261 lines
13 KiB
Python
261 lines
13 KiB
Python
# -*- coding: utf-8 -*-
|
|
# Part of Odoo. See LICENSE file for full copyright and licensing details.
|
|
|
|
from collections import OrderedDict
|
|
from itertools import chain
|
|
from lxml import etree
|
|
|
|
from odoo.addons.hr.tests.common import TestHrCommon
|
|
from odoo.tests import new_test_user, tagged, Form
|
|
from odoo.exceptions import AccessError
|
|
|
|
@tagged('post_install', '-at_install')
|
|
class TestSelfAccessProfile(TestHrCommon):
|
|
|
|
def test_access_my_profile(self):
|
|
""" A simple user should be able to read all fields in his profile """
|
|
james = new_test_user(self.env, login='hel', groups='base.group_user', name='Simple employee', email='ric@example.com')
|
|
james = james.with_user(james)
|
|
self.env['hr.employee'].create({
|
|
'name': 'James',
|
|
'user_id': james.id,
|
|
'bank_account_id': self.env['res.partner.bank'].create({'acc_number': 'BE1234567890', 'partner_id': james.partner_id.id}).id
|
|
})
|
|
view = self.env.ref('hr.res_users_view_form_profile')
|
|
view_infos = james.get_view(view.id)
|
|
fields = [el.get('name') for el in etree.fromstring(view_infos['arch']).xpath('//field[not(ancestor::field)]')]
|
|
james.read(fields)
|
|
|
|
def test_readonly_fields(self):
|
|
""" Employee related fields should be readonly if self editing is not allowed """
|
|
self.env['ir.config_parameter'].sudo().set_param('hr.hr_employee_self_edit', False)
|
|
james = new_test_user(self.env, login='hel', groups='base.group_user', name='Simple employee', email='ric@example.com')
|
|
james = james.with_user(james)
|
|
self.env['hr.employee'].create({
|
|
'name': 'James',
|
|
'user_id': james.id,
|
|
})
|
|
|
|
view = self.env.ref('hr.res_users_view_form_profile')
|
|
fields = james._fields
|
|
view_infos = james.get_view(view.id)
|
|
employee_related_fields = {
|
|
el.get('name')
|
|
for el in etree.fromstring(view_infos['arch']).xpath('//field[not(ancestor::field)]')
|
|
if fields[el.get('name')].related and fields[el.get('name')].related.split('.')[0] == 'employee_id'
|
|
}
|
|
|
|
form = Form(james, view=view)
|
|
for field in employee_related_fields:
|
|
with self.assertRaises(AssertionError, msg="Field '%s' should be readonly in the employee profile when self editing is not allowed." % field):
|
|
form.__setattr__(field, 'some value')
|
|
|
|
|
|
def test_profile_view_fields(self):
|
|
""" A simple user should see all fields in profile view, even if they are protected by groups """
|
|
view = self.env.ref('hr.res_users_view_form_profile')
|
|
|
|
# For reference, check the view with user with every groups protecting user fields
|
|
all_groups_xml_ids = chain(*[
|
|
field.groups.split(',')
|
|
for field in self.env['res.users']._fields.values()
|
|
if field.groups
|
|
if field.groups != '.' # "no-access" group on purpose
|
|
])
|
|
all_groups = self.env['res.groups']
|
|
for xml_id in all_groups_xml_ids:
|
|
all_groups |= self.env.ref(xml_id.strip())
|
|
user_all_groups = new_test_user(self.env, groups='base.group_user', login='hel', name='God')
|
|
user_all_groups.write({'groups_id': [(4, group.id, False) for group in all_groups]})
|
|
view_infos = self.env['res.users'].with_user(user_all_groups).get_view(view.id)
|
|
full_fields = [el.get('name') for el in etree.fromstring(view_infos['arch']).xpath('//field[not(ancestor::field)]')]
|
|
|
|
# Now check the view for a simple user
|
|
user = new_test_user(self.env, login='gro', name='Grouillot')
|
|
view_infos = self.env['res.users'].with_user(user).get_view(view.id)
|
|
fields = [el.get('name') for el in etree.fromstring(view_infos['arch']).xpath('//field[not(ancestor::field)]')]
|
|
|
|
# Compare both
|
|
self.assertEqual(full_fields, fields, "View fields should not depend on user's groups")
|
|
|
|
def test_access_my_profile_toolbar(self):
|
|
""" A simple user shouldn't have the possibilities to see the 'Change Password' action"""
|
|
james = new_test_user(self.env, login='jam', groups='base.group_user', name='Simple employee', email='jam@example.com')
|
|
james = james.with_user(james)
|
|
self.env['hr.employee'].create({
|
|
'name': 'James',
|
|
'user_id': james.id,
|
|
})
|
|
view = self.env.ref('hr.res_users_view_form_profile')
|
|
available_actions = james.get_views([(view.id, 'form')], {'toolbar': True})['views']['form']['toolbar']['action']
|
|
change_password_action = self.env.ref("base.change_password_wizard_action")
|
|
|
|
self.assertFalse(any(x['id'] == change_password_action.id for x in available_actions))
|
|
|
|
# An ERP manager should have the possibilities to see the 'Change Password'
|
|
john = new_test_user(self.env, login='joh', groups='base.group_erp_manager', name='ERP Manager', email='joh@example.com')
|
|
john = john.with_user(john)
|
|
self.env['hr.employee'].create({
|
|
'name': 'John',
|
|
'user_id': john.id,
|
|
})
|
|
view = self.env.ref('hr.res_users_view_form_profile')
|
|
available_actions = john.get_views([(view.id, 'form')], {'toolbar': True})['views']['form']['toolbar']['action']
|
|
self.assertTrue(any(x['id'] == change_password_action.id for x in available_actions))
|
|
|
|
def test_employee_fields_groups(self):
