[15.0][ADD] model_access_restriction

model_access_restriction/README.rst

@@ -0,0 +1,145 @@
+========================
+Model Access Restriction
+========================
+
+.. 
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! source digest: sha256:6337b5f5fe7be747949769f4c064d9a6ca5495d905fa33e50b868be80bde4557
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Beta
+.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
+    :alt: License: AGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--backend-lightgray.png?logo=github
+    :target: https://github.com/OCA/server-backend/tree/15.0/model_access_restriction
+    :alt: OCA/server-backend
+.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
+    :target: https://translation.odoo-community.org/projects/server-backend-15-0/server-backend-15-0-model_access_restriction
+    :alt: Translate me on Weblate
+.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
+    :target: https://runboat.odoo-community.org/builds?repo=OCA/server-backend&target_branch=15.0
+    :alt: Try me on Runboat
+
+|badge1| |badge2| |badge3| |badge4| |badge5|
+
+This module adds a new model to configure Odoo permissions, the "Model
+Access Restrictions"
+
+This model allows to restrict the access to a model for all users except
+the ones that belong to at least one group of a list of allowed groups.
+
+While Odoo's default access rules provide permissions, and having one
+already gives you access, these new rules remove them, and failing to
+comply with one restricts your access.
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Configuration
+=============
+
+To configure this module, you need to:
+
+-  Go to Settings / Technical / Security / Model Access Restrictions
+-  Create a new access restriction
+-  Select the model to restrict the access
+-  Select the operations the rule applies to. If the operation is not
+   selected the restriction won't apply to that operation which means
+   users will access the model as always.
+-  Select the groups that will have access to the model. The rest of
+   groups will have the access disabled.
+
+**Interaction between access records**
+
+Normal access records give permissions. Access restriction records
+remove permissions. If a user does not have one group of a restriction,
+the access will be forbidden.
+
+Detailed algorithm:
+
+1. Normal access records are combined together with a logical OR
+   operator. If a user has the group of an access record, access will be
+   granted.
+2. Access restriction records are applied before normal access, and
+   combined together with a logical AND operator. If a restriction is
+   not met, the access is forbidden.
+3. A restriction is not met if the user does not belong to any of the
+   allowed groups.
+
+Example:
+``ACCESS_1 OR ACCESS_2 AND (ACCESS_RESTRICTION_1 AND ACCESS_RESTRICTION_2)``
+
+-  ACCESS_1: Group: Internal Users
+-  ACCESS_2 Group: Administrator
+-  \***\*: Allowed Groups: Internal Users
+-  ACCESS_RESTRICTION_2 Allowed Groups: Administrator
+
+| An internal user won't have access in this example because they do not
+  meet the requirement of ACCESS_RESTRICTION_2.
+| ``TRUE OR FALSE AND (TRUE AND FALSE) = TRUE AND (FALSE) = FALSE``
+
+Known issues / Roadmap
+======================
+
+-  Read and write permissions are not implemented yet.
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-backend/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+`feedback <https://github.com/OCA/server-backend/issues/new?body=module:%20model_access_restriction%0Aversion:%2015.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Authors
+-------
+
+* Sygel
+
+Contributors
+------------
+
+-  `Sygel <https://www.sygel.es>`__:
+
+   -  Alberto Martínez
+   -  Manuel Regidor
+   -  Valentin Vinagre
+   -  Harald Panten
+
+Maintainers
+-----------
+
+This module is maintained by the OCA.
+
+.. image:: https://odoo-community.org/logo.png
+   :alt: Odoo Community Association
+   :target: https://odoo-community.org
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+.. |maintainer-tisho99| image:: https://github.com/tisho99.png?size=40px
+    :target: https://github.com/tisho99
+    :alt: tisho99
+
+Current `maintainer <https://odoo-community.org/page/maintainer-role>`__:
+
+|maintainer-tisho99| 
+
+This module is part of the `OCA/server-backend <https://github.com/OCA/server-backend/tree/15.0/model_access_restriction>`_ project on GitHub.
+
+You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.

model_access_restriction/__init__.py

@@ -0,0 +1,3 @@
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+from . import models

model_access_restriction/__manifest__.py

@@ -0,0 +1,21 @@
+# Copyright 2025 Alberto Martínez <[email protected]>
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+{
+    "name": "Model Access Restriction",
+    "summary": "New type of access rule to restrict permissions based on groups",
+    "version": "15.0.1.0.0",
+    "category": "Tools",
+    "website": "https://github.com/OCA/server-backend",
+    "author": "Sygel, Odoo Community Association (OCA)",
+    "maintainers": ["tisho99"],
+    "license": "AGPL-3",
+    "application": False,
+    "installable": True,
+    "depends": [
+        "base",
+    ],
+    "data": [
+        "security/ir.model.access.csv",
+        "views/ir_model_access_restriction_views.xml",
+    ],
+}