[IMP] runbot: Allow restrict access to repo.

runbot/__openerp__.py

@@ -14,6 +14,7 @@
         'res_config_view.xml',
         'security/runbot_security.xml',
         'security/ir.model.access.csv',
+        'security/ir.rule.csv',
     ],
     'installable': True,
 }

runbot/runbot.py

@@ -26,7 +26,7 @@ from matplotlib.textpath import TextToPath
 import werkzeug
 
 import openerp
-from openerp import http
+from openerp import http, SUPERUSER_ID
 from openerp.http import request
 from openerp.osv import fields, osv
 from openerp.tools import config, appdirs
@@ -190,6 +190,7 @@ class runbot_repo(osv.osv):
             string='Extra dependencies',
             help="Community addon repos which need to be present to run tests."),
         'token': fields.char("Github token"),
+        'group_ids': fields.many2many('res.groups', string='Limited to groups'),
     }
     _defaults = {
         'testing': 1,
@@ -851,7 +852,8 @@ class runbot_build(osv.osv):
 
             # Force it now
             if build.state == 'done' and build.result == 'skipped':
-                build.write({'state': 'pending', 'sequence':sequence, 'result': '' })
+                values = {'state': 'pending', 'sequence':sequence, 'result': ''}
+                self.write(cr, SUPERUSER_ID, [build.id], values, context=context)
             # or duplicate it
             elif build.state in ['running', 'done', 'duplicate']:
                 new_build = {
@@ -865,7 +867,7 @@ class runbot_build(osv.osv):
                     'subject': build.subject,
                     'modules': build.modules,
                 }
-                self.create(cr, 1, new_build, context=context)
+                self.create(cr, SUPERUSER_ID, new_build, context=context)
             return build.repo_id.id
 
     def schedule(self, cr, uid, ids, context=None):
@@ -1006,7 +1008,7 @@ class RunbotController(http.Controller):
 
     @http.route(['/runbot', '/runbot/repo/<model("runbot.repo"):repo>'], type='http', auth="public", website=True)
     def repo(self, repo=None, search='', limit='100', refresh='', **post):
-        registry, cr, uid = request.registry, request.cr, 1
+        registry, cr, uid = request.registry, request.cr, request.uid
 
         branch_obj = registry['runbot.branch']
         build_obj = registry['runbot.build']
@@ -1130,7 +1132,7 @@ class RunbotController(http.Controller):
 
     @http.route(['/runbot/build/<build_id>'], type='http', auth="public", website=True)
     def build(self, build_id=None, search=None, **post):
-        registry, cr, uid, context = request.registry, request.cr, 1, request.context
+        registry, cr, uid, context = request.registry, request.cr, request.uid, request.context
 
         Build = registry['runbot.build']
         Logging = registry['ir.logging']
@@ -1167,7 +1169,7 @@ class RunbotController(http.Controller):
 
     @http.route(['/runbot/build/<build_id>/force'], type='http', auth="public", methods=['POST'])
     def build_force(self, build_id, **post):
-        registry, cr, uid, context = request.registry, request.cr, 1, request.context
+        registry, cr, uid, context = request.registry, request.cr, request.uid, request.context
         repo_id = registry['runbot.build'].force(cr, uid, [int(build_id)])
         return werkzeug.utils.redirect('/runbot/repo/%s' % repo_id)
 
@@ -1246,7 +1248,7 @@ class RunbotController(http.Controller):
 
     @http.route(['/runbot/b/<branch_name>', '/runbot/<model("runbot.repo"):repo>/<branch_name>'], type='http', auth="public", website=True)
     def fast_launch(self, branch_name=False, repo=False, **post):
-        pool, cr, uid, context = request.registry, request.cr, 1, request.context
+        pool, cr, uid, context = request.registry, request.cr, request.uid, request.context
         Build = pool['runbot.build']
 
         domain = [('branch_id.branch_name', '=', branch_name)]

runbot/runbot.xml

@@ -27,6 +27,7 @@
                         <field name="dependency_ids" widget="many2many_tags"/>
                         <field name="modules"/>
                         <field name="token"/>
+                        <field name="group_ids" widget="many2many_tags"/>
                     </group>
                 </sheet>
             </form>

runbot/security/ir.model.access.csv

@@ -1,7 +1,7 @@
 id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
-access_runbot_repo,runbot_repo,runbot.model_runbot_repo,,1,0,0,0
+access_runbot_repo,runbot_repo,runbot.model_runbot_repo,group_user,1,0,0,0
-access_runbot_branch,runbot_branch,runbot.model_runbot_branch,,1,0,0,0
+access_runbot_branch,runbot_branch,runbot.model_runbot_branch,group_user,1,0,0,0
-access_runbot_build,runbot_build,runbot.model_runbot_build,,1,0,0,0
+access_runbot_build,runbot_build,runbot.model_runbot_build,group_user,1,0,0,0
 access_runbot_repo_admin,runbot_repo_admin,runbot.model_runbot_repo,runbot.group_runbot_admin,1,1,1,1
 access_runbot_branch_admin,runbot_branch_admin,runbot.model_runbot_branch,runbot.group_runbot_admin,1,1,1,1
 access_runbot_build_admin,runbot_build_admin,runbot.model_runbot_build,runbot.group_runbot_admin,1,1,1,1

runbot/security/ir.rule.csv

@@ -0,0 +1,7 @@
+id,name,model_id/id,groups/id,domain_force,perm_read,perm_create,perm_write,perm_unlink
+rule_repo,"limited to groups",model_runbot_repo,group_user,"['|', ('group_ids', '=', False), ('group_ids', 'in', [g.id for g in user.groups_id])]",1,1,1,1
+rule_repo_mgmt,"manager can see all",model_runbot_repo,group_runbot_admin,"[(1, '=', 1)]",1,1,1,1
+rule_branch,"limited to groups",model_runbot_branch,group_user,"['|', ('repo_id.group_ids', '=', False), ('repo_id.group_ids', 'in', [g.id for g in user.groups_id])]",1,1,1,1
+rule_branch_mgmt,"manager can see all",model_runbot_branch,group_runbot_admin,"[(1, '=', 1)]",1,1,1,1
+rule_build,"limited to groups",model_runbot_build,group_user,"['|', ('repo_id.group_ids', '=', False), ('repo_id.group_ids', 'in', [g.id for g in user.groups_id])]",1,1,1,1
+rule_build_mgmt,"manager can see all",model_runbot_build,group_runbot_admin,"[(1, '=', 1)]",1,1,1,1

runbot/security/runbot_security.xml

@@ -2,10 +2,23 @@
 <openerp>
   <data>
 
+    <record id="group_user" model="res.groups">
+      <field name="name">Runbot User</field>
+      <field name="category_id" ref="base.module_category_administration"/>
+      <!-- as public user is inactive, it wont be automatically added
+           to this group via implied groups. add it manually -->
+      <field name="user_ids" eval="[(4, ref('base.public_user'))]"/>
+    </record>
+
+    <record id="base.group_public" model="res.groups">
+      <field name="implied_ids" eval="[(4, ref('runbot.group_user'))]"/>
+    </record>
+
     <record id="group_runbot_admin" model="res.groups">
       <field name="name">Runbot Manager</field>
       <field name="category_id" ref="base.module_category_administration"/>
       <field name="users" eval="[(4, ref('base.user_root'))]"/>
+      <field name="implied_ids" eval="[(4, ref('runbot.group_user'))]"/>
     </record>
 
   </data>