def write(self, cr, uid, ids, vals, context=None):
employee_id = vals.get('employee_id', False)
if not self._check_state_access_right(cr, uid, vals, context):
raise AccessError(_('You cannot set a leave request as \'%s\'. Contact a human resource manager.') % vals.get('state'))
hr_holiday_id = super(hr_holidays, self).write(cr, uid, ids, vals, context=context)
self.add_follower(cr, uid, ids, employee_id, context=context)
return hr_holiday_id
def set_sale_defaults(self):
self.ensure_one()
if not self.env.user._is_admin():
raise AccessError(_("Only administrators can change the settings"))
default_picking_policy = 'one' if self.default_picking_policy else 'direct'
self.env['ir.values'].sudo().set_default('sale.order',
'picking_policy',
default_picking_policy)
res = super(SaleConfiguration, self).set_sale_defaults()
return res
def check(self, cr, uid, ids, mode, context=None, values=None):
"""Restricts the access to an ir.attachment, according to referred model
In the 'document' module, it is overriden to relax this hard rule, since
more complex ones apply there.
"""
res_ids = {}
require_employee = False
if ids:
if isinstance(ids, (int, long)):
ids = [ids]
cr.execute(
'SELECT res_model, res_id, create_uid, public FROM ir_attachment WHERE id = ANY (%s)',
(ids, ))
for rmod, rid, create_uid, public in cr.fetchall():
if public and mode == 'read':
continue
if not (rmod and rid):
if create_uid != uid:
require_employee = True
continue
res_ids.setdefault(rmod, set()).add(rid)
if values:
if values.get('res_model') and values.get('res_id'):
res_ids.setdefault(values['res_model'],
set()).add(values['res_id'])
ima = self.pool.get('ir.model.access')
for model, mids in res_ids.items():
# ignore attachments that are not attached to a resource anymore when checking access rights
# (resource was deleted but attachment was not)
if not self.pool.get(model):
require_employee = True
continue
existing_ids = self.pool[model].exists(cr, uid, mids)
if len(existing_ids) != len(mids):
require_employee = True
# For related models, check if we can write to the model, as unlinking
# and creating attachments can be seen as an update to the model
if (mode in ['unlink', 'create']):
ima.check(cr, uid, model, 'write')
else:
ima.check(cr, uid, model, mode)
self.pool[model].check_access_rule(cr,
uid,
existing_ids,
mode,
context=context)
if require_employee:
if not uid == SUPERUSER_ID and not self.pool[
'res.users'].has_group(cr, uid, 'base.group_user'):
raise AccessError(
_("Sorry, you are not allowed to access this document."))
def set_technical_features(self):
""" Map boolean field value to group membership, but checking
access """
group = self.env.ref(
'base_technical_features.group_technical_features')
for user in self:
if self.env.ref('base.group_no_one') not in user.groups_id:
raise AccessError(
_('The user does not have access to technical '
'features.'))
if user.technical_features:
self.sudo().write({'groups_id': [(4, group.id)]})
else:
self.sudo().write({'groups_id': [(3, group.id)]})
def create(self, cr, uid, values, context=None):
""" Override to avoid automatic logging of creation """
if context is None:
context = {}
employee_id = values.get('employee_id', False)
context = dict(context, mail_create_nolog=True, mail_create_nosubscribe=True)
if not self._check_state_access_right(cr, uid, values, context):
raise AccessError(_('You cannot set a leave request as \'%s\'. Contact a human resource manager.') % values.get('state'))
if not values.get('name'):
employee_name = self.pool['hr.employee'].browse(cr, uid, employee_id, context=context).name
holiday_type = self.pool['hr.holidays.status'].browse(cr, uid, values.get('holiday_status_id'), context=context).name
values['name'] = _("%s on %s") % (employee_name, holiday_type)
hr_holiday_id = super(hr_holidays, self).create(cr, uid, values, context=context)
self.add_follower(cr, uid, [hr_holiday_id], employee_id, context=context)
return hr_holiday_id
def force_storage(self, cr, uid, context=None):
"""Force all attachments to be stored in the currently configured storage"""
if not self.pool['res.users']._is_admin(cr, uid, [uid]):
raise AccessError(
_('Only administrators can execute this action.'))
