Merge PR #205 into 16.0

Signed-off-by dreispt

base_group_backend/README.rst

@@ -0,0 +1,181 @@
+=============
+Group backend
+=============
+
+.. 
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! source digest: sha256:879007f368a0b75ad5da7f5d3e3d1d6ae386da26d27df7fc4dec1a6865cf0233
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Alpha-red.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Alpha
+.. |badge2| image:: https://img.shields.io/badge/licence-LGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/lgpl-3.0-standalone.html
+    :alt: License: LGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--backend-lightgray.png?logo=github
+    :target: https://github.com/OCA/server-backend/tree/16.0/base_group_backend
+    :alt: OCA/server-backend
+.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
+    :target: https://translation.odoo-community.org/projects/server-backend-16-0/server-backend-16-0-base_group_backend
+    :alt: Translate me on Weblate
+.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
+    :target: https://runboat.odoo-community.org/builds?repo=OCA/server-backend&target_branch=16.0
+    :alt: Try me on Runboat
+
+|badge1| |badge2| |badge3| |badge4| |badge5|
+
+This module was written to extend the standard functionality regarding users
+and groups management by adding a new `Backend user` group that only gives access
+to odoo backend (`/web`):
+
+* minimal default access:
+  * users and partners (this is necessary to access your own data)
+  * mail activity, notification and channel
+  * presence
+* minimal default menu
+  * notification
+  * activities
+* minimal default access rules
+
+The problem with the `Internal user` is when you want to gives access to the
+backend to a really thin part of your business to some users, it's quite hard
+to properly maintain those roles over the project life, a lot of models use
+that group (`base.group_user`) by default which makes hard to maintains.
+
+So that helps creating well-defined user groups with more controls.
+
+This modules does 3 things:
+* It hijack the has_group method of res.users by returning True for group_backend users when the requested group is group_user (The need for this needs to be investigated)
+* It sets the res_users.share to False for group_backend users. This allows those users to access the backend.
+* It sets the bare minimum permission in the ir.model.access.csv to display the backend
+
+We suggest to use this module with its compagnon `base_user_role`
+
+
+Here is an example where a backend ui user can only access and use the dummy app. No other application are available to this user. You may define your own application instead of the dummy one.
+
+.. figure:: https://raw.githubusercontent.com/OCA/server-backend/16.0/base_group_backend/static/description/dummy_app.png
+    :alt: Dummy app for demo
+
+
+
+Limitations
+~~~~~~~~~~~
+
+At the time of writing, Odoo uses `res.users.share == False` to give the
+backend access.
+However to be able to access the backend without any errors some basic rights are necessary.
+This module change the way `res.users.share` is computed to allow `group_backend users` to use the backend.
+
+This avoids to write a lot of overwrite in different controllers from
+different modules ('portal', 'web', 'base', 'website') with hard coded statements
+that check if user is part of the `base.group_user` or `share == False` group.
+
+.. warning::
+
+    Using this module and grant a user with `group_backend`'s group is
+    equivalent to grant `group_user`'s group everywhere `has_group`
+    has been used.
+
+.. IMPORTANT::
+   This is an alpha version, the data model and design can change at any time without warning.
+   Only for development or testing purpose, do not use in production.
+   `More details on development status <https://odoo-community.org/page/development-status>`_
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Configuration
+=============
+
+To allow `group_backend` to interact with a model you can either add access rules to the group
+or you can add `implied_ids` to `group_backend`.
+
+.. note::
+
+   Be aware users can only belong to one group from the user type category
+   (`base.module_category_user_type`). So your other groups can't inherit both
+   internal users and backend users.
+
+Usage
+=====
+
+To use this module, you need to:
+
+#. Go to Configuration / Users / Users, choose a user and set the user type.
+
+You get a users that is only able to access to the Odoo backend which you
+can attach other groups that not implies other kind of users (`portal`,
+`internal users`)
+
+.. figure:: https://raw.githubusercontent.com/OCA/server-backend/16.0/base_group_backend/static/description/backend_ui.png
+    :alt: Backend UI user
+
+Known issues / Roadmap
+======================
+
+Current module depends on `base_install_request` instead of `base`.
+
+We don't need `base_install_request` auto install module but we must override it to set a security group on `App` menu.
+
+This dependency should be remove if possible in future versions.
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-backend/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+`feedback <https://github.com/OCA/server-backend/issues/new?body=module:%20base_group_backend%0Aversion:%2016.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Authors
+~~~~~~~
+
+* Pierre Verkest
+
+Contributors
+~~~~~~~~~~~~
+
+* Pierre Verkest <pierreverkest84@gmail.com>
+* François Poizat <francois.poizat@gmail.com>
+
+Do not contact contributors directly about support or help with technical issues.
+
+Maintainers
+~~~~~~~~~~~
+
+This module is maintained by the OCA.
+
+.. image:: https://odoo-community.org/logo.png
+   :alt: Odoo Community Association
+   :target: https://odoo-community.org
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+.. |maintainer-FranzPoize| image:: https://github.com/FranzPoize.png?size=40px
+    :target: https://github.com/FranzPoize
+    :alt: FranzPoize
+.. |maintainer-bealdav| image:: https://github.com/bealdav.png?size=40px
+    :target: https://github.com/bealdav
+    :alt: bealdav
+
+Current `maintainers <https://odoo-community.org/page/maintainer-role>`__:
+
+|maintainer-FranzPoize| |maintainer-bealdav| 
+
+This module is part of the `OCA/server-backend <https://github.com/OCA/server-backend/tree/16.0/base_group_backend>`_ project on GitHub.
+
+You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.

