From f4615911fe111ddc5d692f504782f76cd87b38c7 Mon Sep 17 00:00:00 2001
From: Christophe Monniez <moc@odoo.com>
Date: Fri, 1 Mar 2024 15:29:32 +0100
Subject: [PATCH] [IMP] runbot: add security rules for objects by projects

---
 runbot/security/runbot_security.xml | 36 +++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/runbot/security/runbot_security.xml b/runbot/security/runbot_security.xml
index 1aa25c6e..8ace14d8 100644
--- a/runbot/security/runbot_security.xml
+++ b/runbot/security/runbot_security.xml
@@ -130,5 +130,41 @@
         <field name="perm_read" eval="False"/>
     </record>
 
+    <record id="runbot_bundle_access_user" model="ir.rule">
+      <field name="name">User can read bundle from public projects or specific groups</field>
+      <field name="model_id" ref="model_runbot_bundle"/>
+      <field name="domain_force">['|', ('project_id.group_ids.users', 'in', user.id), ('project_id.group_ids', '=', False)]</field>
+    </record>
+
+    <record id="runbot_branch_access_user" model="ir.rule">
+      <field name="name">User can read branch from public projects or specific groups</field>
+      <field name="model_id" ref="model_runbot_branch"/>
+      <field name="domain_force">['|', ('bundle_id.project_id.group_ids.users', 'in', user.id), ('bundle_id.project_id.group_ids', '=', False)]</field>
+    </record>
+
+    <record id="runbot_batch_access_user" model="ir.rule">
+      <field name="name">User can read batch from public projects or specific groups</field>
+      <field name="model_id" ref="model_runbot_batch"/>
+      <field name="domain_force">['|', ('bundle_id.project_id.group_ids.users', 'in', user.id), ('bundle_id.project_id.group_ids', '=', False)]</field>
+    </record>
+
+    <record id="runbot_commit_access_user" model="ir.rule">
+      <field name="name">User can read commits from public projects or specific groups</field>
+      <field name="model_id" ref="model_runbot_commit"/>
+      <field name="domain_force">['|', ('repo_id.project_id.group_ids.users', 'in', user.id), ('repo_id.project_id.group_ids', '=', False)]</field>
+    </record>
+
+    <record id="runbot_batch_slot_access_user" model="ir.rule">
+      <field name="name">User can read batch slot from public projects or specific groups</field>
+      <field name="model_id" ref="model_runbot_batch_slot"/>
+      <field name="domain_force">['|', ('batch_id.bundle_id.project_id.group_ids.users', 'in', user.id), ('batch_id.bundle_id.project_id.group_ids', '=', False)]</field>
+    </record>
+
+    <record id="runbot_build_access_user" model="ir.rule">
+      <field name="name">User can read build from public projects or specific groups</field>
+      <field name="model_id" ref="model_runbot_build"/>
+      <field name="domain_force">['|', ('params_id.project_id.group_ids.users', 'in', user.id), ('params_id.project_id.group_ids', '=', False)]</field>
+    </record>
+
   </data>
 </odoo>