196 lines
8.0 KiB
Python
196 lines
8.0 KiB
Python
# -*- coding: utf-8 -*-
|
|
# Part of Odoo. See LICENSE file for full copyright and licensing details.
|
|
|
|
from odoo.exceptions import AccessError, ValidationError
|
|
from odoo.tests.common import TransactionCase
|
|
from odoo.tools import mute_logger
|
|
from odoo import Command
|
|
|
|
|
|
class TestRules(TransactionCase):
|
|
@classmethod
|
|
def setUpClass(cls):
|
|
super().setUpClass()
|
|
|
|
ObjCateg = cls.env['test_access_right.obj_categ']
|
|
SomeObj = cls.env['test_access_right.some_obj']
|
|
cls.categ = ObjCateg.create({'name': 'Food'})
|
|
cls.allowed = SomeObj.create({'val': 1, 'categ_id': cls.categ.id})
|
|
cls.forbidden = SomeObj.create({'val': -1, 'categ_id': cls.categ.id})
|
|
# create a global rule forbidding access to records with a negative
|
|
# (or zero) val
|
|
cls.env['ir.rule'].create({
|
|
'name': 'Forbid negatives',
|
|
'model_id': cls.env.ref('test_access_rights.model_test_access_right_some_obj').id,
|
|
'domain_force': "[('val', '>', 0)]"
|
|
})
|
|
# create a global rule that forbid access to records without
|
|
# categories, the search is part of the test
|
|
cls.env['ir.rule'].create({
|
|
'name': 'See all categories',
|
|
'model_id': cls.env.ref('test_access_rights.model_test_access_right_some_obj').id,
|
|
'domain_force': "[('categ_id', 'in', user.env['test_access_right.obj_categ'].search([]).ids)]"
|
|
})
|
|
|
|
@mute_logger('odoo.addons.base.models.ir_rule')
|
|
def test_basic_access(self):
|
|
env = self.env(user=self.env.ref('base.public_user'))
|
|
allowed = self.allowed.with_env(env)
|
|
forbidden = self.forbidden.with_env(env)
|
|
|
|
# this one should not blow up
|
|
self.assertEqual(allowed.val, 1)
|
|
|
|
# but this one should
|
|
allowed.invalidate_model(['val'])
|
|
with self.assertRaises(AccessError):
|
|
self.assertEqual(forbidden.val, -1)
|
|
|
|
@mute_logger('odoo.addons.base.models.ir_rule')
|
|
def test_group_rule(self):
|
|
env = self.env(user=self.env.ref('base.public_user'))
|
|
allowed = self.allowed.with_env(env)
|
|
forbidden = self.forbidden.with_env(env)
|
|
|
|
# we forbid access to the public group, to which the public user belongs
|
|
self.env['ir.rule'].create({
|
|
'name': 'Forbid public group',
|
|
'model_id': self.env.ref('test_access_rights.model_test_access_right_some_obj').id,
|
|
'groups': [Command.set([self.env.ref('base.group_public').id])],
|
|
'domain_force': "[(0, '=', 1)]"
|
|
})
|
|
|
|
# everything should blow up
|
|
(allowed + forbidden).invalidate_model(['val'])
|
|
with self.assertRaises(AccessError):
|
|
self.assertEqual(forbidden.val, -1)
|
|
with self.assertRaises(AccessError):
|
|
self.assertEqual(allowed.val, 1)
|
|
|
|
def test_many2many(self):
|
|
""" Test assignment of many2many field where rules apply. """
|
|
ids = [self.allowed.id, self.forbidden.id]
|
|
|
|
# create container as superuser, connected to all some_objs
|
|
container_admin = self.env['test_access_right.container'].create({'some_ids': [Command.set(ids)]})
|
|
self.assertItemsEqual(container_admin.some_ids.ids, ids)
|
|
|
|
# check the container as the public user
|
|
container_user = container_admin.with_user(self.env.ref('base.public_user'))
|
|
container_user.invalidate_model(['some_ids'])
|
|
self.assertItemsEqual(container_user.some_ids.ids, [self.allowed.id])
|
|
|
|
# this should not fail
|
|
container_user.write({'some_ids': [Command.set(ids)]})
|
|
container_user.invalidate_model(['some_ids'])
|
|
self.assertItemsEqual(container_user.some_ids.ids, [self.allowed.id])
|
|
container_admin.invalidate_model(['some_ids'])
|
|
self.assertItemsEqual(container_admin.some_ids.ids, ids)
|
|
|
|
# this removes all records
|
|
container_user.write({'some_ids': [Command.clear()]})
|
|
container_user.invalidate_model(['some_ids'])
|
|
self.assertItemsEqual(container_user.some_ids.ids, [])
