OCA · benwillig · Apr 23, 2025 · Apr 23, 2025
diff --git a/base_group_erp_user/README.rst b/base_group_erp_user/README.rst
@@ -0,0 +1,91 @@
+===================
+Base Group Erp User
+===================
+
+.. 
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! source digest: sha256:f5447d6612e26998f20aa899bb8f2d09a3f933d5589af608f26c4b60b1015651
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Beta
+.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
+    :alt: License: AGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--backend-lightgray.png?logo=github
+    :target: https://github.com/OCA/server-backend/tree/16.0/base_group_erp_user
+    :alt: OCA/server-backend
+.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
+    :target: https://translation.odoo-community.org/projects/server-backend-16-0/server-backend-16-0-base_group_erp_user
+    :alt: Translate me on Weblate
+.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
+    :target: https://runboat.odoo-community.org/builds?repo=OCA/server-backend&target_branch=16.0
+    :alt: Try me on Runboat
+
+|badge1| |badge2| |badge3| |badge4| |badge5|
+
+This modules add a new group "User" in "Administration" category. This
+group has basic features to create users and groups but is not allowed
+to modify the groups of a user, or the groups of a groups.
+
+This module can also be used with base_group_erp_user role to allow
+"Administration Users" to create and edit roles without being able to
+modify inherited groups or linked users.
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Use Cases / Context
+===================
+
+This module has been created in order to allow people creating users and
+groups without being able to modify the related security (model access,
+model rules, group's users, group's groups, etc). This module can also
+be used alongside base_user_group_mgmt to allow administration user to
+request the assignation of groups to specific users.
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-backend/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+`feedback <https://github.com/OCA/server-backend/issues/new?body=module:%20base_group_erp_user%0Aversion:%2016.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Authors
+-------
+
+* ACSONE SA/NV
+
+Contributors
+------------
+
+-  Benjamin Willig [email protected] (https://acsone.eu)
+
+Maintainers
+-----------
+
+This module is maintained by the OCA.
+
+.. image:: https://odoo-community.org/logo.png
+   :alt: Odoo Community Association
+   :target: https://odoo-community.org
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+This module is part of the `OCA/server-backend <https://github.com/OCA/server-backend/tree/16.0/base_group_erp_user>`_ project on GitHub.
+
+You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.
diff --git a/base_group_erp_user/__init__.py b/base_group_erp_user/__init__.py
@@ -0,0 +1,2 @@
+from . import mixins
+from . import models
diff --git a/base_group_erp_user/__manifest__.py b/base_group_erp_user/__manifest__.py
@@ -0,0 +1,27 @@
+# Copyright 2025 ACSONE SA/NV
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+{
+    "name": "Base Group Erp User",
+    "summary": """
+        This module adds a new group in security management category.
+        This group allows users to have basic features such as user
+        or group creation. But they can't change groups associated to
+        a group or groups associated to a user""",
+    "version": "16.0.1.0.0",
+    "license": "AGPL-3",
+    "author": "ACSONE SA/NV,Odoo Community Association (OCA)",
+    "website": "https://github.com/OCA/server-backend",
+    "depends": [
+        "base",
+    ],
+    "data": [
+        "security/res_groups.xml",
+        "security/ir_model_access.xml",
+        "security/ir_module_category.xml",
+        "security/ir_rule.xml",
+        "security/res_users.xml",
+        "views/menus.xml",
+    ],
+    "demo": [],
+}
diff --git a/base_group_erp_user/mixins/__init__.py b/base_group_erp_user/mixins/__init__.py
@@ -0,0 +1 @@
+from . import mixin_erp_user_forbidden_fields
