[FIX] allow group users

2023-02-06 18:56:27 +03:00 · 2023-02-06 18:56:27 +03:00 · 7553f530aa
parent fcaf19d858
commit 7553f530aa
3 changed files with 19 additions and 4 deletions
--- a/support_branding/models/res_company.py
+++ b/support_branding/models/res_company.py
@ -2,7 +2,7 @@
 # License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).

 from odoo import _, api, models
-from odoo.exceptions import UserError
+from odoo.exceptions import AccessError, UserError


 class ResCompany(models.Model):
@ -10,6 +10,14 @@ class ResCompany(models.Model):

    @api.model
    def get_ir_config_param_data(self, key):
+        if not self.env.user.has_group("base.group_user"):
+            raise AccessError(
+                _(
+                    "You are not allowed to access this "
+                    "functionality, please contact Admin for "
+                    "more support"
+                )
+            )
        try:
            self.env.cr.execute(
                "select value from ir_config_parameter where " "key=(%s);", (key,)
--- a/support_branding/static/src/js/res_config_edition.js
+++ b/support_branding/static/src/js/res_config_edition.js
@ -8,21 +8,21 @@ odoo.define("support_branding.ResConfigEdition", function (require) {
            var self = this;
            var def_1 = this._rpc({
                model: "res.company",
-                method: "_get_support_branding_vals",
+                method: "get_ir_config_param_data",
                args: ["support_company"],
            }).then(function (name) {
                self.support_cp_name = name;
            });
            var def_2 = this._rpc({
                model: "res.company",
-                method: "_get_support_branding_vals",
+                method: "get_ir_config_param_data",
                args: ["support_company_url"],
            }).then(function (url) {
                self.support_cp_url = url;
            });
            var def_3 = this._rpc({
                model: "res.company",
-                method: "_get_support_branding_vals",
+                method: "get_ir_config_param_data",
                args: ["support_email"],
            }).then(function (email) {
                self.support_cp_email = email;
--- a/support_branding/tests/test_support_branding.py
+++ b/support_branding/tests/test_support_branding.py
@ -12,6 +12,7 @@ class TestSupportBranding(TransactionCase):
        self.ir_config_obj = self.env["ir.config_parameter"].sudo()
        self.demo_user = self.env.ref("base.user_demo")
        self.admin_user = self.env.ref("base.user_admin")
+        self.portal_user = self.env.ref("base.demo_user0")
        self.demo_support_branding_company_name = self.env.ref(
            "support_branding.demo_config_parameter_company_name"
        )
@ -21,6 +22,12 @@ class TestSupportBranding(TransactionCase):

    def test_fetch_support_branding_vals_from_res_company(self):

+        # Check if user has the right access rights e.g. portal user not allowed
+        with self.assertRaises(AccessError):
+            self.ir_config_obj.with_user(self.portal_user).get_param(
+                self.demo_support_company_branding_url.key
+            )
+
        # Check if demo user is able to access.
        # NB: ir.config_parameter model requires admin access rights.
        with self.assertRaises(AccessError):