[12.0][add] New decorator @api.allowed_groups

decorator_allowed_groups/README.rst

@@ -0,0 +1,4 @@
+==========================
+Decorator - Allowed Groups
+==========================
+

decorator_allowed_groups/__init__.py

@@ -0,0 +1 @@
+from . import models

decorator_allowed_groups/__manifest__.py

@@ -0,0 +1,17 @@
+# Copyright (C) 2021-Today: GRAP (<http://www.grap.coop/>)
+# @author: Sylvain LE GAL (https://twitter.com/legalsylvain)
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl.html).
+
+{
+    'name': "Decorator - Allowed Groups",
+    'summary': "Decorator that checks if user belong to given groups",
+    'author': 'GRAP, Odoo Community Association (OCA)',
+    'website': "https://github.com/OCA/server-tools/",
+    'category': 'Technical',
+    'version': '12.0.1.0.0',
+    'license': 'AGPL-3',
+    'depends': [
+        'base',
+    ],
+    'installable': True
+}

decorator_allowed_groups/i18n/fr.po

@@ -0,0 +1,30 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+#   * decorator_allowed_groups
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 12.0\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2021-02-19 07:52+0000\n"
+"PO-Revision-Date: 2021-02-19 07:52+0000\n"
+"Last-Translator: <>\n"
+"Language-Team: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: \n"
+
+#. module: decorator_allowed_groups
+#: code:addons/decorator_allowed_groups/models/decorator.py:45
+#, python-format
+msgid "To execute the function {}, you should be member of one of the following groups:\n"
+" {}"
+msgstr "Pour executer cette fonction {}, vous devez être membre de l'un des groupes suivants:\n"
+" {}"
+
+#. module: decorator_allowed_groups
+#: model:ir.model,name:decorator_allowed_groups.model_ir_ui_view
+msgid "View"
+msgstr "Vue"
+

decorator_allowed_groups/models/__init__.py

@@ -0,0 +1,2 @@
+from . import decorator
+from . import ir_ui_view

decorator_allowed_groups/models/decorator.py

@@ -0,0 +1,53 @@
+# Copyright (C) 2021-Today: GRAP (<http://www.grap.coop/>)
+# @author: Sylvain LE GAL (https://twitter.com/legalsylvain)
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl.html).
+
+from odoo import _, api
+from odoo.exceptions import AccessError
+
+
+def allowed_groups(*group_xml_ids):
+    """ Return a decorator that specifies group(s)
+        to which the user must belong in order to perform
+        this function.
+        - if the user does not belong to any group,
+        an AccessError will be raised if the function is called.
+        - Also in the generated views, the according button
+        will be hidden if the user doesn't belong to the group(s).
+
+            @api.allowed_groups(
+                "purchase.group_purchase_manager",
+                "sale.group_sale_manager"
+            )
+            def my_secure_action(self):
+                pass
+    """
+
+    def decorator(method):
+        def secure_method(*args, **kwargs):
+            _self = args[0]
+            # Check if current user is member of correct groups
+            if any([
+                _self.env.user.has_group(group_xml_id)
+                for group_xml_id in group_xml_ids
+            ]):
+                # If it's OK, return the original method
+                return method(*args, **kwargs)
+            else:
+                # If it's KO, raise an error.
+                # We raise a technical message (with function name
+                # and xml_ids of the groups, because this message
+                # will be raised only in XML-RPC call.
+                raise AccessError(_(
+                    "To execute the function {}, you should be member"
+                    " of one of the following groups:\n {}".format(
+                        method,
+                        ', '.join(group_xml_ids))
+                ))
+        setattr(secure_method, "_allowed_groups", group_xml_ids)
+        return secure_method
+
+    return decorator
+
+
+api.allowed_groups = allowed_groups

decorator_allowed_groups/models/ir_ui_view.py

@@ -0,0 +1,20 @@
+# Copyright (C) 2021-Today: GRAP (<http://www.grap.coop/>)
+# @author: Sylvain LE GAL (https://twitter.com/legalsylvain)
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl.html).
+
+from odoo import api, models
+
+
+class IrUiView(models.Model):
+    _inherit = "ir.ui.view"
+
+    @api.model
+    def postprocess(self, model, node, view_id, in_tree_view, model_fields):
+        if node.tag == "button" and node.get("name", False):
+            func = getattr(self.env[model], node.get("name"), False)
+            if func:
+                group_xml_ids = getattr(func, "_allowed_groups", False)
+                if group_xml_ids:
+                    node.set("groups", ",".join(group_xml_ids))
+        return super().postprocess(
+            model, node, view_id, in_tree_view, model_fields)

decorator_allowed_groups/readme/CONTRIBUTORS.rst

@@ -0,0 +1 @@
+* Sylvain LE GAL (https://twitter.com/legalsylvain)

decorator_allowed_groups/readme/DESCRIPTION.rst

@@ -0,0 +1,18 @@
+This module is a technical module for developpers.
+
+It adds a new decorator, named ``@api.allowed_groups``.
+
+- When the function is executed, it checks if the user belong to one of the given groups.
+
+- It also adds automatically group(s) in the according form views to hide
+  buttons if the user doesn't belong to one of the given groups.
+
+Interests
+---------
+
+It makes the application more secure and more concise, the developer only has to write the accreditation level in one place, instead of writing it twice (once in the XML view, and the other time in the python code)
+
+In Odoo, there are many places where an action is hidden in the Form view, but the function can be called in particular by XML-RPC calls, that makes a lot a security issue, included
+in recent version.
+
+Ref : https://github.com/odoo/odoo/pull/66505

decorator_allowed_groups/readme/ROADMAP.rst

@@ -0,0 +1 @@
+* Write tests.

decorator_allowed_groups/readme/USAGE.rst

@@ -0,0 +1,56 @@
+Once installed, the following code:
+
+.. code-block:: xml
+
+    <button type="object" name="my_action" groups="purchase.group_purchase_manager"/>
+
+.. code-block:: python
+
+    def my_action(self):
+        if not self.env.user.has_group("purchase.group_purchase_manager"):
+            raise AccessError(_("Some Error"))
+        pass
+
+can be replaced by:
+
+.. code-block:: xml
+
+    <button type="object" name="my_action"/>
+
+.. code-block:: python
+
+    @api.allowed_groups("purchase.group_purchase_manager")
+    def my_action(self):
+        pass
+
+
+Note
+----
+
+- it is possible to list many groups. In that case, the action will be allowed
+  if the user belong to at least one group.
+
+.. code-block:: python
+
+    @api.allowed_groups("purchase.group_purchase_manager", "sale.group_sale_manager")
+    def my_action(self):
+        pass
+
+- it is possible to change accreditation level in custom module.
+
+For exemple, if a module define a function like this:
+
+.. code-block:: python
+
+    @api.allowed_groups("purchase.group_purchase_manager")
+    def my_action(self):
+        pass
+
+Another module that depends on the first module can redefine the accreditation
+level by writing.
+
+.. code-block:: python
+
+    @api.allowed_groups("purchase.group_purchase_user")
+    def my_action(self):
+        return super().my_action()