooms">2</field>
+        <field name="living_area">100</field>
+        <field name="facades">4</field>
+        <field name="garage">True</field>
+        <field name="garden">True</field>
+        <field name="garden_orientation">south</field>
+        <field name="property_type" ref="estate_property_type_residential" />
+    </record>
+
+    <record id="property_offer_1" model="estate.property.offer">
+        <field name="partner_id" ref="base.res_partner_2" />
+        <field name="property_id" ref="demo_property_big_villa" />
+        <field name="price">90000</field>
+        <field name="validity">14</field>
+        <field name="date_deadline" eval="(datetime.now() + timedelta(days=14)).date().isoformat()" />
+    </record>
+
+    <record id="property_offer_2" model="estate.property.offer">
+        <field name="partner_id" ref="base.res_partner_2" />
+        <field name="property_id" ref="demo_property_big_villa" />
+        <field name="price">1500000</field>
+        <field name="validity">14</field>
+        <field name="date_deadline" eval="(datetime.now() + timedelta(days=14)).date().isoformat()" />
+    </record>
+
+    <record id="property_offer_3" model="estate.property.offer">
+        <field name="partner_id" ref="base.res_partner_3" />
+        <field name="property_id" ref="demo_property_big_villa" />
+        <field name="price">1500001</field>
+        <field name="validity">14</field>
+        <field name="date_deadline" eval="(datetime.now() + timedelta(days=14)).date().isoformat()" />
+    </record>
+    <function model="estate.property.offer" name="action_accept">
+        <value eval="[ref('property_offer_1')]" />
+    </function>
+
+    <function model="estate.property.offer" name="action_refuse">
+        <value eval="[ref('property_offer_2')]" />
+    </function>
+
+    <function model="estate.property.offer" name="action_refuse">
+        <value eval="[ref('property_offer_3')]" />
+    </function>
+
+    <record id="demo_property_with_inline_offers" model="estate.property">
+        <field name="name">Estate with Inline Offers</field>
+        <field name="state">new</field>
+        <field name="postcode">44444</field>
+        <field name="expected_price">120000</field>
+        <field name="date_availability">2025-07-15</field>
+        <field name="garden">True</field>
+        <field name="garage">True</field>
+        <field name="bedrooms">3</field>
+        <field name="living_area">95</field>
+        <field name="property_type" ref="estate_property_type_residential" />
+        <field name="offer_ids"
+            eval="[
+            Command.create({
+                'partner_id': ref('base.res_partner_2'),
+                'price': 100000,
+                'validity': 10,
+            }),
+            Command.create({
+                'partner_id': ref('base.res_partner_3'),
+                'price': 115000,
+                'validity': 14,
+            })
+        ]" />
+    </record>
+</odoo>
diff --git a/estate_gasa/models/__init__.py b/estate_gasa/models/__init__.py
@@ -1,3 +1,4 @@
+# License LGPL-3
 from . import estate
 from . import estate_property_type
 from . import estate_property_tag
diff --git a/estate_gasa/models/estate.py b/estate_gasa/models/estate.py
@@ -20,7 +20,8 @@ class Estate(models.Model):
     active = fields.Boolean(default=True)
     living_area = fields.Integer(string="Living Area")
     facades = fields.Integer(string="Facades")
-    garden = fields.Boolean(string="Garage")
+    garage = fields.Boolean(string="Garage")
+    garden = fields.Boolean(string="Garden")
     garden_area = fields.Integer(string="Garden Area")
     garden_orientation = fields.Selection(
         [
@@ -64,16 +65,23 @@ class Estate(models.Model):
         store=True
     )
 
-    @api.depends('living_area', 'garden_area')
-    def _compute_total_area(self):
-        for record in self:
-            record.total_area = record.living_area + record.garden_area
-
     best_price = fields.Float(
         string="Best Offer",
         compute="_compute_best_price"
     )
+
     selling_price = fields.Float(copy=False)
+    company_id = fields.Many2one(
+        'res.company',
+        string='Company',
+        required=True,
+        default=lambda self: self.env.company
+    )
+
+    @api.depends('living_area', 'garden_area')
+    def _compute_total_area(self):
+        for record in self:
+            record.total_area = record.living_area + record.garden_area
 
