Merge pull request #519 from OCA/14.0

Syncing from upstream OCA/server-auth (14.0)
brain-tec · Nov 20, 2024 · 89a2de6 · 89a2de6
2 parents 3d60fa8 + 7106f1b
commit 89a2de6
Show file tree

Hide file tree

Showing 13 changed files with 205 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -39,7 +39,7 @@ addon | version | maintainers | summary
 [auth_user_case_insensitive](auth_user_case_insensitive/) | 14.0.1.0.1 |  | Makes the user login field case insensitive
 [base_user_empty_password](base_user_empty_password/) | 14.0.1.0.0 | [![grindtildeath](https://github.com/grindtildeath.png?size=30px)](https://github.com/grindtildeath) | Allows to empty password of users
 [base_user_show_email](base_user_show_email/) | 14.0.1.0.0 |  | Untangle user login and email
-[impersonate_login](impersonate_login/) | 14.0.1.0.0 | [![Kev-Roche](https://github.com/Kev-Roche.png?size=30px)](https://github.com/Kev-Roche) | tools
+[impersonate_login](impersonate_login/) | 14.0.1.0.1 | [![Kev-Roche](https://github.com/Kev-Roche.png?size=30px)](https://github.com/Kev-Roche) | tools
 [password_security](password_security/) | 14.0.1.1.0 |  | Allow admin to set password security requirements.
 [user_log_view](user_log_view/) | 14.0.1.0.0 | [![trojikman](https://github.com/trojikman.png?size=30px)](https://github.com/trojikman) | Allow to see user's actions log
 [users_ldap_groups](users_ldap_groups/) | 14.0.1.0.1 |  | Adds user accounts to groups based on rules defined by the administrator.

diff --git a/impersonate_login/README.rst b/impersonate_login/README.rst
@@ -7,7 +7,7 @@ Impersonate Login
    !! This file is generated by oca-gen-addon-readme !!
    !! changes will be overwritten.                   !!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-   !! source digest: sha256:a9d881ab6f6e5777204c45f152c0af22753629ca4b46ac913fe8da3792573ca8
+   !! source digest: sha256:5b81c79d20d3679798c2f35fe1c7dc4cbe88abe7567ee2f21f05f63ff34c0bd2
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
 .. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
@@ -40,7 +40,10 @@ following measures are in place:
 -  Mails and messages are sent from the original user.
 -  Impersonated logins are logged and can be consulted through the
    Settings -> Technical menu.
--
+- To prevent users with "Administration: Settings" rights from being impersonated,
+   enable the restrict_impersonate_admin_settings field in the settings.
+   This will restrict the ability to impersonate users with administrative
+   access to the settings.
 
 There is an alternative module to allow logins as another user
 (auth_admin_passkey), but it does not support these security mechanisms.
