[T-7772][ADD] model_access_restriction

Author: Tisho99

model_access_restriction/README.rst

@@ -0,0 +1,103 @@
+========================
+Model Access Restriction
+========================
+
+.. 
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! source digest: sha256:6337b5f5fe7be747949769f4c064d9a6ca5495d905fa33e50b868be80bde4557
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Beta
+.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
+    :alt: License: AGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-sygel--technology%2Fsy--server--backend-lightgray.png?logo=github
+    :target: https://github.com/sygel-technology/sy-server-backend/tree/15.0/model_access_restriction
+    :alt: sygel-technology/sy-server-backend
+
+|badge1| |badge2| |badge3|
+
+[ This file must be max 2-3 paragraphs, and is required. ]
+
+This module extends the functionality of ... to support ... and to allow
+you to ...
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Configuration
+=============
+
+[ This file is optional, it should explain how to configure the module
+before using it; it is aimed at advanced users. ]
+
+To configure this module, you need to:
+
+-  Go to ...
+
+|alternative description|../static/description/image.png)
+
+https://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/.https://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/.https://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/ https://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/|https://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/ahttps://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/lhttps://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/thttps://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/ehttps://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/rhttps://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/nhttps://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/ahttps://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/thttps://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/ihttps://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/vhttps://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/ehttps://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/ https://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/dhttps://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/ehttps://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/shttps://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/chttps://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/rhttps://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/ihttps://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/phttps://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/thttps://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/ihttps://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/ohttps://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/nhttps://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/|https://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/ https://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/ihttps://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/mhttps://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/ahttps://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/ghttps://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/ehttps://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/:https://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/:https://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/ https://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/
+https://raw.githubusercontent.com/sygel-technology/sy-server-backend/15.0/model_access_restriction/
+
+Usage
+=====
+
+[ This file must be present and contains the usage instructions for
+end-users. As all other rst files included in the README, it MUST NOT
+contain reStructuredText sections only body text (paragraphs, lists,
+tables, etc). Should you need a more elaborate structure to explain the
+addon, please create a Sphinx documentation (which may include this file
+as a "quick start" section). ]
+
+To use this module, you need to:
+
+1. Go to ...
+
+Known issues / Roadmap
+======================
+
+[ Enumerate known caveats and future potential improvements. It is
+mostly intended for end-users, and can also help potential new
+contributors discovering new features to implement. ]
+
+-  ...
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/sygel-technology/sy-server-backend/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+`feedback <https://github.com/sygel-technology/sy-server-backend/issues/new?body=module:%20model_access_restriction%0Aversion:%2015.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Authors
+-------
+
+* Sygel
+
+Contributors
+------------
+
+-  Alberto Martínez [email protected]
+-  Valentin Vinagre [email protected]
+-  Harald Panten [email protected]
+
+Maintainers
+-----------
+
+This module is part of the `sygel-technology/sy-server-backend <https://github.com/sygel-technology/sy-server-backend/tree/15.0/model_access_restriction>`_ project on GitHub.
+
+You are welcome to contribute.

model_access_restriction/__init__.py

@@ -0,0 +1,3 @@
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+from . import models

model_access_restriction/__manifest__.py

@@ -0,0 +1,20 @@
+# Copyright 2025 Alberto Martínez <[email protected]>
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+{
+    "name": "Model Access Restriction",
+    "summary": "Module summary",
+    "version": "15.0.1.0.0",
+    "category": "Tools",
+    "website": "https://github.com/sygel-technology/sy-server-backend",
+    "author": "Sygel, Odoo Community Association (OCA)",
+    "license": "AGPL-3",
+    "application": False,
+    "installable": True,
+    "depends": [
+        "base",
+    ],
+    "data": [
+        "security/ir.model.access.csv",
+        "views/ir_model_access_restriction_views.xml",
+    ],
+}

model_access_restriction/models/__init__.py

@@ -0,0 +1,4 @@
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+from . import ir_model_access_restriction
+from . import models

