From 3cc5a704e66bf2f90e15bb09416fda5ad5571466 Mon Sep 17 00:00:00 2001
From: Bert Van Groenendael <bert.vangroenendael@dynapps.be>
Date: Fri, 18 Nov 2022 13:46:45 +0100
Subject: [PATCH] [IMP] auditlog: dedicated security groups for model access

---
 auditlog/__manifest__.py              |  1 +
 auditlog/readme/USAGE.rst             |  6 ++++++
 auditlog/security/ir.model.access.csv | 22 +++++++++++-----------
 auditlog/security/res_groups.xml      | 24 ++++++++++++++++++++++++
 4 files changed, 42 insertions(+), 11 deletions(-)
 create mode 100644 auditlog/security/res_groups.xml

diff --git a/auditlog/__manifest__.py b/auditlog/__manifest__.py
index 1656d4e90..984ea8df9 100644
--- a/auditlog/__manifest__.py
+++ b/auditlog/__manifest__.py
@@ -10,6 +10,7 @@
     "category": "Tools",
     "depends": ["base"],
     "data": [
+        "security/res_groups.xml",
         "security/ir.model.access.csv",
         "data/ir_cron.xml",
         "views/auditlog_view.xml",
diff --git a/auditlog/readme/USAGE.rst b/auditlog/readme/USAGE.rst
index caf38fe03..05c61d882 100644
--- a/auditlog/readme/USAGE.rst
+++ b/auditlog/readme/USAGE.rst
@@ -19,3 +19,9 @@ To activate it and/or change the delay, go to the
 `Auto-vacuum audit logs` entry:
 
 .. image:: ../static/description/autovacuum.png
+
+There are two possible groups configured to which one may belong. The first
+is the Auditlog User group. This group has read-only access to the auditlogs of
+individual records through the `View Logs` action. The second group is the
+Auditlog Manager group. This group additionally has the right to configure the
+auditlog configuration rules.
diff --git a/auditlog/security/ir.model.access.csv b/auditlog/security/ir.model.access.csv
index 47c4c3f51..09bf61103 100644
--- a/auditlog/security/ir.model.access.csv
+++ b/auditlog/security/ir.model.access.csv
@@ -1,13 +1,13 @@
 id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
-access_auditlog_rule_user,auditlog_rule_user,model_auditlog_rule,base.group_user,0,0,0,0
-access_auditlog_log_user,auditlog_log_user,model_auditlog_log,base.group_user,0,0,0,0
-access_auditlog_log_line_user,auditlog_log_line_user,model_auditlog_log_line,base.group_user,0,0,0,0
-access_auditlog_http_session_user,auditlog_http_session_user,model_auditlog_http_session,base.group_user,0,0,0,0
-access_auditlog_http_request_user,auditlog_http_request_user,model_auditlog_http_request,base.group_user,0,0,0,0
+access_auditlog_rule_user,auditlog_rule_user,model_auditlog_rule,auditlog.group_auditlog_user,1,0,0,0
+access_auditlog_log_user,auditlog_log_user,model_auditlog_log,auditlog.group_auditlog_user,1,0,0,0
+access_auditlog_log_line_user,auditlog_log_line_user,model_auditlog_log_line,auditlog.group_auditlog_user,1,0,0,0
+access_auditlog_http_session_user,auditlog_http_session_user,model_auditlog_http_session,auditlog.group_auditlog_user,1,0,0,0
+access_auditlog_http_request_user,auditlog_http_request_user,model_auditlog_http_request,auditlog.group_auditlog_user,1,0,0,0
 
-access_auditlog_rule_manager,auditlog_rule_manager,model_auditlog_rule,base.group_erp_manager,1,1,1,1
-access_auditlog_log_manager,auditlog_log_manager,model_auditlog_log,base.group_erp_manager,1,1,1,1
-access_auditlog_log_line_manager,auditlog_log_line_manager,model_auditlog_log_line,base.group_erp_manager,1,1,1,1
-access_auditlog_http_session_manager,auditlog_http_session_manager,model_auditlog_http_session,base.group_erp_manager,1,1,1,1
-access_auditlog_http_request_manager,auditlog_http_request_manager,model_auditlog_http_request,base.group_erp_manager,1,1,1,1
-access_auditlog_autovacuum,access_auditlog_autovacuum,model_auditlog_autovacuum,base.group_user,1,1,1,1
+access_auditlog_rule_manager,auditlog_rule_manager,model_auditlog_rule,auditlog.group_auditlog_manager,1,1,1,1
+access_auditlog_log_manager,auditlog_log_manager,model_auditlog_log,auditlog.group_auditlog_manager,1,1,1,1
+access_auditlog_log_line_manager,auditlog_log_line_manager,model_auditlog_log_line,auditlog.group_auditlog_manager,1,1,1,1
+access_auditlog_http_session_manager,auditlog_http_session_manager,model_auditlog_http_session,auditlog.group_auditlog_manager,1,1,1,1
+access_auditlog_http_request_manager,auditlog_http_request_manager,model_auditlog_http_request,auditlog.group_auditlog_manager,1,1,1,1
+access_auditlog_autovacuum,access_auditlog_autovacuum,model_auditlog_autovacuum,auditlog.group_auditlog_user,1,1,1,1
diff --git a/auditlog/security/res_groups.xml b/auditlog/security/res_groups.xml
new file mode 100644
index 000000000..d2d6d80c0
--- /dev/null
+++ b/auditlog/security/res_groups.xml
@@ -0,0 +1,24 @@
+<odoo>
+    <record model="ir.module.category" id="security_auditlog_groups">
+        <field name="name">Auditlog Rights</field>
+    </record>
+
+    <record model="res.groups" id="group_auditlog_user">
+        <field name="name">Auditlog User</field>
+        <field name="category_id" ref="auditlog.security_auditlog_groups" />
+    </record>
+
+    <record model="res.groups" id="group_auditlog_manager">
+        <field name="name">Auditlog Manager</field>
+        <field name="category_id" ref="auditlog.security_auditlog_groups" />
+        <field name="implied_ids" eval="[(4, ref('auditlog.group_auditlog_user'))]" />
+    </record>
+
+    <record id="base.group_system" model="res.groups">
+        <field
+            name="implied_ids"
+            eval="[(4, ref('auditlog.group_auditlog_manager'))]"
+        />
+    </record>
+
+</odoo>