[FIX] dms: fix access rules for beter security

kobros-tech · kobros-tech · commit fb37d63b9322 · 2025-03-25T03:37:32.000+03:00
diff --git a/dms/controllers/portal.py b/dms/controllers/portal.py
@@ -177,6 +177,11 @@ def _get_files(self, access_token, dms_directory_id, search, search_in, sort_br)
         file_domain = [
             ("is_hidden", "=", False),
             ("directory_id", "=", dms_directory_id),
+            (
+                "message_partner_ids",
+                "child_of",
+                [request.env.user.commercial_partner_id.id],
+            ),
         ]
         # search
         if search and search_in == "name":
@@ -206,7 +211,15 @@ def _get_directories(
         :rtype: tuple[odoo.model.dms_directory, bool|odoo.model.dms_directory]
         """
         # domain
-        domain = [("is_hidden", "=", False), ("parent_id", "=", dms_directory_id)]
+        domain = [
+            ("is_hidden", "=", False),
+            ("parent_id", "=", dms_directory_id),
+            (
+                "file_ids.message_partner_ids",
+                "child_of",
+                [request.env.user.commercial_partner_id.id],
+            ),
+        ]
         # search
         if search and search_in:
             domain.append(("name", "ilike", search))
diff --git a/dms/security/ir.model.access.csv b/dms/security/ir.model.access.csv
@@ -8,17 +8,14 @@ access_dms_storage_portal,dms_storage_portal,model_dms_storage,base.group_portal
 access_dms_storage_user,dms_storage_user,model_dms_storage,group_dms_user,1,0,0,0
 access_dms_storage_manager,dms_storage_manager,model_dms_storage,group_dms_manager,1,1,1,1
 
-access_dms_directory_public,dms_directory_public,model_dms_directory,base.group_public,1,0,0,0
 access_dms_directory_portal,dms_directory_portal,model_dms_directory,base.group_portal,1,0,0,0
 access_dms_directory_base_user,dms_directory_base_user,model_dms_directory,base.group_user,1,0,0,0
 access_dms_directory_user,dms_directory_user,model_dms_directory,group_dms_user,1,1,1,1
 
-access_dms_file_public,dms_file_public,model_dms_file,base.group_public,1,0,0,0
 access_dms_file_portal,dms_file_portal,model_dms_file,base.group_portal,1,0,0,0
 access_dms_file_base_user,dms_file_base_user,model_dms_file,base.group_user,1,0,0,0
 access_dms_file_user,dms_file_user,model_dms_file,group_dms_user,1,1,1,1
 
