[T-7772][ADD] model_access_restriction

Author: Tisho99

model_access_restriction/README.rst

@@ -0,0 +1,91 @@
+========================
+Model Access Restriction
+========================
+
+.. 
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! source digest: sha256:6337b5f5fe7be747949769f4c064d9a6ca5495d905fa33e50b868be80bde4557
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Beta
+.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
+    :alt: License: AGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-sygel--technology%2Fsy--server--backend-lightgray.png?logo=github
+    :target: https://github.com/sygel-technology/sy-server-backend/tree/15.0/model_access_restriction
+    :alt: sygel-technology/sy-server-backend
+
+|badge1| |badge2| |badge3|
+
+This module adds a new model to configure Odoo permissions, the "Model
+Access Restrictions"
+
+This model allows to restrict the access to a model for all users except
+the ones that belong to at least one group of a list of allowed groups.
+
+While Odoo's default access rules provide permissions, and having one
+already gives you access, these new rules remove them, and failing to
+comply with one restricts your access.
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Configuration
+=============
+
+To configure this module, you need to:
+
+-  Go to Settings / Technical / Security / Model Access Restrictions
+-  Create a new access restriction
+-  Select the model to restrict the access
+-  Select the operations the rule applies to. If the operation is not
+   selected the restriction won't apply to that operation which means
+   users will access the model as always.
+-  Select the groups that will have access to the model. The rest of
+   groups will have the access disabled.
+
+Known issues / Roadmap
+======================
+
+-  Read and write permissions are not implemented yet. It is commented
+   and should be easy.
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/sygel-technology/sy-server-backend/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+`feedback <https://github.com/sygel-technology/sy-server-backend/issues/new?body=module:%20model_access_restriction%0Aversion:%2015.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Authors
+-------
+
+* Sygel
+
+Contributors
+------------
+
+-  Alberto Martínez [email protected]
+-  Manuel Regidor [email protected]
+-  Valentin Vinagre [email protected]
+-  Harald Panten [email protected]
+
+Maintainers
+-----------
+
+This module is part of the `sygel-technology/sy-server-backend <https://github.com/sygel-technology/sy-server-backend/tree/15.0/model_access_restriction>`_ project on GitHub.
+
+You are welcome to contribute.

model_access_restriction/__init__.py

@@ -0,0 +1,3 @@
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+from . import models

model_access_restriction/__manifest__.py

@@ -0,0 +1,20 @@
+# Copyright 2025 Alberto Martínez <[email protected]>
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+{
+    "name": "Model Access Restriction",
+    "summary": "New type of access rule to restrict permissions based on groups",
+    "version": "15.0.1.0.0",
+    "category": "Tools",
+    "website": "https://github.com/sygel-technology/sy-server-backend",
+    "author": "Sygel, Odoo Community Association (OCA)",
+    "license": "AGPL-3",
+    "application": False,
+    "installable": True,
+    "depends": [
+        "base",
+    ],
+    "data": [
+        "security/ir.model.access.csv",
+        "views/ir_model_access_restriction_views.xml",
+    ],
+}