|
|
# Note: If this tests is crashing, this is probably because the linked field on the error
|
|
# message is defined on hr.employee only (and not on hr.employee.public) and has no group
|
|
# defined on it (at least hr.group_hr_user).
|
|
internal_user = new_test_user(self.env, login='mireille', groups='base.group_user', name='Mireille', email='mireille@example.com')
|
|
self.env['hr.employee'].with_user(internal_user).search([]).read([])
|
|
|
|
class TestSelfAccessRights(TestHrCommon):
|
|
|
|
@classmethod
|
|
def setUpClass(cls):
|
|
super(TestSelfAccessRights, cls).setUpClass()
|
|
cls.richard = new_test_user(cls.env, login='ric', groups='base.group_user', name='Simple employee', email='ric@example.com')
|
|
cls.richard_emp = cls.env['hr.employee'].create({
|
|
'name': 'Richard',
|
|
'user_id': cls.richard.id,
|
|
'private_phone': '21454',
|
|
})
|
|
cls.hubert = new_test_user(cls.env, login='hub', groups='base.group_user', name='Simple employee', email='hub@example.com')
|
|
cls.hubert_emp = cls.env['hr.employee'].create({
|
|
'name': 'Hubert',
|
|
'user_id': cls.hubert.id,
|
|
})
|
|
|
|
cls.protected_fields_emp = OrderedDict([(k, v) for k, v in cls.env['hr.employee']._fields.items() if v.groups == 'hr.group_hr_user'])
|
|
# Compute fields and id field are always readable by everyone
|
|
cls.read_protected_fields_emp = OrderedDict([(k, v) for k, v in cls.env['hr.employee']._fields.items() if not v.compute and k != 'id'])
|
|
cls.self_protected_fields_user = OrderedDict([
|
|
(k, v)
|
|
for k, v in cls.env['res.users']._fields.items()
|
|
if v.groups == 'hr.group_hr_user' and k in cls.env['res.users'].SELF_READABLE_FIELDS
|
|
])
|
|
|
|
# Read hr.employee #
|
|
def testReadSelfEmployee(self):
|
|
with self.assertRaises(AccessError):
|
|
self.hubert_emp.with_user(self.richard).read(self.protected_fields_emp.keys())
|
|
|
|
def testReadOtherEmployee(self):
|
|
with self.assertRaises(AccessError):
|
|
self.hubert_emp.with_user(self.richard).read(self.protected_fields_emp.keys())
|
|
|
|
# Write hr.employee #
|
|
def testWriteSelfEmployee(self):
|
|
for f in self.protected_fields_emp:
|
|
with self.assertRaises(AccessError):
|
|
self.richard_emp.with_user(self.richard).write({f: 'dummy'})
|
|
|
|
def testWriteOtherEmployee(self):
|
|
for f in self.protected_fields_emp:
|
|
with self.assertRaises(AccessError):
|
|
self.hubert_emp.with_user(self.richard).write({f: 'dummy'})
|
|
|
|
# Read res.users #
|
|
def testReadSelfUserEmployee(self):
|
|
for f in self.self_protected_fields_user:
|
|
self.richard.with_user(self.richard).read([f]) # should not raise
|
|
|
|
def testReadOtherUserEmployee(self):
|
|
with self.assertRaises(AccessError):
|
|
self.hubert.with_user(self.richard).read(self.self_protected_fields_user)
|
|
|
|
# Write res.users #
|
|
def testWriteSelfUserEmployeeSettingFalse(self):
|
|
for f, v in self.self_protected_fields_user.items():
|
|
with self.assertRaises(AccessError):
|
|
self.richard.with_user(self.richard).write({f: 'dummy'})
|
|
|
|
def testWriteSelfUserEmployee(self):
|
|
self.env['ir.config_parameter'].set_param('hr.hr_employee_self_edit', True)
|
|
for f, v in self.self_protected_fields_user.items():
|
|
val = None
|
|
if v.type == 'char' or v.type == 'text':
|
|
val = '0000' if f in ['pin', 'barcode'] else 'dummy'
|
|
if val is not None:
|
|
self.richard.with_user(self.richard).write({f: val})
|
|
|
|
def testWriteSelfUserPreferencesEmployee(self):
|
|
# self should always be able to update non hr.employee fields if
|