base_group_backend/__init__.py

@@ -0,0 +1,2 @@
+from . import models
+from . import demo

base_group_backend/__manifest__.py

@@ -0,0 +1,30 @@
+# Copyright 2021 Pierre Verkest <pierreverkest84@gmail.com>
+# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
+{
+    "name": "Group backend",
+    "version": "16.0.1.0.0",
+    "development_status": "Alpha",
+    "category": "Tools",
+    "author": "Pierre Verkest, Odoo Community Association (OCA)",
+    "license": "LGPL-3",
+    "website": "https://github.com/OCA/server-backend",
+    "depends": [
+        "base",
+        "base_install_request",  # weird module, we need to survive with it
+        "mail",
+    ],
+    "maintainers": ["FranzPoize", "bealdav"],
+    "demo": [
+        "demo/test-model.xml",
+        "demo/ir.model.access.csv",
+        "demo/backend_dummy_model.xml",
+        "demo/res_partners.xml",
+        "demo/res_users.xml",
+    ],
+    "data": [
+        "data/res_groups.xml",
+        "data/ir_ui_menu.xml",
+        "security/ir.model.access.csv",
+    ],
+    "installable": True,
+}

base_group_backend/data/ir_ui_menu.xml

@@ -0,0 +1,8 @@
+<odoo>
+
+    <record model="ir.ui.menu" id="base.menu_management">
+        <!-- Allow to avoid to display App menu for backend users  -->
+        <field name="groups_id" eval="[(4, ref('base.group_user'), 0)]" />
+    </record>
+
+</odoo>

base_group_backend/data/res_groups.xml

@@ -0,0 +1,43 @@
+<odoo>
+
+    <record model="res.groups" id="base_group_backend">
+        <field name="name">Backend user</field>
+        <field name="category_id" ref="base.module_category_user_type" />
+        <field name="comment">
+            This group is used to gives user backend access.
+
+            While users in `base.group_user` gets a lot of default access
+            which makes hard to define properly records/rules/menu access.
+
+            So for maintainability you shouldn't linked any access right, rules,
+            menu, and so on to this group directly.
+
+            The only intent of this groups is to be able to get a session
+            to Odoo backend (`/web`).
+        </field>
+    </record>
+
+    <record model="res.groups" id="group_backend_ui_users">
+        <field name="name">Backend UI user</field>
+        <field name="category_id" ref="base.module_category_user_type" />
+        <field name="comment">
+            This group is used to gives user basic ui access.
+        </field>
+        <field
+            name="rule_groups"
+            eval="[
+                (6, 0,[
+                    ref('base.ir_default_user_rule'),
+                    ref('base.ir_filters_delete_own_rule'),
+                    ref('base.ir_filters_employee_rule'),
+                    ref('base.res_company_rule_employee'),
+                    ref('mail.ir_rule_mail_notifications_group_user'),
+                    ref('mail.ir_rule_mail_channel_member_group_user'),
+                    ref('mail.mail_activity_rule_user'),
+                    ref('mail.mail_channel_rule'),
+                ]),
+            ]"
+        />
+    </record>
+
+</odoo>

base_group_backend/demo/__init__.py

@@ -0,0 +1,4 @@
+from odoo.tools import config
+
+if not config["without_demo"]:
+    from . import backend_dummy_model

base_group_backend/demo/backend_dummy_model.py

@@ -0,0 +1,15 @@
+from odoo import fields, models
+
+
+class BackendDummyModel(models.Model):
+    _name = "backend.dummy.model"
+    _description = "Backend Dummy Model demo"
+
+    my_value = fields.Char(name="Value", required=True)
+    my_other_value = fields.Char(name="Other value", required=True)
+    date_start = fields.Datetime(
+        name="Date start", required=True, default=fields.Datetime.now
+    )
+    date_stop = fields.Datetime(
+        name="Date stop", required=True, default=fields.Datetime.now
+    )

base_group_backend/demo/backend_dummy_model.xml

@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<odoo noupdate="1">
+    <record id="backend_dummy_model_tree_view" model="ir.ui.view">
+        <field name="name">Backend dummy tree view</field>
+        <field name="model">backend.dummy.model</field>
+        <field name="arch" type="xml">
+            <tree create="false" delete="false">
+                <field name="my_value" />
+                <field name="my_other_value" groups="base.group_user" />
+            </tree>
+        </field>
+    </record>
+
+    <record id="action_dummy_list" model="ir.actions.act_window">
+        <field name="name">Dummies</field>
+        <field name="type">ir.actions.act_window</field>
+        <field name="res_model">backend.dummy.model</field>
+        <field name="view_mode">tree,form,kanban,calendar,pivot,graph,activity</field>
+        <field name="view_id" ref="backend_dummy_model_tree_view" />
+    </record>
+
+    <menuitem
+        id="menu_dummy_root"
+        name="Dummy"
+        sequence="100"
+        groups="group_backend_ui_users,base.group_user"
+    />
+    <menuitem
+        id="menu_dummy_menu"
+        name="Dummy"
+        sequence="10"
+        groups="group_backend_ui_users,base.group_user"
+        parent="menu_dummy_root"
+    />
+    <menuitem
+        id="menu_dummy_list"
+        name="Dummy list"
+        sequence="100"
+        groups="group_backend_ui_users,base.group_user"
+        parent="menu_dummy_root"
+        action="action_dummy_list"
+    />
+
+</odoo>