|
|
container_admin.invalidate_model(['some_ids'])
|
|
self.assertItemsEqual(container_admin.some_ids.ids, [])
|
|
|
|
def test_access_rule_performance(self):
|
|
env = self.env(user=self.env.ref('base.public_user'))
|
|
Model = env['test_access_right.some_obj']
|
|
# cache warmup for check() in 'ir.model.access'
|
|
Model.check_access('read')
|
|
with self.assertQueryCount(0):
|
|
Model._filtered_access('read')
|
|
|
|
def test_no_context_in_ir_rules(self):
|
|
""" The context should not impact the ir rules. """
|
|
ObjCateg = self.env['test_access_right.obj_categ']
|
|
SomeObj = self.env['test_access_right.some_obj']
|
|
|
|
# validate the effect of context on category search, there are
|
|
# no existing media category
|
|
self.assertTrue(ObjCateg.search([]))
|
|
self.assertFalse(ObjCateg.with_context(only_media=True).search([]))
|
|
|
|
# record1 is food and is accessible with an empy context
|
|
self.env.registry.clear_cache()
|
|
records = SomeObj.search([('id', '=', self.allowed.id)])
|
|
self.assertTrue(records)
|
|
|
|
# it should also be accessible as the context is not used when
|
|
# searching for SomeObjs
|
|
self.env.registry.clear_cache()
|
|
records = SomeObj.with_context(only_media=True).search([('id', '=', self.allowed.id)])
|
|
self.assertTrue(records)
|
|
|
|
def test_check_access_rule_with_inherits(self):
|
|
"""
|
|
For models in `_inherits`, verify that both methods `check_access`
|
|
and `_apply_ir_rules` check the rules from parent models.
|
|
"""
|
|
ChildModel = self.env['test_access_right.inherits']
|
|
allowed_child, __ = children = ChildModel.create([
|
|
{'some_id': self.allowed.id}, {'some_id': self.forbidden.id},
|
|
])
|
|
|
|
user = self.env.ref('base.public_user')
|
|
search_result = children.with_user(user).search([('id', 'in', children.ids)], order='id')
|
|
filter_result = children.with_user(user)._filtered_access('read')
|
|
|
|
self.assertEqual(search_result, allowed_child)
|
|
self.assertEqual(filter_result, allowed_child)
|
|
|
|
def test_flush_search_with_inherits(self):
|
|
"""
|
|
For models with `_inherits`, verify that method `_flush_search` takes in
|
|
account the rules from inherited models, as method `_search` does.
|
|
"""
|
|
ChildModel = self.env['test_access_right.inherits']
|
|
child = ChildModel.create([{'some_id': self.allowed.id}])
|
|
self.env.flush_all()
|
|
|
|
self.env['ir.rule'].create({
|
|
'name': 'Forbid 0 value',
|
|
'model_id': self.env['ir.model']._get('test_access_right.some_obj').id,
|
|
'domain_force': str([('val', '!=', 0)]),
|
|
})
|
|
|
|
user = self.env.ref('base.public_user')
|
|
|
|
# the parent record is accessible, so is the child record
|
|
search_result = ChildModel.with_user(user).search([('id', '=', child.id)], order='id')
|
|
self.assertEqual(search_result, child)
|
|
|
|
# make the parent record inaccessible, and verify that the child record
|
|
# becomes inaccessible, too
|
|
self.allowed.val = 0
|
|
search_result = ChildModel.with_user(user).search([('id', '=', child.id)], order='id')
|
|
self.assertEqual(search_result, ChildModel)
|
|
|
|
def test_domain_constrains(self):
|
|
""" An error should be raised if domain is not correct """
|
|
|
|
rule = self.env['ir.rule'].create({
|
|
'name': 'Test record rule',
|
|
'model_id': self.env.ref('test_access_rights.model_test_access_right_some_obj').id,
|
|
'domain_force': [],
|
|
})
|
|
invalid_domains = [
|
|
'A really bad domain!',
|
|
[(1, '!=', 1)],
|
|
[('non_existing_field', '=', 'value')],
|
|
]
|
|
|
|
for domain in invalid_domains:
|
|
with self.assertRaisesRegex(ValidationError, 'Invalid domain'):
|
|
rule.domain_force = domain
|
|
|
|
valid_domains = [
|
|
False,
|
|
[(1, '=', 1)],
|
|
[('val', '=', 12)],
|
|
]
|
|
for domain in valid_domains:
|
|
# no error is raised
|
|
rule.domain_force = domain
|