model_access_restriction/models/ir_model_access_restriction.py

@@ -0,0 +1,74 @@
+# Copyright 2025 Alberto Martínez <[email protected]>
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+from odoo import _, api, exceptions, fields, models
+
+
+class IrModelAccessRestriction(models.Model):
+    _name = "ir.model.access.restriction"
+    _description = "Model Access Restrictions. Not having one will disable access."
+
+    _order = "model_id,name,id"
+
+    name = fields.Char(index=True)
+    active = fields.Boolean(
+        default=True,
+    )
+    model_id = fields.Many2one(
+        "ir.model", string="Model", index=True, required=True, ondelete="cascade"
+    )
+    groups = fields.Many2many(
+        comodel_name="res.groups",
+        relation="model_access_restriction_group_rel",
+        column1="model_access_restriction_id",
+        column2="group_id",
+        ondelete="restrict",
+    )
+    # perm_read = fields.Boolean(string='Apply for Read', default=True)
+    # perm_write = fields.Boolean(string='Apply for Write', default=True)
+    perm_create = fields.Boolean(string="Apply for Create", default=True)
+    perm_unlink = fields.Boolean(string="Apply for Delete", default=True)
+
+    def _get_model_restrictions(self, model, operation):
+        query = """ SELECT r.id
+                    FROM ir_model_access_restriction r JOIN ir_model m ON (r.model_id=m.id)
+                    WHERE m.model='{model}' AND r.active AND r.perm_{operation}
+                    ORDER BY r.id
+                """.format(
+            model=model, operation=operation
+        )
+        self._cr.execute(query)
+        return self.browse(row[0] for row in self._cr.fetchall()).exists()
+
+    def _get_passed_restrictions(self, model, operation):
+        query = """ SELECT r.id
+                    FROM ir_model_access_restriction r
+                        JOIN ir_model m ON (r.model_id=m.id)
+                    WHERE m.model='{model}' AND r.active AND r.perm_{operation}
+                    AND (r.id IN (
+                        SELECT model_access_restriction_id FROM model_access_restriction_group_rel rg
+                        JOIN res_groups_users_rel gu ON (rg.group_id=gu.gid)
+                        WHERE gu.uid={uid})
+                    )
+                    ORDER BY r.id
+                """.format(
+            model=model, operation=operation, uid=self._uid
+        )
+        self._cr.execute(query)
+        return self.browse(row[0] for row in self._cr.fetchall()).exists()
+
+    def check_restrictions(self, model, operation):
+        if operation not in ["create", "unlink"]:
+            return True
+        model_restrictions = self._get_model_restrictions(model, operation)
+        return not model_restrictions or not (
+            model_restrictions - self._get_passed_restrictions(model, operation)
+        )
+
+    @api.constrains("groups")
+    def _check_groups(self):
+        for rec in self:
+            if not any(rec.groups):
+                raise exceptions.ValidationError(
+                    _("Restrictions must have at least one group")
+                )

model_access_restriction/models/models.py

@@ -0,0 +1,17 @@
+# Copyright 2025 Alberto Martínez <[email protected]>
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+from odoo import api, models
+
+
+class Base(models.AbstractModel):
+    _inherit = "base"
+
+    @api.model
+    def check_access_rights(self, operation, raise_exception=True):
+        not_access_restrictions = self.env[
+            "ir.model.access.restriction"
+        ].check_restrictions(self._name, operation)
+        return not_access_restrictions and super().check_access_rights(
+            operation, raise_exception
+        )

model_access_restriction/readme/CONFIGURE.md

@@ -0,0 +1,8 @@
+[ This file is optional, it should explain how to configure
+  the module before using it; it is aimed at advanced users. ]
+
+To configure this module, you need to:
+
+- Go to ...
+
+![alternative description]()../static/description/image.png)

model_access_restriction/readme/CONTRIBUTORS.md

@@ -0,0 +1,3 @@
+- Alberto Martínez <[email protected]>
+- Valentin Vinagre <[email protected]>
+- Harald Panten <[email protected]>

model_access_restriction/readme/DESCRIPTION.md

@@ -0,0 +1,5 @@
+[ This file must be max 2-3 paragraphs, and is required. ]
+
+This module extends the functionality of ... to support ...
+and to allow you to ...
+

model_access_restriction/readme/ROADMAP.md

@@ -0,0 +1,5 @@
+[ Enumerate known caveats and future potential improvements.
+  It is mostly intended for end-users, and can also help
+  potential new contributors discovering new features to implement. ]
+
+- ...

model_access_restriction/readme/USAGE.md

@@ -0,0 +1,11 @@
+[ This file must be present and contains the usage instructions
+  for end-users. As all other rst files included in the README,
+  it MUST NOT contain reStructuredText sections
+  only body text (paragraphs, lists, tables, etc). Should you need
+  a more elaborate structure to explain the addon, please create a
+  Sphinx documentation (which may include this file as a "quick start"
+  section). ]
+
+To use this module, you need to:
+
+1. Go to ...