diff --git a/base_group_erp_user/mixins/mixin_erp_user_forbidden_fields.py b/base_group_erp_user/mixins/mixin_erp_user_forbidden_fields.py
@@ -0,0 +1,35 @@
+import logging
+
+from odoo import api, models
+
+_logger = logging.getLogger(__name__)
+
+
+class MixinErpUserForbiddenFields(models.AbstractModel):
+    _name = "mixin.erp.user.forbidden.fields"
+    _description = "Mixin ERP User Forbidden Fields"
+
+    @api.model_create_multi
+    def create(self, vals_list):
+        for vals in vals_list:
+            self._remove_erp_user_system_forbidden_fields(vals)
+        return super().create(vals_list)
+
+    def write(self, vals):
+        self._remove_erp_user_system_forbidden_fields(vals)
+        return super().write(vals)
+
+    @api.model
+    def _get_erp_user_system_forbidden_fields(self):
+        return []
+
+    @api.model
+    def _is_current_user_only_erp_user(self):
+        return self.env.user._is_user_only_erp_user()
+
+    @api.model
+    def _remove_erp_user_system_forbidden_fields(self, values):
+        if not self._is_current_user_only_erp_user():
+            return
+        for fname in self._get_erp_user_system_forbidden_fields():
+            values.pop(fname, False)
diff --git a/base_group_erp_user/models/__init__.py b/base_group_erp_user/models/__init__.py
@@ -0,0 +1,2 @@
+from . import res_groups
+from . import res_users
diff --git a/base_group_erp_user/models/res_groups.py b/base_group_erp_user/models/res_groups.py
@@ -0,0 +1,30 @@
+# Copyright 2025 ACSONE SA/NV
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+import logging
+
+from odoo import api, models
+
+_logger = logging.getLogger(__name__)
+
+
+class ResGroups(models.Model):
+    _name = "res.groups"
+    _inherit = ["res.groups", "mixin.erp.user.forbidden.fields"]
+
+    @api.model
+    def _get_erp_user_system_forbidden_fields(self):
+        return [
+            "implied_ids",
+            "users",
+        ]
+
+    @api.model
+    def _update_user_groups_view(self):
+        """
+        Need to bypass security as ERP user can still update groups names and create new ones.
+        """
+        safe_self = self
+        if self._is_current_user_only_erp_user():
+            safe_self = self.sudo()
+        return super(ResGroups, safe_self)._update_user_groups_view()
diff --git a/base_group_erp_user/models/res_users.py b/base_group_erp_user/models/res_users.py
@@ -0,0 +1,33 @@
+# Copyright 2025 ACSONE SA/NV
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+import logging
+
+from odoo import api, models
+
+_logger = logging.getLogger(__name__)
+
+
+class ResUsers(models.Model):
+    _name = "res.users"
+    _inherit = ["res.users", "mixin.erp.user.forbidden.fields"]
+
+    @api.model
+    def _get_erp_user_system_forbidden_fields(self):
+        return [
+            "groups_id",
+        ]
+
+    @api.model
+    def _default_groups(self):
+        if self._is_current_user_only_erp_user():
+            return []
+        return super()._default_groups()
+
+    def _is_user_only_erp_user(self):
+        self.ensure_one()
+        if self._is_admin():
+            return False
+        return self.has_group(
+            "base_group_erp_user.group_erp_user"
+        ) and not self.has_group("base.group_erp_manager")
diff --git a/base_group_erp_user/readme/CONTEXT.md b/base_group_erp_user/readme/CONTEXT.md
@@ -0,0 +1,4 @@
+This module has been created in order to allow people creating users and groups without being able to modify the
+related security (model access, model rules, group's users, group's groups, etc). This module
+can also be used alongside base_user_group_mgmt to allow administration user to request the assignation of groups
+to specific users.
diff --git a/base_group_erp_user/readme/CONTRIBUTORS.md b/base_group_erp_user/readme/CONTRIBUTORS.md
@@ -0,0 +1 @@
+- Benjamin Willig <[email protected]> (https://acsone.eu)
diff --git a/base_group_erp_user/readme/DESCRIPTION.md b/base_group_erp_user/readme/DESCRIPTION.md
@@ -0,0 +1,5 @@
+This modules add a new group "User" in "Administration" category. This group has basic features to create
+users and groups but is not allowed to modify the groups of a user, or the groups of a groups.
