Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[15.0][MIG] base_user_role_company #241

Open
wants to merge 30 commits into
base: 15.0
Choose a base branch
from

Conversation

hbrunn
Copy link
Member

@hbrunn hbrunn commented Sep 27, 2023

this is a backport from v16 as it contains patches the previous v15 PRs (#139, #187) didn't

Enable User Roles depending on the Companies selected.

A company specific Role will only be enabled
if it is set for **all** the currently selected companies.
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dreispt this isn't true since at least v14. To me it would make sense to adapt the code accordingly, or do you as maintainer say better adapt the readme?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@hbrunn agree that the current README does not reflect what the code does.

The current code will poses a threat from a security standpoint. If you are assigned to Sales Manager role in company A only, you can still access to all sales manager functions in company B by just enabling this company together with company A.

I think that it's necessary to adapt the code to the README.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@hbrunn agree that the current README does not reflect what the code does.

The current code will poses a threat from a security standpoint. If you are assigned to Sales Manager role in company A only, you can still access to all sales manager functions in company B by just enabling this company together with company A.

I think that it's necessary to adapt the code to the README.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there some news about this?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed this right now

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think introducing a field last_cids on res.users that we write every time we rewrite groups should work. Then we can restrict the incoming allowed companies to the intersection with last_cids, and the company switcher then has to call a controller that does updating last_cids + group update in one transaction.

With this we should be able to guarantee you never have groups assigned for companies that shouldn't.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello here!
I work for an Odoo integrator. I think this module could be quite useful for some clients. I subscribe to the analysis that it doesn't do what it's expected to as soon it is considered as a security module (which is how I see it and how I think it could be useful).
I'm a functional guy so I'm probably missing many technical aspects. Anyways, here is my take about what the module should do :

  • Regarding the Menus / Views / Access Rights, consider the intersection of what the companies ticked in the selector give access to (through the groups associated to the roles and their inherited groups). Example with Access Rights, if you have access to those two groups through companies ticked in the selector :
    image
    image
    => Then you should only get read and write access to sales orders and sale orders lines
  • Regarding the record rules : apply an "AND" rule. In the example below we have 2 groups of record rules :
    image
    image
    => In this example, since we have a record rule restricting the modification to one's own sales and the other to the sales in "draft" state (quotations), if the companies in the selector give access to those two groups, the modification should only be allowed for one's own sales in "draft" state.

What's your opinion ? Happy to discuss this topic with you !

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what you describe is changing how roles work in the first place. That would involve changing the base module, so very much out of scope here.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello @hbrunn ,
Thanks for reading my post and coming back to me!
Do you have other solutions in mind ?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what I wrote above, but that also won't happen in this PR I think

@hbrunn
Copy link
Member Author

hbrunn commented Sep 27, 2023

/ocabot migration base_user_role_company

@OCA-git-bot OCA-git-bot added this to the 15.0 milestone Sep 27, 2023
@OCA-git-bot
Copy link
Contributor

There's no issue in this repo with the title 'Migration to version 15.0' and the milestone 15.0, so not possible to add the comment.

@JordiBForgeFlow
Copy link
Member

@hbrunn Looks good. Perhaps a small glitch (not associated with the migration) is that when you access to the users associated to a role, from the role, the company assigned to the user is not visible.

image

It is only visible from the user:

image

@hbrunn
Copy link
Member Author

hbrunn commented Jan 25, 2024

@JordiBForgeFlow I think I can slip this into this PR if nobody objects?

Do you have an opinion about #241 (review) ?

@JordiBForgeFlow
Copy link
Member

@hbrunn I would add the change as a separate commit, so that we can fwp and backport.

Chandresh-OSI and others added 21 commits February 19, 2024 16:00
Currently translated at 100.0% (11 of 11 strings)

Translation: server-backend-14.0/server-backend-14.0-base_user_role_company
Translate-URL: https://translation.odoo-community.org/projects/server-backend-14-0/server-backend-14-0-base_user_role_company/it/
Issue found on logout / relogin.
The user groups were applied correctly, but the main menu showed apps
the user did not have access to.

This was related to the menu caching mechanisn, that was disabled here.
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: server-backend-14.0/server-backend-14.0-base_user_role_company
Translate-URL: https://translation.odoo-community.org/projects/server-backend-14-0/server-backend-14-0-base_user_role_company/
Currently translated at 90.9% (10 of 11 strings)

Translation: server-backend-14.0/server-backend-14.0-base_user_role_company
Translate-URL: https://translation.odoo-community.org/projects/server-backend-14-0/server-backend-14-0-base_user_role_company/it/
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: server-backend-16.0/server-backend-16.0-base_user_role_company
Translate-URL: https://translation.odoo-community.org/projects/server-backend-16-0/server-backend-16-0-base_user_role_company/
@hbrunn hbrunn force-pushed the 15.0-mig-base_user_role_company branch from c432df7 to 28c9cec Compare February 19, 2024 15:00
@hbrunn
Copy link
Member Author

hbrunn commented Feb 19, 2024

added the company column on the user tab in roles in a2e03bf, and fixed the behavior for multiple selected companies in 28c9cec

Copy link

There hasn't been any activity on this pull request in the past 4 months, so it has been marked as stale and it will be closed automatically if no further activity occurs in the next 30 days.
If you want this PR to never become stale, please ask a PSC member to apply the "no stale" label.

@github-actions github-actions bot added the stale PR/Issue without recent activity, it'll be soon closed automatically. label Jun 30, 2024
@github-actions github-actions bot closed this Aug 4, 2024
@dreispt dreispt reopened this Aug 22, 2024
@dreispt dreispt removed the stale PR/Issue without recent activity, it'll be soon closed automatically. label Aug 22, 2024
SiesslPhillip pushed a commit to grueneerde/OCA-server-backend that referenced this pull request Nov 20, 2024
Syncing from upstream OCA/server-backend (16.0)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.