model_access_restriction/i18n/es.po

@@ -0,0 +1,163 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+# 	* model_access_restriction
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 15.0+e\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2025-04-10 08:12+0000\n"
+"PO-Revision-Date: 2025-04-10 10:13+0200\n"
+"Last-Translator: \n"
+"Language-Team: \n"
+"Language: es\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: \n"
+"X-Generator: Poedit 3.0.1\n"
+
+#. module: model_access_restriction
+#: model_terms:ir.ui.view,arch_db:model_access_restriction.view_model_access_restrictions_form
+msgid ""
+"<i class=\"fa fa-info fa-3x text-info float-left\" role=\"img\" aria-"
+"label=\"Info\" title=\"Info\"/>"
+msgstr ""
+
+#. module: model_access_restriction
+#: model_terms:ir.ui.view,arch_db:model_access_restriction.view_model_access_restrictions_form
+msgid "Access Rights"
+msgstr "Permisos de acceso"
+
+#. module: model_access_restriction
+#: model:ir.model.fields,field_description:model_access_restriction.field_ir_model_access_restriction__active
+msgid "Active"
+msgstr "Activo"
+
+#. module: model_access_restriction
+#: model:ir.model.fields,field_description:model_access_restriction.field_ir_model_access_restriction__groups
+#: model_terms:ir.ui.view,arch_db:model_access_restriction.view_model_access_restrictions_form
+msgid "Allowed Groups"
+msgstr "Grupos permitidos"
+
+#. module: model_access_restriction
+#: model:ir.model.fields,field_description:model_access_restriction.field_ir_model_access_restriction__perm_create
+msgid "Apply for Create"
+msgstr "Aplicar para creación"
+
+#. module: model_access_restriction
+#: model:ir.model.fields,field_description:model_access_restriction.field_ir_model_access_restriction__perm_unlink
+msgid "Apply for Delete"
+msgstr "Aplicar para eliminación"
+
+#. module: model_access_restriction
+#: model_terms:ir.ui.view,arch_db:model_access_restriction.view_model_access_restrictions_search
+msgid "Archived"
+msgstr "Archivado"
+
+#. module: model_access_restriction
+#: model:ir.model,name:model_access_restriction.model_base
+msgid "Base"
+msgstr "Base"
+
+#. module: model_access_restriction
+#: model_terms:ir.ui.view,arch_db:model_access_restriction.view_model_access_restrictions_search
+msgid "Create Access Right"
+msgstr "Permiso de acceso de creacion"
+
+#. module: model_access_restriction
+#: model:ir.model.fields,field_description:model_access_restriction.field_ir_model_access_restriction__create_uid
+msgid "Created by"
+msgstr ""
+
+#. module: model_access_restriction
+#: model:ir.model.fields,field_description:model_access_restriction.field_ir_model_access_restriction__create_date
+msgid "Created on"
+msgstr ""
+
+#. module: model_access_restriction
+#: model_terms:ir.ui.view,arch_db:model_access_restriction.view_model_access_restrictions_search
+msgid "Delete Access Right"
+msgstr "Permiso de acceso de eliminación"
+
+#. module: model_access_restriction
+#: model:ir.model.fields,field_description:model_access_restriction.field_ir_model_access_restriction__display_name
+msgid "Display Name"
+msgstr "Nombre mostrado"
+
+#. module: model_access_restriction
+#: model_terms:ir.ui.view,arch_db:model_access_restriction.view_model_access_restrictions_form
+msgid "General"
+msgstr "General"
+
+#. module: model_access_restriction
+#: model_terms:ir.ui.view,arch_db:model_access_restriction.view_model_access_restrictions_search
+msgid "Group By"
+msgstr "Agrupar por"
+
+#. module: model_access_restriction
+#: model:ir.model.fields,field_description:model_access_restriction.field_ir_model_access_restriction__id
+msgid "ID"
+msgstr ""
+
+#. module: model_access_restriction
+#: model_terms:ir.ui.view,arch_db:model_access_restriction.view_model_access_restrictions_form
+msgid "Interaction between access records"
+msgstr "Interacciones entre registros de acceso"
+
+#. module: model_access_restriction
+#: model:ir.model.fields,field_description:model_access_restriction.field_ir_model_access_restriction____last_update
+msgid "Last Modified on"
+msgstr ""
+
+#. module: model_access_restriction
+#: model:ir.model.fields,field_description:model_access_restriction.field_ir_model_access_restriction__write_uid
+msgid "Last Updated by"
+msgstr ""
+
+#. module: model_access_restriction
+#: model:ir.model.fields,field_description:model_access_restriction.field_ir_model_access_restriction__write_date
+msgid "Last Updated on"
+msgstr ""
+
+#. module: model_access_restriction
+#: model:ir.model.fields,field_description:model_access_restriction.field_ir_model_access_restriction__model_id
+#: model_terms:ir.ui.view,arch_db:model_access_restriction.view_model_access_restrictions_search
+msgid "Model"
+msgstr "Modelo"
+
+#. module: model_access_restriction
+#: model:ir.actions.act_window,name:model_access_restriction.action_model_access_restrictions
+#: model:ir.ui.menu,name:model_access_restriction.menu_action_model_access_restrictions
+#: model_terms:ir.ui.view,arch_db:model_access_restriction.view_model_access_restrictions_form
+#: model_terms:ir.ui.view,arch_db:model_access_restriction.view_model_access_restrictions_search
+msgid "Model Access Restrictions"
+msgstr "Restricciones de acceso a modelos"
+
+#. module: model_access_restriction
+#: model:ir.model,name:model_access_restriction.model_ir_model_access_restriction
+msgid "Model Access Restrictions. Not having one will disable access."
+msgstr ""
+"Restricciones de acceso a modelos. No cumplir una deshabilitará el acceso."
+
+#. module: model_access_restriction
+#: model:ir.model.fields,field_description:model_access_restriction.field_ir_model_access_restriction__name
+msgid "Name"
+msgstr "Nombre"
+
+#. module: model_access_restriction
+#: model_terms:ir.ui.view,arch_db:model_access_restriction.view_model_access_restrictions_form
+msgid ""
+"Normal access records give permissions. Access restriction records removes "
+"permissions, if a user does not have one group of a resctriction the access "
+"will be forbidden."
+msgstr ""
+"Los registros de acceso normales otorgan permisos. Los registros de "
+"restricción de acceso los eliminan. Si un usuario no tiene un grupo de "
+"restricción, se le prohibirá el acceso."
+
+#. module: model_access_restriction
+#: code:addons/model_access_restriction/models/ir_model_access_restriction.py:0
+#, python-format
+msgid "Restrictions must have at least one group"
+msgstr "Las restricciones deben tener al menos un grupo"