base_group_backend/demo/ir.model.access.csv

@@ -0,0 +1,3 @@
+"id","name","model_id:id","group_id:id","perm_read","perm_write","perm_create","perm_unlink"
+"backend_dummy_models","backend dummy.model","model_backend_dummy_model",group_backend_ui_users,1,0,0,0
+"backend_dummy_models_user_grp","backend dummy.model user grp","model_backend_dummy_model",base.group_user,1,0,0,0

base_group_backend/demo/res_partners.xml

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<odoo noupdate="1">
+    <record id="demo_partner" model="res.partner">
+        <field name="name">Demo partner backend</field>
+    </record>
+    <record id="demo_partner1" model="res.partner">
+        <field name="name">Demo partner backend 1</field>
+    </record>
+    <record id="demo_partner2" model="res.partner">
+        <field name="name">Demo partner backend 2</field>
+    </record>
+</odoo>

base_group_backend/demo/res_users.xml

@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<odoo noupdate="1">
+    <record id="user_demo" model="res.users">
+        <field name="login">demo backend user</field>
+        <field name="groups_id" eval="[Command.set([ref('base.group_user')])]" />
+        <field name="partner_id" ref="base_group_backend.demo_partner" />
+    </record>
+    <record id="user_demo_external" model="res.users">
+        <field name="login">demo backend user 1</field>
+        <field name="groups_id" eval="[Command.set([ref('base.group_portal')])]" />
+        <field name="partner_id" ref="base_group_backend.demo_partner1" />
+    </record>
+    <record id="user_demo_external_with_ui" model="res.users">
+        <field name="login">demo backend user 2</field>
+        <field
+            name="groups_id"
+            eval="[Command.set([ref('base_group_backend.group_backend_ui_users')])]"
+        />
+        <field name="partner_id" ref="base_group_backend.demo_partner2" />
+    </record>
+</odoo>

base_group_backend/demo/test-model.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<odoo noupdate="1">
+    <record model="backend.dummy.model" id="dummy_model_1">
+        <field name="my_value">hello</field>
+        <field name="my_other_value">hello</field>
+    </record>
+</odoo>

base_group_backend/models/__init__.py

@@ -0,0 +1 @@
+from . import res_users

base_group_backend/models/res_users.py

@@ -0,0 +1,50 @@
+import logging
+
+from odoo import api, models
+
+_logger = logging.getLogger(__name__)
+
+
+class Users(models.Model):
+    _inherit = "res.users"
+
+    @api.model
+    def has_group(self, group_ext_id):
+        """While ensuring a user is part of `base.group_user` this code will
+        try if user is in the `base_group_backend.group_backend` group to let access
+        to the odoo backend.
+
+        This code avoid to overwrite a lot of places in controllers from
+        different modules ('portal', 'web', 'base') with hardcoded statement
+        that check if user is part of `base.group_user` group.
+
+        As far `base.group_user` have a lot of default permission this
+        makes hard to maintain proper access right according your business.
+        """
+        res = super().has_group(group_ext_id)
+        if not res and (group_ext_id == "base.group_user"):
+            has_base_group_backend = super().has_group(
+                "base_group_backend.base_group_backend"
+            ) or super().has_group("base_group_backend.group_backend_ui_users")
+            if has_base_group_backend:
+                _logger.warning(
+                    "Forcing has_group to return True"
+                    + " for group_backend and base_group_backend_ui_users"
+                )
+            return has_base_group_backend
+        return res
+
+    @api.depends("groups_id")
+    def _compute_share(self):
+        res = super()._compute_share()
+        backend_user_group_id = self.env["ir.model.data"]._xmlid_to_res_id(
+            "base_group_backend.base_group_backend"
+        )
+        backend_ui_user_group_id = self.env["ir.model.data"]._xmlid_to_res_id(
+            "base_group_backend.group_backend_ui_users"
+        )
+        internal_users = self.filtered_domain(
+            [("groups_id", "in", [backend_user_group_id, backend_ui_user_group_id])]
+        )
+        internal_users.share = False
+        return res

base_group_backend/readme/CONFIGURE.rst

@@ -0,0 +1,8 @@
+To allow `group_backend` to interact with a model you can either add access rules to the group
+or you can add `implied_ids` to `group_backend`.
+
+.. note::
+
+   Be aware users can only belong to one group from the user type category
+   (`base.module_category_user_type`). So your other groups can't inherit both
+   internal users and backend users.

base_group_backend/readme/CONTRIBUTORS.rst

@@ -0,0 +1,4 @@
+* Pierre Verkest <pierreverkest84@gmail.com>
+* François Poizat <francois.poizat@gmail.com>
+
+Do not contact contributors directly about support or help with technical issues.

