[IMP] *: adapt to the new check_access API

closes odoo/documentation#10991

Related: odoo/odoo#179148
Related: odoo/enterprise#69425
Signed-off-by: Raphael Collet <rco@odoo.com>
Raphael Collet 2024-09-02 13:40:43 +02:00
parent ca39c79dfe
commit 16c6c0f492
3 changed files with 21 additions and 25 deletions

@ -9,6 +9,9 @@ Odoo version 18.0
- Searching by name is now implemented as `_search_display_name` like all other fields. - Searching by name is now implemented as `_search_display_name` like all other fields.
See `#174967 <https://github.com/odoo/odoo/pull/174967>`_. See `#174967 <https://github.com/odoo/odoo/pull/174967>`_.
- New methods to check access rights and rules now combine both access rights
and rules: `check_access`, `has_access` and `_filtered_access`.
See `#179148 <https://github.com/odoo/odoo/pull/179148>`_.
Odoo Online version 17.4 Odoo Online version 17.4
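Review bot: the new changelog entry repeats itself ("methods to check access rights and rules now combine both access rights and rules") and does not say which methods it supersedes. The other hunks of this commit replace ``check_access_rights`` and ``check_access_rule``, so naming them here would tell readers what to migrate from. Suggested wording: "New methods `check_access`, `has_access` and `_filtered_access` check access rights and record rules together, replacing `check_access_rights` and `check_access_rule`."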

@ -324,27 +324,26 @@ Each call to ``execute_kw`` takes the following parameters:
.. example:: .. example::
For instance, to see if we can read the ``res.partner`` model, we can call For instance, to search for records in the ``res.partner`` model, we can call
``check_access_rights`` with ``operation`` passed by position and ``name_search`` with ``name`` passed by position and ``limit`` passed by
``raise_exception`` passed by keyword (in order to get a true/false result keyword (in order to get maximum 10 results):
rather than true/error):
.. tabs:: .. tabs::
.. code-tab:: python .. code-tab:: python
models = xmlrpc.client.ServerProxy('{}/xmlrpc/2/object'.format(url)) models = xmlrpc.client.ServerProxy('{}/xmlrpc/2/object'.format(url))
models.execute_kw(db, uid, password, 'res.partner', 'check_access_rights', ['read'], {'raise_exception': False}) models.execute_kw(db, uid, password, 'res.partner', 'name_search', ['foo'], {'limit': 10})
.. code-tab:: ruby .. code-tab:: ruby
models = XMLRPC::Client.new2("#{url}/xmlrpc/2/object").proxy models = XMLRPC::Client.new2("#{url}/xmlrpc/2/object").proxy
models.execute_kw(db, uid, password, 'res.partner', 'check_access_rights', ['read'], {raise_exception: false}) models.execute_kw(db, uid, password, 'res.partner', 'name_search', ['foo'], {limit: 10})
.. code-tab:: php .. code-tab:: php
$models = ripcord::client("$url/xmlrpc/2/object"); $models = ripcord::client("$url/xmlrpc/2/object");
$models->execute_kw($db, $uid, $password, 'res.partner', 'check_access_rights', array('read'), array('raise_exception' => false)); $models->execute_kw($db, $uid, $password, 'res.partner', 'name_search', array('foo'), array('limit' => 10));
.. code-tab:: java .. code-tab:: java
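Review bot: in the rewritten introduction, "in order to get maximum 10 results" should read "in order to get at most 10 results". The sentence still says what is passed by position and by keyword, which is the purpose of this example, but it no longer tells the reader what kind of result to expect now that the call is not a true/false check; one clause on the return value of ``name_search`` would keep the snippets in the tabs below interpretable.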
@ -355,9 +354,9 @@ Each call to ``execute_kw`` takes the following parameters:
}}; }};
models.execute("execute_kw", asList( models.execute("execute_kw", asList(
db, uid, password, db, uid, password,
"res.partner", "check_access_rights", "res.partner", "name_search",
asList("read"), asList("foo"),
new HashMap() {{ put("raise_exception", false); }} new HashMap() {{ put("limit", 10); }}
)); ));
.. code-tab:: go .. code-tab:: go
@ -369,9 +368,9 @@ Each call to ``execute_kw`` takes the following parameters:
var result bool var result bool
if err := models.Call("execute_kw", []any{ if err := models.Call("execute_kw", []any{
db, uid, password, db, uid, password,
"res.partner", "check_access_rights", "res.partner", "name_search",
[]string{"read"}, []string{"foo"},
map[string]bool{"raise_exception": false}, map[string]bool{"limit": 10},
}, &result); err != nil { }, &result); err != nil {
log.Fatal(err) log.Fatal(err)
} }
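Review bot: the Go snippet no longer compiles after this change, because ``map[string]bool{"limit": 10}`` assigns an integer to a ``bool`` map value. Use ``map[string]int{"limit": 10}`` or ``map[string]any{"limit": 10}``. The unchanged context line ``var result bool`` also needs updating: it matched the true/false result of the old ``check_access_rights`` call, but the introduction now describes a call that returns up to 10 results, so a boolean cannot hold the response.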

@ -355,21 +355,15 @@ Explicit security checks can be performed by:
specific models or records. specific models or records.
* Checking that the current user has specific groups hard-coded to allow or deny * Checking that the current user has specific groups hard-coded to allow or deny
an operation (``self.env.user.has_group``). an operation (``self.env.user.has_group``).
* Calling the ``check_access_rights(operation)`` method on a recordset, this * Calling ``check_access(operations)`` on a recordset, this verifies that the
verifies whether the current user has access to the model itself. current user is allowed to perform the operation on *every* record of the set.
* Calling ``check_access_rule(operations)`` on a non-empty recordset, this As a special case, when the recordset is empty, it verifies that the current
verifies that the current user is allowed to perform the operation on *every* user has some access rights to perform the operation on the model in general.
record of the set.
.. warning:: Checking access rights and checking record rules are separate
operations, if you're checking record rules you usually want to
also check access rights beforehand.
.. exercise:: .. exercise::
Before creating the invoice, use ``check_access_rights`` and Before creating the invoice, use ``check_access`` to ensure that the current
``check_access_rule`` to ensure that the current user can update properties user can update the property the invoice is for.
in general as well as the specific property the invoice is for.
Re-run the bypass script, check that the error occurs before the print. Re-run the bypass script, check that the error occurs before the print.
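Review bot: the new bullet writes the signature as ``check_access(operations)`` while the sentence that follows speaks of "the operation" in the singular; the plural looks carried over from the removed ``check_access_rule(operations)`` line, so please make the parameter name match the prose. The sentence is also a comma splice ("on a recordset, this verifies"); "Calling ``check_access(...)`` on a recordset verifies that ..." reads better. Since the removed warning was the only place telling readers that rights and rules had to be checked separately, a short remark that the single call now covers both would help anyone coming from the old text, and the changelog hunk's ``has_access`` and ``_filtered_access`` could be mentioned in this list as well.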