[IMP] runbot_merge: view warnings around ACLs

Eventually we might want to add a proper "sensitive" flag on overrides and compute the flag based on that. For now just check for `ci/security`.
2025-03-15 23:45:44 +07:00 · 2024-03-19 12:24:43 +01:00 · 2024-03-19 12:24:43 +01:00 · 9f22305903
commit 9f22305903
parent 5024c2e27b
2 changed files with 19 additions and 2 deletions
--- a/runbot_merge/models/res_partner.py
+++ b/runbot_merge/models/res_partner.py
@ -19,6 +19,7 @@ class Partner(models.Model):
    formatted_email = fields.Char(string="commit email", compute='_rfc5322_formatted')
    review_rights = fields.One2many('res.partner.review', 'partner_id')
    override_rights = fields.Many2many('res.partner.override')
+    override_sensitive = fields.Boolean(compute="_compute_sensitive_overrides")

    def _auto_init(self):
        res = super(Partner, self)._auto_init()
@ -45,6 +46,11 @@ class Partner(models.Model):
            p.email = gh.user(p.github_login)['email'] or False
        return False

+    @api.depends("override_rights.context")
+    def _compute_sensitive_overrides(self):
+        for p in self:
+            p.override_sensitive = any(o.context == 'ci/security' for o in p.override_rights)
+
 class PartnerMerge(models.TransientModel):
    _inherit = 'base.partner.merge.automatic.wizard'

--- a/runbot_merge/views/res_partner.xml
+++ b/runbot_merge/views/res_partner.xml
@ -50,6 +50,7 @@
            </xpath>
            <xpath expr="//notebook" position="inside">
                <page string="Mergebot" groups="runbot_merge.group_admin">
+                    <field name="override_sensitive" invisible="1"/>
                    <group>
                        <group>
                            <field name="github_login"/>
@ -57,7 +58,12 @@
                    </group>
                    <group>
                        <group colspan="4" string="Review Rights">
-                            <field name="review_rights" nolabel="1">
+                            <div colspan="4" class="alert alert-warning" role="alert" attrs="{'invisible': [('review_rights', '=', [])]}">
+                                Review access requires successfully following
+                                the Code Review (QDP) and Security (DLE)
+                                trainings. Please check before giving r+ access.
+                            </div>
+                            <field colspan="4" name="review_rights" nolabel="1">
                                <tree string="Review ACLs" editable="bottom">
                                    <field name="repository_id"/>
                                    <field name="review"/>
@ -66,7 +72,12 @@
                            </field>
                        </group>
                        <group colspan="4">
-                            <field name="override_rights" widget="many2many_tags"/>
+                            <div colspan="4" class="alert alert-danger" role="alert" attrs="{'invisible': [('override_sensitive', '=', False)]}">
+                                Security Override <b>REQUIRES</b> successfully
+                                following the Security training. Please ask DLE
+                                before granting access.
+                            </div>
+                            <field colspan="4" name="override_rights" widget="many2many_tags"/>
                        </group>
                    </group>
                    <group>