base_group_backend/readme/DESCRIPTION.rst

@@ -0,0 +1,52 @@
+This module was written to extend the standard functionality regarding users
+and groups management by adding a new `Backend user` group that only gives access
+to odoo backend (`/web`):
+
+* minimal default access:
+  * users and partners (this is necessary to access your own data)
+  * mail activity, notification and channel
+  * presence
+* minimal default menu
+  * notification
+  * activities
+* minimal default access rules
+
+The problem with the `Internal user` is when you want to gives access to the
+backend to a really thin part of your business to some users, it's quite hard
+to properly maintain those roles over the project life, a lot of models use
+that group (`base.group_user`) by default which makes hard to maintains.
+
+So that helps creating well-defined user groups with more controls.
+
+This modules does 3 things:
+* It hijack the has_group method of res.users by returning True for group_backend users when the requested group is group_user (The need for this needs to be investigated)
+* It sets the res_users.share to False for group_backend users. This allows those users to access the backend.
+* It sets the bare minimum permission in the ir.model.access.csv to display the backend
+
+We suggest to use this module with its compagnon `base_user_role`
+
+
+Here is an example where a backend ui user can only access and use the dummy app. No other application are available to this user. You may define your own application instead of the dummy one.
+
+.. figure:: ../static/description/dummy_app.png
+    :alt: Dummy app for demo
+
+
+
+Limitations
+~~~~~~~~~~~
+
+At the time of writing, Odoo uses `res.users.share == False` to give the
+backend access.
+However to be able to access the backend without any errors some basic rights are necessary.
+This module change the way `res.users.share` is computed to allow `group_backend users` to use the backend.
+
+This avoids to write a lot of overwrite in different controllers from
+different modules ('portal', 'web', 'base', 'website') with hard coded statements
+that check if user is part of the `base.group_user` or `share == False` group.
+
+.. warning::
+
+    Using this module and grant a user with `group_backend`'s group is
+    equivalent to grant `group_user`'s group everywhere `has_group`
+    has been used.

base_group_backend/readme/ROADMAP.rst

@@ -0,0 +1,5 @@
+Current module depends on `base_install_request` instead of `base`.
+
+We don't need `base_install_request` auto install module but we must override it to set a security group on `App` menu.
+
+This dependency should be remove if possible in future versions.

base_group_backend/readme/USAGE.rst

@@ -0,0 +1,10 @@
+To use this module, you need to:
+
+#. Go to Configuration / Users / Users, choose a user and set the user type.
+
+You get a users that is only able to access to the Odoo backend which you
+can attach other groups that not implies other kind of users (`portal`,
+`internal users`)
+
+.. figure:: ../static/description/backend_ui.png
+    :alt: Backend UI user

base_group_backend/security/ir.model.access.csv

@@ -0,0 +1,33 @@
+id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
+backend_ui_users_ir_default,backend_ui_users_ir_default,base.model_ir_default,group_backend_ui_users,1,1,1,1
+backend_ui_users_ir_filters,backend_ui_users_ir_filters,base.model_ir_filters,group_backend_ui_users,1,1,1,1
+backend_ui_users_ir_model,backend_ui_users_ir_model,base.model_ir_model,group_backend_ui_users,1,0,0,0
+backend_ui_users_ir_model_fields,backend_ui_users_ir_model_fields,base.model_ir_model_fields,group_backend_ui_users,1,0,0,0
+backend_ui_users_ir_model_data,backend_ui_users_ir_model_data,base.model_ir_model_data,group_backend_ui_users,1,0,1,0
+backend_ui_users_ir_model_fields_selection,backend_ui_users_ir_model_fields_selection,base.model_ir_model_fields_selection,group_backend_ui_users,1,0,0,0
+backend_ui_users_ir_sequence,backend_ui_users_ir_sequence,base.model_ir_sequence,group_backend_ui_users,1,0,0,0
+backend_ui_users_ir_sequence_date_range,backend_ui_users_ir_sequence_date_range,base.model_ir_sequence_date_range,group_backend_ui_users,1,0,0,0
+backend_ui_users_ir_ui_menu,backend_ui_users_ir_ui_menu,base.model_ir_ui_menu,group_backend_ui_users,1,0,0,0
+backend_ui_users_ir_attachment,backend_ui_users_ir_attachment,base.model_ir_attachment,group_backend_ui_users,1,0,1,0
+backend_ui_users_res_partner,backend_ui_users_res_partner,base.model_res_partner,group_backend_ui_users,1,0,0,0
+backend_ui_users_bus_presence,backend_ui_users_bus_presence,bus.model_bus_presence,group_backend_ui_users,1,1,1,1
+backend_ui_users_mail_channel_member_public,backend_ui_users_mail_channel_member,mail.model_mail_channel_member,group_backend_ui_users,1,1,1,0
+backend_ui_users_mail_channel_public,backend_ui_users_mail_channel_member,mail.model_mail_channel,group_backend_ui_users,1,1,1,0
+backend_ui_users_mail_activity,backend_ui_users_mail_activity,mail.model_mail_activity,group_backend_ui_users,1,1,1,1
+backend_ui_users_mail_activity_type,backend_ui_users_mail_activity_type,mail.model_mail_activity_type,group_backend_ui_users,1,0,0,0
+backend_ui_users_mail_followers,backend_ui_users_mail_followers,mail.model_mail_followers,group_backend_ui_users,1,0,0,0
+backend_ui_users_mail_mail,backend_ui_users_mail_mail,mail.model_mail_mail,group_backend_ui_users,0,0,0,0
+backend_ui_users_mail_compose_message,backend_ui_users_mail_compose_message,mail.model_mail_compose_message,group_backend_ui_users,1,1,1,0
+backend_ui_users_mail_wizard_invite,backend_ui_users_mail_wizard_invite,mail.model_mail_wizard_invite,group_backend_ui_users,1,1,1,0
+backend_ui_users_mail_template,backend_ui_users_mail_template,mail.model_mail_template,group_backend_ui_users,1,0,0,0
+backend_ui_users_mail_template_preview,backend_ui_users_mail_template_preview,mail.model_mail_template_preview,group_backend_ui_users,1,0,0,0
+backend_ui_users_mail_message,backend_ui_users_mail_message,mail.model_mail_message,group_backend_ui_users,1,1,1,0
+backend_ui_users_mail_resend_message,backend_ui_users_mail_resend_message,mail.model_mail_resend_message,group_backend_ui_users,1,1,1,0
+backend_ui_users_mail_notification,backend_ui_users_mail_notification,mail.model_mail_notification,group_backend_ui_users,1,1,1,1
+backend_ui_users_mail_alias,backend_ui_users_mail_alias,mail.model_mail_alias,group_backend_ui_users,1,0,0,0
+backend_ui_users_res_groups,backend_ui_users_res_groups,base.model_res_groups,group_backend_ui_users,1,0,0,0
+backend_ui_users_res_partner_category,backend_ui_users_res_partner_category,base.model_res_partner_category,group_backend_ui_users,1,0,0,0
+backend_ui_users_res_partner_industry,backend_ui_users_res_partner_industry,base.model_res_partner_industry,group_backend_ui_users,1,0,0,0
+backend_ui_users_res_users_identitycheck,backend_ui_users_res_users_identitycheck,base.model_res_users_identitycheck,group_backend_ui_users,1,1,1,0
+backend_ui_users_res_bank,backend_ui_users_res_bank,base.model_res_bank,group_backend_ui_users,1,0,0,0
+backend_ui_users_res_partner_bank,backend_ui_users_res_partner_bank,base.model_res_partner_bank,group_backend_ui_users,1,0,0,0

