[FIX] Browse mrp.bom as current user

sudo is not required since mrp.bom are readable to groups with access to the qty_x fields on a product. Moreover using sudo to retrive the bom will ignore the company_id defined on the bom
2025-01-21 14:27:28 +02:00 · 2015-11-18 18:23:32 +01:00
parent e13f22c1ca
commit 92de1c7455
4 changed files with 72 additions and 4 deletions
--- a/stock_available_mrp/README.rst
+++ b/stock_available_mrp/README.rst
@@ -65,6 +65,7 @@ Contributors
 * Loïc Bellier (Numérigraphe) <lb@numerigraphe.com>
 * Lionel Sausin (Numérigraphe) <ls@numerigraphe.com>
 * many thanks to Graeme Gellatly for his advice and code review
+* Laurent Mignon <laurent.mignon@acsone.eu>

 Maintainer
 ----------
--- a/stock_available_mrp/openerp.py
+++ b/stock_available_mrp/openerp.py
@@ -4,9 +4,13 @@
 {
    'name': 'Consider the production potential is available to promise',
    'version': '8.0.3.0.0',
-    "author": u"Numérigraphe,Odoo Community Association (OCA)",
+    "author": u"Numérigraphe,"
+              u"Odoo Community Association (OCA)",
    'category': 'Hidden',
-    'depends': ['stock_available', 'mrp'],
+    'depends': [
+        'stock_available',
+        'mrp'
+    ],
    'data': [
        'views/product_template_view.xml',
    ],
--- a/stock_available_mrp/models/product_product.py
+++ b/stock_available_mrp/models/product_product.py
@@ -32,8 +32,7 @@ class ProductProduct(models.Model):
    @api.multi
    def _get_potential_qty(self):
        """Compute the potential qty based on the available components."""
-        # Browse the BOMs as superuser to bypass access rights
-        bom_obj = self.env['mrp.bom'].sudo()
+        bom_obj = self.env['mrp.bom']

        for product in self:
            bom_id = bom_obj._bom_find(product_id=product.id)
--- a/stock_available_mrp/tests/test_potential_qty.py
+++ b/stock_available_mrp/tests/test_potential_qty.py
@@ -3,6 +3,7 @@
 # License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).

 from openerp.tests.common import TransactionCase
+from openerp.osv.expression import TRUE_LEAF


 class TestPotentialQty(TransactionCase):
@@ -72,6 +73,69 @@ class TestPotentialQty(TransactionCase):
            self.product_wo_bom, 0.0,
            "The potential without a BoM should be 0")

+    def test_potential_qty_no_bom_for_company(self):
+        # Receive 1000x CPUa8s
+        inventory = self.env['stock.inventory'].create(
+            {'name': 'Receive CPUa8',
+             'location_id': self.wh_ch.lot_stock_id.id,
+             'filter': 'none'})
+        inventory.prepare_inventory()
+        self.env['stock.inventory.line'].create({
+            'inventory_id': inventory.id,
+            'product_id': self.ref('product.product_product_23'),
+            'location_id': self.wh_ch.lot_stock_id.id,
+            'product_qty': 1000.0})
+        inventory.action_done()
+
+        # Receive enough RAM-SR3 to make 1000x the 1st variant in main WH
+        inventory = self.env['stock.inventory'].create(
+            {'name': 'components for 1st variant',
+             'location_id': self.wh_ch.lot_stock_id.id,
+             'filter': 'none'})
+        inventory.prepare_inventory()
+        self.env['stock.inventory.line'].create({
+            'inventory_id': inventory.id,
+            'product_id': self.ref('product.product_product_15'),
+            'location_id': self.wh_ch.lot_stock_id.id,
+            'product_qty': 1000.0})
+        inventory.action_done()
+        self.assertPotentialQty(
+            self.tmpl, 1000.0,
+            "Wrong template potential after receiving components")
+
+        test_user = self.env['res.users'].create({
+            'name': 'test_demo',
+            'login': 'test_demo',
+            'company_id': self.ref('base.main_company'),
+            'company_ids': [(4, self.ref('base.main_company'))],
+            'groups_id': [(4, self.ref('stock.group_stock_user'))]})
+
+        bom = self.env['mrp.bom'].search(
+            [('product_tmpl_id', '=', self.tmpl.id)])
+
+        test_user_tmpl = self.tmpl.sudo(test_user)
+        self.assertPotentialQty(
+            test_user_tmpl, 1000.0,
+            "Simple user can access to the potential_qty")
+
+        # set the bom on the main company (visible to members of the main comp
+        # and all products without company (visible to all)
+        # and the demo user on Chicago (child of main company)
+        self.env['product.product'].search([
+            TRUE_LEAF]).write({'company_id': False})
+        chicago_id = self.ref('stock.res_company_1')
+        test_user.write({'company_id': chicago_id,
+                         'company_ids': [(4, chicago_id)]})
+        test_user = test_user.sudo(test_user)
+        bom.company_id = self.ref('base.main_company')
+        self.assertPotentialQty(
+            test_user_tmpl, 0,
+            "The bom should not be visible to non members of the bom's "
+            "company or company child of the bom's company")
+        bom.company_id = chicago_id
+        self.assertPotentialQty(
+            test_user_tmpl, 1000.0, '')
+
    def test_potential_qty(self):
        for i in [self.tmpl, self.var1, self.var2]:
            self.assertPotentialQty(