     @api.depends("offer_ids.price")
     def _compute_best_price(self):
@@ -102,11 +110,6 @@ def action_mark_cancelled(self):
                 raise UserError("Sold properties cannot be canceled.")
             record.state = 'cancelled'
 
-    _sql_constraints = [
-        ('check_expected_price_positive', 'CHECK(expected_price > 0)', 'The expected price must be strictly positive.'),
-        ('check_selling_price_positive', 'CHECK(selling_price >= 0)', 'The selling price must be positive.'),
-    ]
-
     @api.constrains('selling_price', 'expected_price')
     def _check_selling_price_threshold(self):
         for record in self:
@@ -127,3 +130,8 @@ def _check_property_state_before_delete(self):
         for record in self:
             if record.state not in ['new', 'cancelled']:
                 raise UserError("You can only delete properties that are in 'New' or 'Cancelled' state.")
+
+    _sql_constraints = [
+        ('check_expected_price_positive', 'CHECK(expected_price > 0)', 'The expected price must be strictly positive.'),
+        ('check_selling_price_positive', 'CHECK(selling_price >= 0)', 'The selling price must be positive.'),
+    ]
diff --git a/estate_gasa/models/estate_property_type.py b/estate_gasa/models/estate_property_type.py
@@ -9,15 +9,15 @@ class EstatePropertyType(models.Model):
     name = fields.Char(required=True)
     sequence = fields.Integer(string="Sequence", default=10)
     property_ids = fields.One2many("estate.property", "property_type", string="Properties")
-
-    _sql_constraints = [
-    ('unique_property_type_name', 'UNIQUE(name)',
-     'Property type name must be unique.'),
-    ]
     offer_ids = fields.One2many('estate.property.offer', 'property_type_id', string="Offers")
     offer_count = fields.Integer(compute='_compute_offer_count')
 
     @api.depends('offer_ids')
     def _compute_offer_count(self):
         for rec in self:
             rec.offer_count = len(rec.offer_ids)
+
+    _sql_constraints = [
+    ('unique_property_type_name', 'UNIQUE(name)',
+     'Property type name must be unique.'),
+    ]
diff --git a/estate_gasa/security/estate_property_rules.xml b/estate_gasa/security/estate_property_rules.xml
@@ -0,0 +1,35 @@
+<odoo>
+    <record id="estate_property_agent_rule" model="ir.rule">
+        <field name="name">Agents: Own or Unassigned Properties Only</field>
+        <field name="model_id" ref="model_estate_property" />
+        <field name="groups" eval="[(4, ref('estate_group_user'))]" />
+        <field name="domain_force">[
+            '|',
+            ('seller', '=', user.id),
+            ('seller', '=', False)
+            ]</field>
+        <field name="perm_read" eval="True" />
+        <field name="perm_write" eval="True" />
+        <field name="perm_create" eval="True" />
+        <field name="perm_unlink" eval="False" />
+    </record>
+    <record id="estate_property_manager_rule" model="ir.rule">
+        <field name="name">Managers: Full Access to Properties</field>
+        <field name="model_id" ref="model_estate_property" />
+        <field name="groups" eval="[(4, ref('estate_group_manager'))]" />
+        <field name="domain_force">[(1, '=', 1)]</field>
+        <field name="perm_read" eval="True" />
+        <field name="perm_write" eval="True" />
+        <field name="perm_create" eval="True" />
+        <field name="perm_unlink" eval="False" />
+    </record>
+    <record id="estate_property_multicompany_rule" model="ir.rule">
+        <field name="name">Estate Property Multi-company</field>
+        <field name="model_id" ref="model_estate_property" />
+        <field name="domain_force">[
+            ('company_id', 'in', company_ids)
+            ]</field>
+        <field name="global" eval="True" />
+        <field name="groups" eval="[(4, ref('estate_group_user'))]" />
+    </record>
+</odoo>
diff --git a/estate_gasa/security/ir.model.access.csv b/estate_gasa/security/ir.model.access.csv
@@ -1,5 +1,9 @@
-id,name,model_id/id,group_id/id,perm_read,perm_write,perm_create,perm_unlink
-access_estate_property,access_estate_property,model_estate_property,base.group_user,1,1,1,1
-access_estate_property_type,access_estate_property_type,model_estate_property_type,base.group_user,1,1,1,1
-access_estate_property_tag,access_estate_property_tag,model_estate_property_tag,base.group_user,1,1,1,1
-access_estate_property_offer,access_estate_property_offer,model_estate_property_offer,base.group_user,1,1,1,1
+id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
+access_estate_property_manager,access_estate_property_manager,model_estate_property,estate_group_manager,1,1,1,0
+access_estate_property_type_manager,access_estate_property_type_manager,model_estate_property_type,estate_group_manager,1,1,1,1
+access_estate_property_tag_manager,access_estate_property_tag_manager,model_estate_property_tag,estate_group_manager,1,1,1,1
+access_estate_offer_manager,access_estate_offer_manager,model_estate_property_offer,estate_group_manager,1,1,1,1
+
+access_estate_property_user,access_estate_property_user,model_estate_property,estate_group_user,1,1,1,0
+access_estate_property_type_user,access_estate_property_type_user,model_estate_property_type,estate_group_user,1,0,0,0
+access_estate_property_tag_user,access_estate_property_tag_user,model_estate_property_tag,estate_group_user,1,0,0,0
diff --git a/estate_gasa/security/security.xml b/estate_gasa/security/security.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<odoo>
+    <record id="estate_group_user" model="res.groups">
+        <field name="name">Agent</field>
+        <field name="category_id" ref="base.module_category_real_estate_brokerage" />
+    </record>
+
+    <record id="estate_group_manager" model="res.groups">
+        <field name="name">Manager</field>
+        <field name="category_id" ref="base.module_category_real_estate_brokerage" />
+        <field name="implied_ids" eval="[(4, ref('estate_group_user'))]" />
+    </record>
+</odoo>
diff --git a/estate_gasa/views/estate_menus.xml b/estate_gasa/views/estate_menus.xml
@@ -8,7 +8,8 @@
         parent="estate_menu_properties" />
 