base_group_backend/static/description/index.html

@@ -0,0 +1,501 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+<meta name="generator" content="Docutils: https://docutils.sourceforge.io/" />
+<title>Group backend</title>
+<style type="text/css">
+
+/*
+:Author: David Goodger (goodger@python.org)
+:Id: $Id: html4css1.css 8954 2022-01-20 10:10:25Z milde $
+:Copyright: This stylesheet has been placed in the public domain.
+
+Default cascading style sheet for the HTML output of Docutils.
+
+See https://docutils.sourceforge.io/docs/howto/html-stylesheets.html for how to
+customize this style sheet.
+*/
+
+/* used to remove borders from tables and images */
+.borderless, table.borderless td, table.borderless th {
+  border: 0 }
+
+table.borderless td, table.borderless th {
+  /* Override padding for "table.docutils td" with "! important".
+     The right padding separates the table cells. */
+  padding: 0 0.5em 0 0 ! important }
+
+.first {
+  /* Override more specific margin styles with "! important". */
+  margin-top: 0 ! important }
+
+.last, .with-subtitle {
+  margin-bottom: 0 ! important }
+
+.hidden {
+  display: none }
+
+.subscript {
+  vertical-align: sub;
+  font-size: smaller }
+
+.superscript {
+  vertical-align: super;
+  font-size: smaller }
+
+a.toc-backref {
+  text-decoration: none ;
+  color: black }
+
+blockquote.epigraph {
+  margin: 2em 5em ; }
+
+dl.docutils dd {
+  margin-bottom: 0.5em }
+
+object[type="image/svg+xml"], object[type="application/x-shockwave-flash"] {
+  overflow: hidden;
+}
+
+/* Uncomment (and remove this text!) to get bold-faced definition list terms
+dl.docutils dt {
+  font-weight: bold }
+*/
+
+div.abstract {
+  margin: 2em 5em }
+
+div.abstract p.topic-title {
+  font-weight: bold ;
+  text-align: center }
+
+div.admonition, div.attention, div.caution, div.danger, div.error,
+div.hint, div.important, div.note, div.tip, div.warning {
+  margin: 2em ;
+  border: medium outset ;
+  padding: 1em }
+
+div.admonition p.admonition-title, div.hint p.admonition-title,
+div.important p.admonition-title, div.note p.admonition-title,
+div.tip p.admonition-title {
+  font-weight: bold ;
+  font-family: sans-serif }
+
+div.attention p.admonition-title, div.caution p.admonition-title,
+div.danger p.admonition-title, div.error p.admonition-title,
+div.warning p.admonition-title, .code .error {
+  color: red ;
+  font-weight: bold ;
+  font-family: sans-serif }
+
+/* Uncomment (and remove this text!) to get reduced vertical space in
+   compound paragraphs.
+div.compound .compound-first, div.compound .compound-middle {
+  margin-bottom: 0.5em }
+
+div.compound .compound-last, div.compound .compound-middle {
+  margin-top: 0.5em }
+*/
+
+div.dedication {
+  margin: 2em 5em ;
+  text-align: center ;
+  font-style: italic }
+
+div.dedication p.topic-title {
+  font-weight: bold ;
+  font-style: normal }
+
+div.figure {
+  margin-left: 2em ;
+  margin-right: 2em }
+
+div.footer, div.header {
+  clear: both;
+  font-size: smaller }
+
+div.line-block {
+  display: block ;
+  margin-top: 1em ;
+  margin-bottom: 1em }
+
+div.line-block div.line-block {
+  margin-top: 0 ;
+  margin-bottom: 0 ;
+  margin-left: 1.5em }
+
+div.sidebar {
+  margin: 0 0 0.5em 1em ;
+  border: medium outset ;
+  padding: 1em ;
+  background-color: #ffffee ;
+  width: 40% ;
+  float: right ;
+  clear: right }
+
+div.sidebar p.rubric {
+  font-family: sans-serif ;
+  font-size: medium }
+
+div.system-messages {
+  margin: 5em }
+
+div.system-messages h1 {
+  color: red }
+
+div.system-message {
+  border: medium outset ;
+  padding: 1em }
+
+div.system-message p.system-message-title {
+  color: red ;
+  font-weight: bold }
+
+div.topic {
+  margin: 2em }
+
+h1.section-subtitle, h2.section-subtitle, h3.section-subtitle,
+h4.section-subtitle, h5.section-subtitle, h6.section-subtitle {
+  margin-top: 0.4em }
+
+h1.title {
+  text-align: center }
+
+h2.subtitle {
+  text-align: center }
+
+hr.docutils {
+  width: 75% }
+
+img.align-left, .figure.align-left, object.align-left, table.align-left {
+  clear: left ;
+  float: left ;
+  margin-right: 1em }
+
+img.align-right, .figure.align-right, object.align-right, table.align-right {
+  clear: right ;
+  float: right ;
+  margin-left: 1em }
+
+img.align-center, .figure.align-center, object.align-center {
+  display: block;
+  margin-left: auto;
+  margin-right: auto;
+}
+
+table.align-center {
+  margin-left: auto;
+  margin-right: auto;
+}
+
+.align-left {
+  text-align: left }
+
+.align-center {
+  clear: both ;
+  text-align: center }
+
+.align-right {
+  text-align: right }
+
+/* reset inner alignment in figures */
+div.align-right {
+  text-align: inherit }
+
+/* div.align-center * { */
+/*   text-align: left } */
+
+.align-top    {
+  vertical-align: top }
+
+.align-middle {
+  vertical-align: middle }
+
+.align-bottom {
+  vertical-align: bottom }
+
+ol.simple, ul.simple {
+  margin-bottom: 1em }
+
+ol.arabic {
+  list-style: decimal }
+
+ol.loweralpha {
+  list-style: lower-alpha }
+
+ol.upperalpha {
+  list-style: upper-alpha }
+
+ol.lowerroman {
+  list-style: lower-roman }
+
+ol.upperroman {
+  list-style: upper-roman }
+
+p.attribution {
+  text-align: right ;
+  margin-left: 50% }
+
+p.caption {
+  font-style: italic }
+
+p.credits {
+  font-style: italic ;
+  font-size: smaller }
+
+p.label {
+  white-space: nowrap }
+
+p.rubric {
+  font-weight: bold ;
+  font-size: larger ;
+  color: maroon ;
+  text-align: center }
+
+p.sidebar-title {
+  font-family: sans-serif ;
+  font-weight: bold ;
+  font-size: larger }
+
+p.sidebar-subtitle {