model_access_restriction/security/ir.model.access.csv

@@ -0,0 +1,2 @@
+id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
+access_ir_model_access_restriction,access_ir_model_access_restriction,model_ir_model_access_restriction,base.group_erp_manager,1,1,1,1

model_access_restriction/static/description/icon.png

@@ -0,0 +1,116 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!-- Copyright 2025 Alberto Martínez <[email protected]>
+     License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl). -->
+<odoo>
+
+    <record id="view_model_access_restrictions_form" model="ir.ui.view">
+        <field name="model">ir.model.access.restriction</field>
+        <field name="arch" type="xml">
+            <form string="Model Access Restrictions">
+                <sheet>
+                <group>
+                    <group string="General">
+                        <field name="name" />
+                        <field name="model_id" />
+                        <field name="active" widget="boolean_toggle" />
+                    </group>
+                    <group col="4" string="Access Rights">
+                        <!-- <field name="perm_read"/>
+                        <field name="perm_write"/> -->
+                        <field name="perm_create" />
+                        <field name="perm_unlink" />
+                    </group>
+                </group>
+                <group string="Groups">
+                    <field name="groups" nolabel="1" colspan="4" />
+                </group>
+                <i
+                        class="fa fa-info fa-3x text-info float-left"
+                        role="img"
+                        aria-label="Info"
+                        title="Info"
+                    />
+                <h3>Interaction between access records</h3>
+                <div>
+                    <p>
+                        Normal access records give permissions. Access restriction records removes permissions, if a user does not have one group of a resctriction the access will be forbidden.
+                    </p>
+                </div>
+                </sheet>
+            </form>
+        </field>
+    </record>
+
+    <record id="view_model_access_restrictions_tree" model="ir.ui.view">
+        <field name="model">ir.model.access.restriction</field>
+        <field name="arch" type="xml">
+            <tree decoration-info="not groups">
+                <field name="name" />
+                <field name="model_id" />
+                <field
+                    name="groups"
+                    widget="many2many_tags"
+                    options="{'no_create':True}"
+                />
+                <!-- <field name="perm_read"/>
+                <field name="perm_write"/> -->
+                <field name="perm_create" />
+                <field name="perm_unlink" />
+            </tree>
+        </field>
+    </record>
+
+    <record id="view_model_access_restrictions_search" model="ir.ui.view">
+        <field name="model">ir.model.access.restriction</field>
+        <field name="arch" type="xml">
+            <search string="Model Access Restrictions">
+                <field name="name" />
+                <field name="model_id" />
+                <field name="groups" />
+                <separator />
+                <!-- <filter string="Read Access Right" name="read_access_right" domain="[('perm_read', '=', True)]"/>
+                <filter string="Write Access Right" name="write_access_right" domain="[('perm_write', '=', True)]"/> -->
+                <filter
+                    string="Create Access Right"
+                    name="create_access_right"
+                    domain="[('perm_create', '=' ,True)]"
+                />
+                <filter
+                    string="Delete Access Right"
+                    name="delete_access_right"
+                    domain="[('perm_unlink', '=', True)]"
+                />
+                <separator />
+                <filter
+                    string="Archived"
+                    name="inactive"
+                    domain="[('active', '=', False)]"
+                />
+                <group string="Group By">
+                    <filter
+                        string="Model"
+                        name="group_by_object"
+                        domain="[]"
+                        context="{'group_by': 'model_id'}"
+                    />
+                </group>
+            </search>
+        </field>
+    </record>
+
+    <record id="action_model_access_restrictions" model="ir.actions.act_window">
+        <field name="name">Model Access Restrictions</field>
+        <field name="res_model">ir.model.access.restriction</field>
+        <field name="view_id" ref="view_model_access_restrictions_tree" />
+        <field name="search_view_id" ref="view_model_access_restrictions_search" />
+    </record>
+
+    <menuitem
+        action="action_model_access_restrictions"
+        id="menu_action_model_access_restrictions"
+        parent="base.menu_security"
+        sequence="4"
+    />
+
+
+</odoo>

model_access_restriction/views/ir_model_access_restriction_views.xml

@@ -0,0 +1 @@
+../../../../model_access_restriction

setup/model_access_restriction/odoo/addons/model_access_restriction

@@ -0,0 +1,6 @@
+import setuptools
+
+setuptools.setup(
+    setup_requires=['setuptools-odoo'],
+    odoo_addon=True,
+)