@@ -81,6 +84,8 @@ Contributors
 - Kévin Roche <[email protected]>
 - [360ERP](https://www.360erp.com):
   - Andrea Stirpe
+- `Ooops404 <https://www.ooops404.com/>`_:
+  - Eduard Brahas <[email protected]>
 
 Maintainers
 ~~~~~~~~~~~

diff --git a/impersonate_login/__manifest__.py b/impersonate_login/__manifest__.py
@@ -5,7 +5,7 @@
 {
     "name": "Impersonate Login",
     "summary": "tools",
-    "version": "14.0.1.0.0",
+    "version": "14.0.1.0.1",
     "category": "Tools",
     "website": "https://github.com/OCA/server-auth",
     "author": "Akretion, Odoo Community Association (OCA)",
@@ -21,6 +21,7 @@
         "views/assets.xml",
         "views/res_users.xml",
         "views/impersonate_log.xml",
+        "views/res_config_settings.xml",
         "security/group.xml",
         "security/ir.model.access.csv",
     ],

diff --git a/impersonate_login/i18n/impersonate_login.pot b/impersonate_login/i18n/impersonate_login.pot
@@ -18,6 +18,11 @@ msgstr ""
 msgid "Base"
 msgstr ""
 
+#. module: impersonate_login
+#: model:ir.model,name:impersonate_login.model_res_config_settings
+msgid "Config Settings"
+msgstr ""
+
 #. module: impersonate_login
 #: model:ir.model.fields,field_description:impersonate_login.field_mail_mail__body
 #: model:ir.model.fields,field_description:impersonate_login.field_mail_message__body
@@ -39,6 +44,7 @@ msgstr ""
 #: model:ir.model.fields,field_description:impersonate_login.field_ir_http__display_name
 #: model:ir.model.fields,field_description:impersonate_login.field_mail_message__display_name
 #: model:ir.model.fields,field_description:impersonate_login.field_mail_thread__display_name
+#: model:ir.model.fields,field_description:impersonate_login.field_res_config_settings__display_name
 #: model:ir.model.fields,field_description:impersonate_login.field_res_users__display_name
 msgid "Display Name"
 msgstr ""
@@ -63,10 +69,18 @@ msgstr ""
 #: model:ir.model.fields,field_description:impersonate_login.field_ir_http__id
 #: model:ir.model.fields,field_description:impersonate_login.field_mail_message__id
 #: model:ir.model.fields,field_description:impersonate_login.field_mail_thread__id
+#: model:ir.model.fields,field_description:impersonate_login.field_res_config_settings__id
 #: model:ir.model.fields,field_description:impersonate_login.field_res_users__id
 msgid "ID"
 msgstr ""
 
+#. module: impersonate_login
+#: model:ir.model.fields,help:impersonate_login.field_res_config_settings__restrict_impersonate_admin_settings
+msgid ""
+"If enabled, users with the 'Administration: Settings' access right cannot be"
+" impersonated."
+msgstr ""
+
 #. module: impersonate_login
 #: model:ir.actions.act_window,name:impersonate_login.impersonate_log_action
 msgid "Impersonate Login Logs"
@@ -93,6 +107,11 @@ msgstr ""
 msgid "Impersonated Logs"
 msgstr ""
 
+#. module: impersonate_login
+#: model_terms:ir.ui.view,arch_db:impersonate_login.view_res_config_settings_impersonate
+msgid "Impersonation Login"
+msgstr ""
+
 #. module: impersonate_login
 #: code:addons/impersonate_login/models/res_users.py:0
 #, python-format
@@ -104,6 +123,7 @@ msgstr ""
 #: model:ir.model.fields,field_description:impersonate_login.field_ir_http____last_update
 #: model:ir.model.fields,field_description:impersonate_login.field_mail_message____last_update
 #: model:ir.model.fields,field_description:impersonate_login.field_mail_thread____last_update
+#: model:ir.model.fields,field_description:impersonate_login.field_res_config_settings____last_update
 #: model:ir.model.fields,field_description:impersonate_login.field_res_users____last_update
 msgid "Last Modified on"
 msgstr ""
@@ -135,6 +155,17 @@ msgstr ""
 msgid "Message"
 msgstr ""
 
+#. module: impersonate_login
+#: model_terms:ir.ui.view,arch_db:impersonate_login.view_res_config_settings_impersonate
+msgid "Restrict Impersonation Login"
+msgstr ""
+
+#. module: impersonate_login
+#: model:ir.model.fields,field_description:impersonate_login.field_res_config_settings__restrict_impersonate_admin_settings
+#: model_terms:ir.ui.view,arch_db:impersonate_login.view_res_config_settings_impersonate
+msgid "Restrict Impersonation of 'Administration: Settings' Users"
+msgstr ""
+
 #. module: impersonate_login
 #: model:ir.model.fields,field_description:impersonate_login.field_impersonate_log__date_start
 msgid "Start Date"
@@ -164,6 +195,13 @@ msgstr ""
 msgid "You are already Logged as another user."
 msgstr ""
 
+#. module: impersonate_login
+#: code:addons/impersonate_login/models/res_users.py:0
+#, python-format
+msgid ""
+"You cannot impersonate users with 'Administration: Settings' access rights."