+  font-family: sans-serif ;
+  font-weight: bold }
+
+p.topic-title {
+  font-weight: bold }
+
+pre.address {
+  margin-bottom: 0 ;
+  margin-top: 0 ;
+  font: inherit }
+
+pre.literal-block, pre.doctest-block, pre.math, pre.code {
+  margin-left: 2em ;
+  margin-right: 2em }
+
+pre.code .ln { color: grey; } /* line numbers */
+pre.code, code { background-color: #eeeeee }
+pre.code .comment, code .comment { color: #5C6576 }
+pre.code .keyword, code .keyword { color: #3B0D06; font-weight: bold }
+pre.code .literal.string, code .literal.string { color: #0C5404 }
+pre.code .name.builtin, code .name.builtin { color: #352B84 }
+pre.code .deleted, code .deleted { background-color: #DEB0A1}
+pre.code .inserted, code .inserted { background-color: #A3D289}
+
+span.classifier {
+  font-family: sans-serif ;
+  font-style: oblique }
+
+span.classifier-delimiter {
+  font-family: sans-serif ;
+  font-weight: bold }
+
+span.interpreted {
+  font-family: sans-serif }
+
+span.option {
+  white-space: nowrap }
+
+span.pre {
+  white-space: pre }
+
+span.problematic {
+  color: red }
+
+span.section-subtitle {
+  /* font-size relative to parent (h1..h6 element) */
+  font-size: 80% }
+
+table.citation {
+  border-left: solid 1px gray;
+  margin-left: 1px }
+
+table.docinfo {
+  margin: 2em 4em }
+
+table.docutils {
+  margin-top: 0.5em ;
+  margin-bottom: 0.5em }
+
+table.footnote {
+  border-left: solid 1px black;
+  margin-left: 1px }
+
+table.docutils td, table.docutils th,
+table.docinfo td, table.docinfo th {
+  padding-left: 0.5em ;
+  padding-right: 0.5em ;
+  vertical-align: top }
+
+table.docutils th.field-name, table.docinfo th.docinfo-name {
+  font-weight: bold ;
+  text-align: left ;
+  white-space: nowrap ;
+  padding-left: 0 }
+
+/* "booktabs" style (no vertical lines) */
+table.docutils.booktabs {
+  border: 0px;
+  border-top: 2px solid;
+  border-bottom: 2px solid;
+  border-collapse: collapse;
+}
+table.docutils.booktabs * {
+  border: 0px;
+}
+table.docutils.booktabs th {
+  border-bottom: thin solid;
+  text-align: left;
+}
+
+h1 tt.docutils, h2 tt.docutils, h3 tt.docutils,
+h4 tt.docutils, h5 tt.docutils, h6 tt.docutils {
+  font-size: 100% }
+
+ul.auto-toc {
+  list-style-type: none }
+
+</style>
+</head>
+<body>
+<div class="document" id="group-backend">
+<h1 class="title">Group backend</h1>
+
+<!-- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!! This file is generated by oca-gen-addon-readme !!
+!! changes will be overwritten.                   !!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!! source digest: sha256:879007f368a0b75ad5da7f5d3e3d1d6ae386da26d27df7fc4dec1a6865cf0233
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
+<p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Alpha" src="https://img.shields.io/badge/maturity-Alpha-red.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/lgpl-3.0-standalone.html"><img alt="License: LGPL-3" src="https://img.shields.io/badge/licence-LGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-backend/tree/16.0/base_group_backend"><img alt="OCA/server-backend" src="https://img.shields.io/badge/github-OCA%2Fserver--backend-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-backend-16-0/server-backend-16-0-base_group_backend"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-backend&amp;target_branch=16.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
+<p>This module was written to extend the standard functionality regarding users
+and groups management by adding a new <cite>Backend user</cite> group that only gives access
+to odoo backend (<cite>/web</cite>):</p>
+<ul class="simple">
+<li>minimal default access:
+* users and partners (this is necessary to access your own data)
+* mail activity, notification and channel
+* presence</li>
+<li>minimal default menu
+* notification
+* activities</li>
+<li>minimal default access rules</li>
+</ul>
+<p>The problem with the <cite>Internal user</cite> is when you want to gives access to the
+backend to a really thin part of your business to some users, it’s quite hard
+to properly maintain those roles over the project life, a lot of models use
+that group (<cite>base.group_user</cite>) by default which makes hard to maintains.</p>
+<p>So that helps creating well-defined user groups with more controls.</p>
+<p>This modules does 3 things:
+* It hijack the has_group method of res.users by returning True for group_backend users when the requested group is group_user (The need for this needs to be investigated)
+* It sets the res_users.share to False for group_backend users. This allows those users to access the backend.
+* It sets the bare minimum permission in the ir.model.access.csv to display the backend</p>
+<p>We suggest to use this module with its compagnon <cite>base_user_role</cite></p>
+<p>Here is an example where a backend ui user can only access and use the dummy app. No other application are available to this user. You may define your own application instead of the dummy one.</p>
+<div class="figure">
+<img alt="Dummy app for demo" src="https://raw.githubusercontent.com/OCA/server-backend/16.0/base_group_backend/static/description/dummy_app.png" />
+</div>
+<div class="section" id="limitations">
+<h1>Limitations</h1>
+<p>At the time of writing, Odoo uses <cite>res.users.share == False</cite> to give the
+backend access.
+However to be able to access the backend without any errors some basic rights are necessary.
+This module change the way <cite>res.users.share</cite> is computed to allow <cite>group_backend users</cite> to use the backend.</p>
