From 16c6c0f49297e4275bdd72826dd9f1d1af5c5d62 Mon Sep 17 00:00:00 2001 From: Raphael Collet Date: Mon, 2 Sep 2024 13:40:43 +0200 Subject: [PATCH] [IMP] *: adapt to the new check_access API closes odoo/documentation#10991 Related: odoo/odoo#179148 Related: odoo/enterprise#69425 Signed-off-by: Raphael Collet --- .../reference/backend/orm/changelog.rst | 3 +++ content/developer/reference/external_api.rst | 25 +++++++++---------- .../tutorials/restrict_data_access.rst | 18 +++++-------- 3 files changed, 21 insertions(+), 25 deletions(-) diff --git a/content/developer/reference/backend/orm/changelog.rst b/content/developer/reference/backend/orm/changelog.rst index d2991d6af..4c13a10f4 100644 --- a/content/developer/reference/backend/orm/changelog.rst +++ b/content/developer/reference/backend/orm/changelog.rst @@ -9,6 +9,9 @@ Odoo version 18.0 - Searching by name is now implemented as `_search_display_name` like all other fields. See `#174967 `_. +- New methods to check access rights and rules now combine both access rights + and rules: `check_access`, `has_access` and `_filtered_access`. + See `#179148 `_. Odoo Online version 17.4 diff --git a/content/developer/reference/external_api.rst b/content/developer/reference/external_api.rst index ed356ad34..ba37db0ce 100644 --- a/content/developer/reference/external_api.rst +++ b/content/developer/reference/external_api.rst 
@@ -324,27 +324,26 @@ Each call to ``execute_kw`` takes the following parameters: .. example:: - For instance, to see if we can read the ``res.partner`` model, we can call - ``check_access_rights`` with ``operation`` passed by position and - ``raise_exception`` passed by keyword (in order to get a true/false result - rather than true/error): + For instance, to search for records in the ``res.partner`` model, we can call + ``name_search`` with ``name`` passed by position and ``limit`` passed by + keyword (in order to get maximum 10 results): .. tabs:: .. code-tab:: python models = xmlrpc.client.ServerProxy('{}/xmlrpc/2/object'.format(url)) - models.execute_kw(db, uid, password, 'res.partner', 'check_access_rights', ['read'], {'raise_exception': False}) + models.execute_kw(db, uid, password, 'res.partner', 'name_search', ['foo'], {'limit': 10}) .. code-tab:: ruby models = XMLRPC::Client.new2("#{url}/xmlrpc/2/object").proxy - models.execute_kw(db, uid, password, 'res.partner', 'check_access_rights', ['read'], {raise_exception: false}) + models.execute_kw(db, uid, password, 'res.partner', 'name_search', ['foo'], {limit: 10}) .. code-tab:: php $models = ripcord::client("$url/xmlrpc/2/object"); - $models->execute_kw($db, $uid, $password, 'res.partner', 'check_access_rights', array('read'), array('raise_exception' => false)); + $models->execute_kw($db, $uid, $password, 'res.partner', 'name_search', array('foo'), array('limit' => 10)); .. code-tab:: java @@ -355,9 +354,9 @@ Each call to ``execute_kw`` takes the following parameters: }}; models.execute("execute_kw", asList( db, uid, password, - "res.partner", "check_access_rights", - asList("read"), - new HashMap() {{ put("raise_exception", false); }} + "res.partner", "name_search", + asList("foo"), + new HashMap() {{ put("limit", 10); }} )); .. code-tab:: go 
@@ -369,9 +368,9 @@ Each call to ``execute_kw`` takes the following parameters: var result bool if err := models.Call("execute_kw", []any{ db, uid, password, - "res.partner", "check_access_rights", - []string{"read"}, - map[string]bool{"raise_exception": false}, + "res.partner", "name_search", + []string{"foo"}, + map[string]bool{"limit": 10}, }, &result); err != nil { log.Fatal(err) } diff --git a/content/developer/tutorials/restrict_data_access.rst b/content/developer/tutorials/restrict_data_access.rst index 1a19f6b2e..3dea23a89 100644 --- a/content/developer/tutorials/restrict_data_access.rst +++ b/content/developer/tutorials/restrict_data_access.rst 
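Review bot: The Go tab no longer compiles as written, because `map[string]bool{"limit": 10}` puts an integer into a bool-valued map; the keyword arguments should be `map[string]int{"limit": 10}`. The unchanged `var result bool` above the call is also left over from the old true/false access check. `name_search` is described in the first hunk as returning up to 10 results, so the variable presumably needs a slice type such as `var result []any`; confirm this against what the XML-RPC client decodes. The snippet starts and ends outside this hunk, so the rest of the Go example was not checked.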
@@ -355,21 +355,15 @@ Explicit security checks can be performed by: specific models or records. * Checking that the current user has specific groups hard-coded to allow or deny an operation (``self.env.user.has_group``). -* Calling the ``check_access_rights(operation)`` method on a recordset, this - verifies whether the current user has access to the model itself. -* Calling ``check_access_rule(operations)`` on a non-empty recordset, this - verifies that the current user is allowed to perform the operation on *every* - record of the set. - -.. warning:: Checking access rights and checking record rules are separate - operations, if you're checking record rules you usually want to - also check access rights beforehand. +* Calling ``check_access(operations)`` on a recordset, this verifies that the + current user is allowed to perform the operation on *every* record of the set. + As a special case, when the recordset is empty, it verifies that the current + user has some access rights to perform the operation on the model in general. .. exercise:: - Before creating the invoice, use ``check_access_rights`` and - ``check_access_rule`` to ensure that the current user can update properties - in general as well as the specific property the invoice is for. + Before creating the invoice, use ``check_access`` to ensure that the current + user can update the property the invoice is for. Re-run the bypass script, check that the error occurs before the print.
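Review bot: The new `check_access` bullet mentions the empty-recordset case but gives no caution for it, and the warning removed here was the only callout in this list. By the bullet's own wording, a call on an empty recordset checks model-level access only and evaluates no record rule. I would add a short note after the bullet, for example `.. note:: On an empty recordset (for instance a search that matched nothing) no record rule is evaluated; make sure the recordset holds the records you are about to act on.` The bullet also writes `check_access(operations)` while the sentence speaks of "the operation"; use the singular if that matches the method signature, which is not visible in this patch. Finally, "on a recordset, this verifies" is a comma splice, and `on a recordset; this verifies` reads more cleanly.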