location = self._storage(cr, uid, context)
domain = {
'db': [('store_fname', '!=', False)],
'file': [('db_datas', '!=', False)],
}[location]
ids = self.search(cr, uid, domain, context=context)
for attach in self.browse(cr, uid, ids, context=context):
attach.write({'datas': attach.datas})
return True
def check_access_rule(self, cr, uid, ids, operation, context=None):
""" Add Access rules of mail.message for non-employee user:
- read:
- raise if the type is comment and subtype NULL (internal note)
"""
if uid != SUPERUSER_ID:
group_ids = self.pool.get('res.users').browse(
cr, uid, uid, context=context).groups_id
group_user_id = self.pool.get(
"ir.model.data").get_object_reference(cr, uid, 'base',
'group_public')[1]
if group_user_id in [group.id for group in group_ids]:
cr.execute(
'SELECT id FROM "%s" WHERE website_published IS FALSE AND id = ANY (%%s)'
% (self._table), (ids, ))
if cr.fetchall():
raise AccessError(
_('The requested operation cannot be completed due to security restrictions. Please contact your system administrator.\n\n(Document type: %s, Operation: %s)'
) % (self._description, operation))
return super(MailMessage, self).check_access_rule(cr,
uid,
ids=ids,
operation=operation,
context=context)
def read(self, fields=None, load='_classic_read'):
if self.search_count([('id', 'in', self._ids), ('name', '=', 'NOACCESS')]):
raise AccessError('Sorry')
return super(Category, self).read(fields=fields, load=load)
def get_actions(self,
cr,
uid,
action_slot,
model,
res_id=False,
context=None):
"""Retrieves the list of actions bound to the given model's action slot.
See the class description for more details about the various action
slots: :class:`~.ir_values`.
:param string action_slot: the action slot to which the actions should be
bound to - one of ``client_action_multi``,
``client_print_multi``, ``client_action_relate``,
``tree_but_open``.
:param string model: model name
:param int res_id: optional record id - will bind the action only to a
specific record of the model, not all records.
:return: list of action tuples of the form ``(id, name, action_def)``,
where ``id`` is the ID of the default entry, ``name`` is the
action label, and ``action_def`` is a dict containing the
action definition as obtained by calling
:meth:`~ecore.osv.osv.osv.read` on the action record.
"""
assert action_slot in ACTION_SLOTS, 'Illegal action slot value: %s' % action_slot
# use a direct SQL query for performance reasons,
# this is called very often
query = """SELECT v.id, v.name, v.value FROM ir_values v
WHERE v.key = %s AND v.key2 = %s
AND v.model = %s
AND (v.res_id = %s
OR v.res_id IS NULL
OR v.res_id = 0)
ORDER BY v.id"""
cr.execute(query, ('action', action_slot, model, res_id or None))
# map values to their corresponding action record
actions = []
for id, name, value in cr.fetchall():
if not value:
continue # skip if undefined
action_model, action_id = value.split(',')
if action_model not in self.pool:
continue # unknown model? skip it!
action = self.pool[action_model].browse(cr, uid, int(action_id),
context)
actions.append((id, name, action))
# process values and their action
user = self.pool['res.users'].browse(cr, uid, uid, context)
results = {}
for id, name, action in actions:
fields = [
field for field in action._fields
if field not in EXCLUDED_FIELDS
]
# FIXME: needs cleanup
try:
action_def = {
field: action._fields[field].convert_to_read(action[field])
for field in fields
}
if action._name in ('ir.actions.report.xml',
'ir.actions.act_window'):
if action.groups_id and not action.groups_id & user.groups_id:
if name == 'Menuitem':
raise AccessError(
_('You do not have the permission to perform this operation!!!'
))
continue
# keep only the last action registered for each action name
results[name] = (id, name, action_def)
except (AccessError, MissingError):
continue
return sorted(results.values())