+<p>This avoids to write a lot of overwrite in different controllers from
+different modules (‘portal’, ‘web’, ‘base’, ‘website’) with hard coded statements
+that check if user is part of the <cite>base.group_user</cite> or <cite>share == False</cite> group.</p>
+<div class="admonition warning">
+<p class="first admonition-title">Warning</p>
+<p class="last">Using this module and grant a user with <cite>group_backend</cite>’s group is
+equivalent to grant <cite>group_user</cite>’s group everywhere <cite>has_group</cite>
+has been used.</p>
+</div>
+<div class="admonition important">
+<p class="first admonition-title">Important</p>
+<p class="last">This is an alpha version, the data model and design can change at any time without warning.
+Only for development or testing purpose, do not use in production.
+<a class="reference external" href="https://odoo-community.org/page/development-status">More details on development status</a></p>
+</div>
+<p><strong>Table of contents</strong></p>
+<div class="contents local topic" id="contents">
+<ul class="simple">
+<li><a class="reference internal" href="#configuration" id="toc-entry-1">Configuration</a></li>
+<li><a class="reference internal" href="#usage" id="toc-entry-2">Usage</a></li>
+<li><a class="reference internal" href="#known-issues-roadmap" id="toc-entry-3">Known issues / Roadmap</a></li>
+<li><a class="reference internal" href="#bug-tracker" id="toc-entry-4">Bug Tracker</a></li>
+<li><a class="reference internal" href="#credits" id="toc-entry-5">Credits</a></li>
+</ul>
+</div>
+<div class="section" id="configuration">
+<h2><a class="toc-backref" href="#toc-entry-1">Configuration</a></h2>
+<p>To allow <cite>group_backend</cite> to interact with a model you can either add access rules to the group
+or you can add <cite>implied_ids</cite> to <cite>group_backend</cite>.</p>
+<div class="admonition note">
+<p class="first admonition-title">Note</p>
+<p class="last">Be aware users can only belong to one group from the user type category
+(<cite>base.module_category_user_type</cite>). So your other groups can’t inherit both
+internal users and backend users.</p>
+</div>
+</div>
+<div class="section" id="usage">
+<h2><a class="toc-backref" href="#toc-entry-2">Usage</a></h2>
+<p>To use this module, you need to:</p>
+<ol class="arabic simple">
+<li>Go to Configuration / Users / Users, choose a user and set the user type.</li>
+</ol>
+<p>You get a users that is only able to access to the Odoo backend which you
+can attach other groups that not implies other kind of users (<cite>portal</cite>,
+<cite>internal users</cite>)</p>
+<div class="figure">
+<img alt="Backend UI user" src="https://raw.githubusercontent.com/OCA/server-backend/16.0/base_group_backend/static/description/backend_ui.png" />
+</div>
+</div>
+<div class="section" id="known-issues-roadmap">
+<h2><a class="toc-backref" href="#toc-entry-3">Known issues / Roadmap</a></h2>
+<p>Current module depends on <cite>base_install_request</cite> instead of <cite>base</cite>.</p>
+<p>We don’t need <cite>base_install_request</cite> auto install module but we must override it to set a security group on <cite>App</cite> menu.</p>
+<p>This dependency should be remove if possible in future versions.</p>
+</div>
+<div class="section" id="bug-tracker">
+<h2><a class="toc-backref" href="#toc-entry-4">Bug Tracker</a></h2>
+<p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/server-backend/issues">GitHub Issues</a>.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+<a class="reference external" href="https://github.com/OCA/server-backend/issues/new?body=module:%20base_group_backend%0Aversion:%2016.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
+<p>Do not contact contributors directly about support or help with technical issues.</p>
+</div>
+<div class="section" id="credits">
+<h2><a class="toc-backref" href="#toc-entry-5">Credits</a></h2>
+</div>
+</div>
+<div class="section" id="authors">
+<h1>Authors</h1>
+<ul class="simple">
+<li>Pierre Verkest</li>
+</ul>
+</div>
+<div class="section" id="contributors">
+<h1>Contributors</h1>
+<ul class="simple">
+<li>Pierre Verkest &lt;<a class="reference external" href="mailto:pierreverkest84&#64;gmail.com">pierreverkest84&#64;gmail.com</a>&gt;</li>
+<li>François Poizat &lt;<a class="reference external" href="mailto:francois.poizat&#64;gmail.com">francois.poizat&#64;gmail.com</a>&gt;</li>
+</ul>
+<p>Do not contact contributors directly about support or help with technical issues.</p>
+</div>
+<div class="section" id="maintainers">
+<h1>Maintainers</h1>
+<p>This module is maintained by the OCA.</p>
+<a class="reference external image-reference" href="https://odoo-community.org"><img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" /></a>
+<p>OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.</p>
+<p>Current <a class="reference external" href="https://odoo-community.org/page/maintainer-role">maintainers</a>:</p>
+<p><a class="reference external image-reference" href="https://github.com/FranzPoize"><img alt="FranzPoize" src="https://github.com/FranzPoize.png?size=40px" /></a> <a class="reference external image-reference" href="https://github.com/bealdav"><img alt="bealdav" src="https://github.com/bealdav.png?size=40px" /></a></p>
+<p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-backend/tree/16.0/base_group_backend">OCA/server-backend</a> project on GitHub.</p>
+<p>You are welcome to contribute. To learn how please visit <a class="reference external" href="https://odoo-community.org/page/Contribute">https://odoo-community.org/page/Contribute</a>.</p>
+</div>
+</div>
+</body>
+</html>