|
# they are in SELF_READABLE_FIELDS
|
|
self.env['ir.config_parameter'].set_param('hr.hr_employee_self_edit', False)
|
|
# should not raise
|
|
vals = [
|
|
{'tz': "Australia/Sydney"},
|
|
{'email': "new@example.com"},
|
|
{'signature': "<p>I'm Richard!</p>"},
|
|
{'notification_type': "email"},
|
|
]
|
|
for v in vals:
|
|
# should not raise
|
|
self.richard.with_user(self.richard).write(v)
|
|
|
|
def testWriteOtherUserPreferencesEmployee(self):
|
|
# self should always be able to update non hr.employee fields if
|
|
# they are in SELF_READABLE_FIELDS
|
|
self.env['ir.config_parameter'].set_param('hr.hr_employee_self_edit', False)
|
|
vals = [
|
|
{'tz': "Australia/Sydney"},
|
|
{'email': "new@example.com"},
|
|
{'signature': "<p>I'm Richard!</p>"},
|
|
{'notification_type': "email"},
|
|
]
|
|
for v in vals:
|
|
with self.assertRaises(AccessError):
|
|
self.hubert.with_user(self.richard).write(v)
|
|
|
|
def testWriteSelfPhoneEmployee(self):
|
|
# phone is a related from res.partner (from base) but added in SELF_READABLE_FIELDS
|
|
self.env['ir.config_parameter'].set_param('hr.hr_employee_self_edit', False)
|
|
with self.assertRaises(AccessError):
|
|
self.richard.with_user(self.richard).write({'phone': '2154545'})
|
|
|
|
def testWriteOtherUserEmployee(self):
|
|
for f in self.self_protected_fields_user:
|
|
with self.assertRaises(AccessError):
|
|
self.hubert.with_user(self.richard).write({f: 'dummy'})
|
|
|
|
def testSearchUserEMployee(self):
|
|
# Searching user based on employee_id field should not raise bad query error
|
|
self.env['res.users'].with_user(self.richard).search([('employee_id', 'ilike', 'Hubert')])
|
|
|
|
def test_onchange_readable_fields_with_no_access(self):
|
|
"""
|
|
The purpose is to test that the onchange logic takes into account `SELF_READABLE_FIELDS`.
|
|
|
|
The view contains fields that are in `SELF_READABLE_FIELDS` (example: `private_street`).
|
|
Even if the user does not have read access to the employee,
|
|
it should not cause an access error if these fields are in `SELF_READABLE_FIELDS`.
|
|
"""
|
|
self.env['res.lang']._activate_lang("fr_FR")
|
|
with Form(self.richard.with_user(self.richard), view='hr.res_users_view_form_profile') as form:
|
|
# triggering an onchange should not trigger some access error
|
|
form.lang = "fr_FR"
|
|
form.tz = "Europe/Brussels"
|
|
|
|
def test_access_employee_account(self):
|
|
hubert = new_test_user(self.env, login='hubert', groups='base.group_user', name='Hubert Bonisseur de La Bath', email='hubert@oss.fr')
|
|
hubert = hubert.with_user(hubert)
|
|
hubert_acc = self.env['res.partner.bank'].create({'acc_number': 'FR1234567890', 'partner_id': hubert.partner_id.id})
|
|
hubert_emp = self.env['hr.employee'].create({
|
|
'name': 'Hubert',
|
|
'user_id': hubert.id,
|
|
'bank_account_id': hubert_acc.id
|
|
})
|
|
hubert.partner_id.sudo().employee_ids = hubert_emp
|
|
|
|
self.assertFalse(hubert.env.user.has_group('hr.group_hr_user'))
|
|
self.assertFalse(hubert.env.su)
|
|
|
|
self.assertEqual(hubert.read(['employee_bank_account_id'])[0]['employee_bank_account_id'][1], 'FR******7890')
|
|
self.assertEqual(hubert.sudo().employee_bank_account_id.display_name, 'FR******7890')
|
|
self.assertEqual(hubert_emp.with_user(hubert).sudo().bank_account_id.display_name, 'FR******7890')
|
|
|
|
hubert_acc.invalidate_recordset(["display_name"])
|
|
self.assertEqual(hubert_emp.with_user(hubert).sudo().bank_account_id.sudo(False).display_name, 'FR******7890')
|