+msgstr ""
+
 #. module: impersonate_login
 #. openerp-web
 #: code:addons/impersonate_login/static/src/xml/user_menu.xml:0

diff --git a/impersonate_login/i18n/it.po b/impersonate_login/i18n/it.po
@@ -21,6 +21,11 @@ msgstr ""
 msgid "Base"
 msgstr "Base"
 
+#. module: impersonate_login
+#: model:ir.model,name:impersonate_login.model_res_config_settings
+msgid "Config Settings"
+msgstr ""
+
 #. module: impersonate_login
 #: model:ir.model.fields,field_description:impersonate_login.field_mail_mail__body
 #: model:ir.model.fields,field_description:impersonate_login.field_mail_message__body
@@ -42,6 +47,7 @@ msgstr "Creato il"
 #: model:ir.model.fields,field_description:impersonate_login.field_ir_http__display_name
 #: model:ir.model.fields,field_description:impersonate_login.field_mail_message__display_name
 #: model:ir.model.fields,field_description:impersonate_login.field_mail_thread__display_name
+#: model:ir.model.fields,field_description:impersonate_login.field_res_config_settings__display_name
 #: model:ir.model.fields,field_description:impersonate_login.field_res_users__display_name
 msgid "Display Name"
 msgstr "Nome visualizzato"
@@ -66,10 +72,18 @@ msgstr "Instradamento HTTP"
 #: model:ir.model.fields,field_description:impersonate_login.field_ir_http__id
 #: model:ir.model.fields,field_description:impersonate_login.field_mail_message__id
 #: model:ir.model.fields,field_description:impersonate_login.field_mail_thread__id
+#: model:ir.model.fields,field_description:impersonate_login.field_res_config_settings__id
 #: model:ir.model.fields,field_description:impersonate_login.field_res_users__id
 msgid "ID"
 msgstr "ID"
 
+#. module: impersonate_login
+#: model:ir.model.fields,help:impersonate_login.field_res_config_settings__restrict_impersonate_admin_settings
+msgid ""
+"If enabled, users with the 'Administration: Settings' access right cannot be "
+"impersonated."
+msgstr ""
+
 #. module: impersonate_login
 #: model:ir.actions.act_window,name:impersonate_login.impersonate_log_action
 msgid "Impersonate Login Logs"
@@ -96,6 +110,11 @@ msgstr "Imita autore"
 msgid "Impersonated Logs"
 msgstr "Imita registri"
 
+#. module: impersonate_login
+#: model_terms:ir.ui.view,arch_db:impersonate_login.view_res_config_settings_impersonate
+msgid "Impersonation Login"
+msgstr ""
+
 #. module: impersonate_login
 #: code:addons/impersonate_login/models/res_users.py:0
 #, python-format
@@ -107,6 +126,7 @@ msgstr "Sei tu."
 #: model:ir.model.fields,field_description:impersonate_login.field_ir_http____last_update
 #: model:ir.model.fields,field_description:impersonate_login.field_mail_message____last_update
 #: model:ir.model.fields,field_description:impersonate_login.field_mail_thread____last_update
+#: model:ir.model.fields,field_description:impersonate_login.field_res_config_settings____last_update
 #: model:ir.model.fields,field_description:impersonate_login.field_res_users____last_update
 msgid "Last Modified on"
 msgstr "Ultima modifica il"
@@ -128,7 +148,6 @@ msgstr "Registrato come"
 
 #. module: impersonate_login
 #: code:addons/impersonate_login/models/mail_message.py:0
-#: code:addons/impersonate_login/models/mail_message.py:0
 #, python-format
 msgid "Logged in as {}"
 msgstr "Registrato come {}"
@@ -138,6 +157,17 @@ msgstr "Registrato come {}"
 msgid "Message"
 msgstr "Messaggio"
 
+#. module: impersonate_login
+#: model_terms:ir.ui.view,arch_db:impersonate_login.view_res_config_settings_impersonate
+msgid "Restrict Impersonation Login"
+msgstr ""
+
+#. module: impersonate_login
+#: model:ir.model.fields,field_description:impersonate_login.field_res_config_settings__restrict_impersonate_admin_settings
+#: model_terms:ir.ui.view,arch_db:impersonate_login.view_res_config_settings_impersonate
+msgid "Restrict Impersonation of 'Administration: Settings' Users"
+msgstr ""
+
 #. module: impersonate_login
 #: model:ir.model.fields,field_description:impersonate_login.field_impersonate_log__date_start
 msgid "Start Date"
@@ -167,6 +197,13 @@ msgstr "Utenti"
 msgid "You are already Logged as another user."