-access_dms_access_group_public,access_dms_access_group_public,model_dms_access_group,base.group_public,1,0,0,0
 access_dms_access_group_portal,access_dms_access_group_portal,model_dms_access_group,base.group_portal,1,0,0,0
 access_security_access_groups_user,access_security_access_groups_user,model_dms_access_group,base.group_user,1,0,0,0
 access_security_access_groups_dms_user,access_security_access_groups_dms_user,model_dms_access_group,group_dms_user,1,1,1,1
diff --git a/dms/security/security.xml b/dms/security/security.xml
@@ -15,7 +15,7 @@
     <record id="group_dms_user" model="res.groups">
         <field name="name">User</field>
         <field name="category_id" ref="category_dms_security" />
-        <field name="implied_ids" eval="[(4, ref('base.group_user'))]" />
+        <field name="implied_ids" eval="[(4, ref('base.group_erp_manager'))]" />
     </record>
     <record id="group_dms_manager" model="res.groups">
         <field name="name">Manager</field>
@@ -45,7 +45,8 @@
     <record id="rule_multi_company_file" model="ir.rule">
         <field name="name">File multi-company</field>
         <field name="model_id" ref="model_dms_file" />
-        <field name="global" eval="True" />
+        <field name="global" eval="False" />
+        <field name="groups" eval="[(4, ref('group_dms_user'))]" />
         <field
             name="domain_force"
         >['|',('company_id','=',False),('company_id','in',company_ids)]</field>
@@ -121,7 +122,8 @@
     <record id="rule_directory_computed_read" model="ir.rule">
         <field name="name">Apply computed read permissions.</field>
         <field name="model_id" ref="model_dms_directory" />
-        <field name="global" eval="True" />
+        <field name="global" eval="False" />
+        <field name="groups" eval="[(4, ref('group_dms_user'))]" />
         <field name="perm_read" eval="1" />
         <field name="perm_create" eval="0" />
         <field name="perm_write" eval="0" />
@@ -148,6 +150,22 @@
         <field name="perm_unlink" eval="0" />
         <field name="domain_force">[('permission_write', '=', True)]</field>
     </record>
+    <!-- Portal/Base Users Access Rules -->
+    <record id="portal_rule_directory_computed_read" model="ir.rule">
+        <field name="name">Portal Personal Directories Read</field>
+        <field name="model_id" ref="model_dms_directory" />
+        <field
+            name="domain_force"
+        >[('file_ids.message_partner_ids','child_of',[user.commercial_partner_id.id])]</field>
+        <field
+            name="groups"
+            eval="[Command.link(ref('base.group_portal')), Command.link(ref('base.group_user'))]"
+        />
+        <field name="perm_unlink" eval="False" />
+        <field name="perm_write" eval="False" />
+        <field name="perm_read" eval="True" />
+        <field name="perm_create" eval="False" />
+    </record>
     <record id="rule_file_computed_create" model="ir.rule">
         <field name="name">Apply computed create permissions.</field>
         <field name="model_id" ref="model_dms_file" />
@@ -161,7 +179,8 @@
     <record id="rule_file_computed_read" model="ir.rule">
         <field name="name">Apply computed read permissions.</field>
         <field name="model_id" ref="model_dms_file" />
-        <field name="global" eval="True" />
+        <field name="global" eval="False" />
+        <field name="groups" eval="[(4, ref('group_dms_user'))]" />
         <field name="perm_read" eval="1" />
         <field name="perm_create" eval="0" />
         <field name="perm_write" eval="0" />
@@ -188,4 +207,21 @@
         <field name="perm_unlink" eval="0" />
         <field name="domain_force">[('permission_write', '=', True)]</field>
     </record>
+    <!-- Portal/Base Users Access Rules -->
+    <record id="portal_rule_file_computed_read" model="ir.rule">
+        <field name="name">Portal Personal Files Read</field>
+        <field name="model_id" ref="model_dms_file" />
+        <field name="global" eval="False" />
+        <field
+            name="domain_force"
+        >[('message_partner_ids','child_of',[user.commercial_partner_id.id])]</field>
+        <field
+            name="groups"
+            eval="[Command.link(ref('base.group_portal')), Command.link(ref('base.group_user'))]"
+        />
+        <field name="perm_unlink" eval="False" />
+        <field name="perm_write" eval="False" />
+        <field name="perm_read" eval="True" />
+        <field name="perm_create" eval="False" />
+    </record>
 </odoo>
diff --git a/dms/tests/test_portal.py b/dms/tests/test_portal.py
@@ -46,7 +46,17 @@ def test_access_portal(self):
         )
 
     def test_tour(self):
-        # self.portal_user.groups_id = self.env.ref("dms.group_dms_user")
+        file_id = self.env.ref("dms.file_11_demo")
+        follower = self.env["mail.followers"].create(
+            {
+                "res_model": "dms.file",
+                "res_id": file_id.id,
+                "partner_id": self.portal_user.partner_id.id,
+                "is_active": True,
+            }
+        )
+
+        file_id.message_follower_ids = follower
         for tour in ("dms_portal_mail_tour", "dms_portal_partners_tour"):
             with self.subTest(tour=tour):
                 self.start_tour("/my", tour, login="portal")