+
+This module can also be used with base_group_erp_user role to allow "Administration Users" to create and edit roles
+without being able to modify inherited groups or linked users.
diff --git a/base_group_erp_user/security/ir_model_access.xml b/base_group_erp_user/security/ir_model_access.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!-- Copyright 2025 ACSONE SA/NV
+     License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl). -->
+<odoo>
+  <record model="ir.model.access" id="ir_model_access_erp_user">
+    <field name="name">ir.model.access erp user</field>
+    <field name="model_id" ref="base.model_ir_model_access" />
+    <field name="group_id" ref="base_group_erp_user.group_erp_user" />
+    <field name="perm_read" eval="1" />
+    <field name="perm_create" eval="0" />
+    <field name="perm_write" eval="0" />
+    <field name="perm_unlink" eval="0" />
+  </record>
+</odoo>
diff --git a/base_group_erp_user/security/ir_module_category.xml b/base_group_erp_user/security/ir_module_category.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!-- Copyright 2025 ACSONE SA/NV
+     License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl). -->
+<odoo>
+  <record model="ir.model.access" id="ir_module_category_erp_user_access">
+    <field name="name">ir.module.category erp user access</field>
+    <field name="model_id" ref="base.model_ir_module_category" />
+    <field name="group_id" ref="base_group_erp_user.group_erp_user" />
+    <field name="perm_read" eval="1" />
+    <field name="perm_create" eval="0" />
+    <field name="perm_write" eval="0" />
+    <field name="perm_unlink" eval="0" />
+  </record>
+</odoo>
diff --git a/base_group_erp_user/security/ir_rule.xml b/base_group_erp_user/security/ir_rule.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!-- Copyright 2025 ACSONE SA/NV
+     License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl). -->
+<odoo>
+  <record model="ir.model.access" id="ir_rule_erp_user">
+    <field name="name">ir.rule erp user access</field>
+    <field name="model_id" ref="base.model_ir_rule" />
+    <field name="group_id" ref="base_group_erp_user.group_erp_user" />
+    <field name="perm_read" eval="1" />
+    <field name="perm_create" eval="0" />
+    <field name="perm_write" eval="0" />
+    <field name="perm_unlink" eval="0" />
+  </record>
+</odoo>
diff --git a/base_group_erp_user/security/res_groups.xml b/base_group_erp_user/security/res_groups.xml
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!-- Copyright 2025 ACSONE SA/NV
+     License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl). -->
+<odoo>
+    <record model="res.groups" id="group_erp_user">
+        <field name="name">User</field>
+        <field
+            name="category_id"
+            ref="base.module_category_administration_administration"
+        />
+        <field name="implied_ids" eval="[Command.link(ref('base.group_user'))]" />
+    </record>
+    <record model="res.groups" id="base.group_erp_manager">
+        <field
+            name="implied_ids"
+            eval="[Command.link(ref('base_group_erp_user.group_erp_user')), Command.unlink(ref('base.group_erp_manager'))]"
+        />
+    </record>
+
+  <record model="ir.model.access" id="res_groups_erp_user">
+    <field name="name">res.groups erp user access</field>
+    <field name="model_id" ref="base.model_res_groups" />
+    <field name="group_id" ref="base_group_erp_user.group_erp_user" />
+    <field name="perm_read" eval="1" />
+    <field name="perm_create" eval="1" />
+    <field name="perm_write" eval="1" />
+    <field name="perm_unlink" eval="0" />
+  </record>
+</odoo>
diff --git a/base_group_erp_user/security/res_users.xml b/base_group_erp_user/security/res_users.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!-- Copyright 2025 ACSONE SA/NV
+     License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl). -->
+<odoo>
+  <record model="ir.model.access" id="res_users_erp_user">
+    <field name="name">res.users erp user access</field>
+    <field name="model_id" ref="base.model_res_users" />
+    <field name="group_id" ref="base_group_erp_user.group_erp_user" />
+    <field name="perm_read" eval="1" />
+    <field name="perm_create" eval="1" />
+    <field name="perm_write" eval="1" />
+    <field name="perm_unlink" eval="0" />
+  </record>
+</odoo>
diff --git a/base_group_erp_user/static/description/icon.png b/base_group_erp_user/static/description/icon.png
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		from . import res_groups
		from . import res_users
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		- Benjamin Willig <[email protected]> (https://acsone.eu)