     <!-- Submenu: Settings -->
-    <menuitem id="estate_menu_settings" name="Settings" parent="estate_menu_root" />
+    <menuitem id="estate_menu_settings" name="Settings" parent="estate_menu_root" sequence="100"
+        groups="estate_group_manager" />
     <menuitem id="estate_menu_property_type" name="Property Types"
         action="estate_property_type_action" parent="estate_menu_settings" />
     <menuitem id="estate_menu_property_tag" name="Property Tags"
diff --git a/estate_gasa/views/estate_property_type_views.xml b/estate_gasa/views/estate_property_type_views.xml
@@ -38,5 +38,6 @@
         <field name="name">Property Types</field>
         <field name="res_model">estate.property.type</field>
         <field name="view_mode">list,form</field>
+        <field name="groups_id" eval="[(4, ref('estate_group_manager'))]" />
     </record>
 </odoo>
diff --git a/estate_gasa/views/estate_property_views.xml b/estate_gasa/views/estate_property_views.xml
@@ -16,6 +16,9 @@
                         string="Cancel"
                         class="btn-secondary"
                         invisible="context.get('readonly', False) or state in ('sold', 'cancelled')" />
+                    <field name="state" widget="statusbar"
+                        statusbar_visible="new,offer_received,offer_accepted,sold,cancelled"
+                        style="min-width: 300px;" />
                 </header>
                 <sheet>
                     <div class="oe_title">
@@ -24,9 +27,7 @@
                             <h1>
                                 <field name="name" readonly="0" />
                             </h1>
-                            <field name="state" widget="statusbar"
-                                statusbar_visible="new,offer_received,offer_accepted,sold,cancelled"
-                                style="min-width: 300px;" />
+
                         </div>
                     </div>
                     <group>
diff --git a/estate_gasa/views/estate_tag_views.xml b/estate_gasa/views/estate_tag_views.xml

Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
	`1`	`+# License LGPL-3`
`1`	`2`	`from . import models`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+# License LGPL-3`
`1`	`2`	`from . import estate`
`2`	`3`	`from . import estate_property_type`
`3`	`4`	`from . import estate_property_tag`