 msgstr "Si è già registrati come altro utente."
 
+#. module: impersonate_login
+#: code:addons/impersonate_login/models/res_users.py:0
+#, python-format
+msgid ""
+"You cannot impersonate users with 'Administration: Settings' access rights."
+msgstr ""
+
 #. module: impersonate_login
 #. openerp-web
 #: code:addons/impersonate_login/static/src/xml/user_menu.xml:0

diff --git a/impersonate_login/models/__init__.py b/impersonate_login/models/__init__.py
@@ -4,3 +4,4 @@
 from . import mail_message
 from . import impersonate_log
 from . import model
+from . import res_config_settings
diff --git a/impersonate_login/models/res_config_settings.py b/impersonate_login/models/res_config_settings.py
@@ -0,0 +1,13 @@
+from odoo import fields, models
+
+
+class ResConfigSettings(models.TransientModel):
+    _inherit = "res.config.settings"
+
+    restrict_impersonate_admin_settings = fields.Boolean(
+        string="Restrict Impersonation of 'Administration: Settings' Users",
+        config_parameter="impersonate_login.restrict_impersonate_admin_settings",
+        help="If enabled, users with the 'Administration: Settings' access right"
+        " cannot be impersonated.",
+        default=False,
+    )
diff --git a/impersonate_login/models/res_users.py b/impersonate_login/models/res_users.py
@@ -24,6 +24,22 @@ def _is_impersonate_user(self):
 
     def impersonate_login(self):
         if request:
+
+            config_restrict = (
+                self.env["ir.config_parameter"]
+                .sudo()
+                .get_param("impersonate_login.restrict_impersonate_admin_settings")
+            )
+            if config_restrict:
+                admin_settings_group = self.env.ref("base.group_system")
+                if admin_settings_group in self.groups_id:
+                    raise UserError(
+                        _(
+                            "You cannot impersonate users with"
+                            " 'Administration: Settings' access rights."
+                        )
+                    )
+
             if request.session.impersonate_from_uid:
                 if self.id == request.session.impersonate_from_uid:
                     return self.back_to_origin_login()

diff --git a/impersonate_login/readme/CONTRIBUTORS.rst b/impersonate_login/readme/CONTRIBUTORS.rst
@@ -1,3 +1,5 @@
 - Kévin Roche <[email protected]>
 - [360ERP](https://www.360erp.com):
   - Andrea Stirpe
+- `Ooops404 <https://www.ooops404.com/>`_:
+  - Eduard Brahas <[email protected]>
diff --git a/impersonate_login/readme/DESCRIPTION.rst b/impersonate_login/readme/DESCRIPTION.rst
@@ -10,7 +10,10 @@ following measures are in place:
 -  Mails and messages are sent from the original user.
 -  Impersonated logins are logged and can be consulted through the
    Settings -> Technical menu.
--
+- To prevent users with "Administration: Settings" rights from being impersonated,
+   enable the restrict_impersonate_admin_settings field in the settings.
+   This will restrict the ability to impersonate users with administrative
+   access to the settings.