base_group_backend/tests/__init__.py

@@ -0,0 +1 @@
+from . import test_module

base_group_backend/tests/test_module.py

@@ -0,0 +1,31 @@
+from odoo import Command
+from odoo.tests.common import TransactionCase
+
+
+class TestResUsers(TransactionCase):
+    @classmethod
+    def setUpClass(cls):
+        super().setUpClass()
+        cls.base_group_backend = cls.env.ref("base_group_backend.base_group_backend")
+        cls.internal_user = cls.env.ref("base.user_demo")
+        cls.portal_user = cls.env.ref("base_group_backend.user_demo_external")
+        cls.portal_ui_user = cls.env.ref(
+            "base_group_backend.user_demo_external_with_ui"
+        )
+
+    def test_has_groups(self):
+        self.assertTrue(self.internal_user.has_group("base.group_user"))
+        self.assertFalse(self.portal_user.has_group("base.group_user"))
+        self.assertTrue(self.portal_ui_user.has_group("base.group_user"))
+        self.portal_user.write(
+            {"groups_id": [Command.set([self.base_group_backend.id])]}
+        )
+        self.assertTrue(self.portal_user.has_group("base.group_user"))
+
+    def test_share(self):
+        self.assertTrue(self.portal_user.share)
+        self.portal_user.write(
+            {"groups_id": [Command.set([self.base_group_backend.id])]}
+        )
+        self.assertFalse(self.portal_user.share)
+        self.assertFalse(self.portal_ui_user.share)

setup/base_group_backend/odoo/addons/base_group_backend

@@ -0,0 +1 @@
+../../../../base_group_backend

setup/base_group_backend/setup.py

@@ -0,0 +1,6 @@
+import setuptools
+
+setuptools.setup(
+    setup_requires=['setuptools-odoo'],
+    odoo_addon=True,
+)