model_access_restriction/models/__init__.py

@@ -0,0 +1,4 @@
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+from . import ir_model_access_restriction
+from . import models

model_access_restriction/models/ir_model_access_restriction.py

@@ -0,0 +1,80 @@
+# Copyright 2025 Alberto Martínez <[email protected]>
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+from odoo import _, api, exceptions, fields, models
+
+
+class IrModelAccessRestriction(models.Model):
+    _name = "ir.model.access.restriction"
+    _description = "Model Access Restrictions. Not having one will disable access."
+
+    _order = "model_id,name,id"
+
+    name = fields.Char(index=True)
+    active = fields.Boolean(
+        default=True,
+    )
+    model_id = fields.Many2one(
+        string="Model",
+        comodel_name="ir.model",
+        index=True,
+        required=True,
+        ondelete="cascade",
+    )
+    groups = fields.Many2many(
+        string="Allowed Groups",
+        comodel_name="res.groups",
+        relation="model_access_restriction_group_rel",
+        column1="model_access_restriction_id",
+        column2="group_id",
+        ondelete="restrict",
+    )
+    # perm_read = fields.Boolean(string='Apply for Read', default=True)
+    # perm_write = fields.Boolean(string='Apply for Write', default=True)
+    perm_create = fields.Boolean(string="Apply for Create", default=True)
+    perm_unlink = fields.Boolean(string="Apply for Delete", default=True)
+
+    def _get_model_restrictions(self, model, operation):
+        query = """ SELECT r.id
+                    FROM ir_model_access_restriction r JOIN ir_model m ON (r.model_id=m.id)
+                    WHERE m.model=%s AND r.active AND r.perm_{operation}
+                    ORDER BY r.id
+                """.format(
+            operation=operation
+        )
+        self._cr.execute(query, (model,))
+        return self.browse(row[0] for row in self._cr.fetchall()).exists()
+
+    def _get_passed_restrictions(self, model, operation):
+        query = """ SELECT r.id
+                    FROM ir_model_access_restriction r
+                        JOIN ir_model m ON (r.model_id=m.id)
+                    WHERE m.model=%s AND r.active AND r.perm_{operation}
+                    AND (r.id IN (
+                        SELECT model_access_restriction_id
+                        FROM model_access_restriction_group_rel rg
+                        JOIN res_groups_users_rel gu ON (rg.group_id=gu.gid)
+                        WHERE gu.uid=%s)
+                    )
+                    ORDER BY r.id
+                """.format(
+            operation=operation
+        )
+        self._cr.execute(query, (model, self._uid))
+        return self.browse(row[0] for row in self._cr.fetchall()).exists()
+
+    def check_restrictions(self, model, operation):
+        if operation not in ["create", "unlink"]:
+            return True
+        model_restrictions = self._get_model_restrictions(model, operation)
+        return not model_restrictions or not (
+            model_restrictions - self._get_passed_restrictions(model, operation)
+        )
+
+    @api.constrains("groups")
+    def _check_groups(self):
+        for rec in self:
+            if not any(rec.groups):
+                raise exceptions.ValidationError(
+                    _("Restrictions must have at least one group")
+                )

model_access_restriction/models/models.py

@@ -0,0 +1,17 @@
+# Copyright 2025 Alberto Martínez <[email protected]>
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+from odoo import api, models
+
+
+class Base(models.AbstractModel):
+    _inherit = "base"
+
+    @api.model
+    def check_access_rights(self, operation, raise_exception=True):
+        not_access_restrictions = self.env[
+            "ir.model.access.restriction"
+        ].check_restrictions(self._name, operation)
+        return not_access_restrictions and super().check_access_rights(
+            operation, raise_exception
+        )

model_access_restriction/readme/CONFIGURE.md

@@ -0,0 +1,7 @@
+To configure this module, you need to:
+
+- Go to Settings / Technical / Security / Model Access Restrictions
+- Create a new access restriction
+- Select the model to restrict the access
+- Select the operations the rule applies to. If the operation is not selected the restriction won't apply to that operation which means users will access the model as always.
+- Select the groups that will have access to the model. The rest of groups will have the access disabled.

model_access_restriction/readme/CONTRIBUTORS.md

@@ -0,0 +1,4 @@
+- Alberto Martínez <[email protected]>
+- Manuel Regidor <[email protected]>
+- Valentin Vinagre <[email protected]>
+- Harald Panten <[email protected]>