 
 There is an alternative module to allow logins as another user
 (auth_admin_passkey), but it does not support these security mechanisms.
diff --git a/impersonate_login/static/description/index.html b/impersonate_login/static/description/index.html
@@ -367,7 +367,7 @@ <h1 class="title">Impersonate Login</h1>
 !! This file is generated by oca-gen-addon-readme !!
 !! changes will be overwritten.                   !!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-!! source digest: sha256:a9d881ab6f6e5777204c45f152c0af22753629ca4b46ac913fe8da3792573ca8
+!! source digest: sha256:5b81c79d20d3679798c2f35fe1c7dc4cbe88abe7567ee2f21f05f63ff34c0bd2
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
 <p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/14.0/impersonate_login"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-14-0/server-auth-14-0-impersonate_login"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=14.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
 <p>This module allows one user (for example, a member of the support team)
@@ -381,7 +381,13 @@ <h1 class="title">Impersonate Login</h1>
 <li>Mails and messages are sent from the original user.</li>
 <li>Impersonated logins are logged and can be consulted through the
 Settings -&gt; Technical menu.</li>
-<li></li>
+<li><dl class="first docutils">
+<dt>To prevent users with “Administration: Settings” rights from being impersonated,</dt>
+<dd>enable the restrict_impersonate_admin_settings field in the settings.
+This will restrict the ability to impersonate users with administrative
+access to the settings.</dd>
+</dl>
+</li>
 </ul>
 <p>There is an alternative module to allow logins as another user
 (auth_admin_passkey), but it does not support these security mechanisms.</p>
@@ -426,6 +432,8 @@ <h2><a class="toc-backref" href="#toc-entry-5">Contributors</a></h2>
 <li>Kévin Roche &lt;<a class="reference external" href="mailto:kevin.roche&#64;akretion.com">kevin.roche&#64;akretion.com</a>&gt;</li>
 <li>[360ERP](<a class="reference external" href="https://www.360erp.com">https://www.360erp.com</a>):
 - Andrea Stirpe</li>
+<li><a class="reference external" href="https://www.ooops404.com/">Ooops404</a>:
+- Eduard Brahas &lt;<a class="reference external" href="mailto:eduard&#64;ooops404.com">eduard&#64;ooops404.com</a>&gt;</li>
 </ul>
 </div>
 <div class="section" id="maintainers">

diff --git a/impersonate_login/tests/test_impersonate_login.py b/impersonate_login/tests/test_impersonate_login.py
@@ -261,3 +261,43 @@ def test_04_write_uid(self):
         contact.invalidate_cache()
         self.assertEqual(contact.ref, "abc")
         self.assertEqual(contact.write_uid, self.admin_user)
+
+    def test_05_limit_access_to_admin(self):
+        """
+        Test restriction on impersonating admin users
+        with 'Administration: Settings' access rights.
+        """
+        # Enable the configuration setting via ResConfigSettings
+        config_settings = self.env["res.config.settings"].create(
+            {"restrict_impersonate_admin_settings": True}
+        )
+        config_settings.execute()
+
+        # Ensure the configuration parameter is set
+        config_restrict = (
+            self.env["ir.config_parameter"]
+            .sudo()
+            .get_param("impersonate_login.restrict_impersonate_admin_settings")
+        )
+        self.assertTrue(config_restrict)
+
+        # Ensure the admin user has the 'Administration: Settings' group
+        admin_settings_group = self.env.ref("base.group_system")
+        self.admin_user.groups_id += admin_settings_group
+
+        # Login as demo user
+        self.authenticate(user="demo", password="demo")
+        self.assertEqual(self.session.uid, self.demo_user.id)
+
+        # Give demo user the impersonation group
+        self.demo_user.groups_id += self.env.ref(
+            "impersonate_login.group_impersonate_login"
+        )
+
+        with mute_logger("odoo.http"):
+            data = self._impersonate_user(self.admin_user)
+        # Validate the error message
+        self.assertEqual(
+            data["error"]["data"]["message"],
+            "You cannot impersonate users with 'Administration: Settings' access rights.",
+        )