TA#69961 [16.0] [IMP] admin_light_mail : mail.template security (#214)

Numigi · Nov 12, 2024 · 2f5e1f3 · 2f5e1f3
1 parent 047e825
commit 2f5e1f3
Show file tree

Hide file tree

Showing 6 changed files with 137 additions and 16 deletions.
diff --git a/admin_light_mail/__manifest__.py b/admin_light_mail/__manifest__.py
@@ -3,7 +3,7 @@
 
 {
     "name": "Admin Light Email",
-    "version": "16.0.1.0.0",
+    "version": "16.0.1.0.1",
     "author": "Numigi",
     "maintainer": "Numigi",
     "license": "LGPL-3",
@@ -18,8 +18,9 @@
         "views/mail_mail.xml",
         "views/mail_message_subtype.xml",
         "views/mail_server.xml",
-        "views/mail_template.xml",
+        "security/security.xml",
         "security/ir.model.access.csv",
+        "views/mail_template.xml",
     ],
     "installable": True,
 }
diff --git a/admin_light_mail/security/ir.model.access.csv b/admin_light_mail/security/ir.model.access.csv
@@ -5,3 +5,7 @@ access_fetchmail_server,Admin Light: fetchmail.server,mail.model_fetchmail_serve
 access_ir_cron,Admin Light: ir.cron (Required for editing incoming mail servers),base.model_ir_cron,group_email_server,1,1,0,0
 access_mail_tracking_value,Admin Light: mail.tracking.value,mail.model_mail_tracking_value,group_email_messages,1,0,0,0
 access_mail_mail,Admin Light: mail.mail (Required for accessing to incoming mail servers),mail.model_mail_mail,group_email_server,1,1,0,0
+mail.access_mail_template,mail.template,mail.model_mail_template,base.group_user,1,0,0,0
+access_mail_template,mail.template,mail.model_mail_template,group_email_template,1,1,1,1
+access_ir_model,ir.model.access,base.model_ir_model,group_email_template,1,0,0,0
+access_ir_mail_server_user_template,Admin Light (User Template group): ir.mail.server,base.model_ir_mail_server,group_email_template,1,0,0,0
diff --git a/admin_light_mail/security/security.xml b/admin_light_mail/security/security.xml
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<odoo>
+
+    <record id="mail.access_mail_template_editor" model="ir.model.access">
+        <field name="active" eval="False"/>
+    </record>
+
+    <record id="group_email_template" model="res.groups">
+        <field name="name">Email Templates</field>
+        <field name="category_id" ref="admin_light_base.module_category_admin" />
+        <field name="implied_ids" eval="[(4, ref('admin_light_base.group_admin'))]" />
+    </record>
+
+    <record id="rule_mail_template_edit_own" model="ir.rule">
+        <field name="name">Users can only change their own templates</field>
+        <field name="model_id" ref="mail.model_mail_template"/>
+        <field name="domain_force">[('create_uid', '=', user.id)]</field>
+        <field name="groups" eval="[Command.link(ref('admin_light_mail.group_email_template'))]"/>
+        <field name="perm_create" eval="True"/>
+        <field name="perm_read" eval="False"/>
+        <field name="perm_write" eval="True"/>
+        <field name="perm_unlink" eval="True"/>
+    </record>
+
+    <function name="write" model="ir.model.data">
+        <value model="ir.model.data" search="[('module', '=', 'mail'), ('name', '=', 'mail_template_editor_rule')]"/>
+        <value eval="{'noupdate': False}"/>
+    </function>
+
+    <record id="mail.mail_template_editor_rule" model="ir.rule">
+        <field name="groups" eval="[(3, ref('mail.group_mail_template_editor'))]"/>
+    </record>
+
+    <function name="write" model="ir.model.data">
+        <value model="ir.model.data" search="[('module', '=', 'mail'), ('name', '=', 'mail_template_editor_rule')]"/>
+        <value eval="{'noupdate': True}"/>
+    </function>
+
+</odoo>
diff --git a/admin_light_mail/tests/__init__.py b/admin_light_mail/tests/__init__.py
@@ -0,0 +1,4 @@
+# Copyright 2024 Numigi (tm) and all its contributors (https://bit.ly/numigiens)
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl).
+
+from . import test_mail_template_access
diff --git a/admin_light_mail/tests/test_mail_template_access.py b/admin_light_mail/tests/test_mail_template_access.py
@@ -0,0 +1,86 @@
+# Copyright 2024 Numigi (tm) and all its contributors (https://bit.ly/numigiens)
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl).
+
+from odoo.tests.common import TransactionCase
+from odoo.exceptions import AccessError
+
+
+class TestMailTemplateAccess(TransactionCase):
+
+    @classmethod
+    def setUpClass(cls):
+        super().setUpClass()
+
+        ref = cls.env.ref
+        cls.user1 = cls.env["res.users"].create(
+            {
+                "name": "User 1",
+                "login": "user1",
+                "groups_id": [
+                    (
+                        6,
+                        0,
+                        [
+                            ref("base.group_user").id,
+                            ref("admin_light_mail.group_email_template").id,
+                        ],
+                    )
+                ],
+            }
+        )
+        cls.user2 = cls.env["res.users"].create(
+            {
+                "name": "User 2",
+                "login": "user2",
+                "groups_id": [
+                    (
+                        6,
+                        0,
+                        [
+                            ref("base.group_user").id,
+                            ref("admin_light_mail.group_email_template").id,
+                        ],
+                    )
+                ],
+            }
+        )
+        cls.mail_template_user1 = (
+            cls.env["mail.template"]
+            .with_user(cls.user1)
+            .create(
+                {
+                    "name": "User1 Template",
+                    "subject": "Template by User1",
+                    "email_from": "[email protected]",
+                }
+            )
+        )
+
+    def test_user_own_record_access(self):
+        self.mail_template_user1.with_user(self.user1).write(
+            {"subject": "Updated by User1"}
+        )
+        self.assertEqual(self.mail_template_user1.subject, "Updated by User1")
+        self.mail_template_user1.with_user(self.user1).unlink()
+        self.assertFalse(
+            self.env["mail.template"].search([("id", "=", self.mail_template_user1.id)])
+        )
+
+    def test_other_user_access_error(self):
+        self.mail_template_user1 = (
+            self.env["mail.template"]
+            .with_user(self.user1)
+            .create(
+                {
+                    "name": "User1 Template",
+                    "subject": "Template by User1",
+                    "email_from": "[email protected]",
+                }
+            )
+        )
+        with self.assertRaises(AccessError):
+            self.mail_template_user1.with_user(self.user2).write(
+                {"subject": "Unauthorized Update by User2"}
+            )
+        with self.assertRaises(AccessError):
+            self.mail_template_user1.with_user(self.user2).unlink()
diff --git a/admin_light_mail/views/mail_template.xml b/admin_light_mail/views/mail_template.xml
@@ -1,26 +1,13 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <odoo>
 
-    <record id="group_email_template" model="res.groups">
-        <field name="name">Email Templates</field>
-        <field name="category_id" ref="admin_light_base.module_category_admin" />
-        <field name="implied_ids" eval="[(4, ref('admin_light_base.group_admin'))]" />
-    </record>
-
-    <!-- By default, Odoo allows all users to edit mail templates, 
-    we don't want this after giving admin light access to mail template -->
-
-    <record id="base.group_user" model="res.groups">
-        <field name="implied_ids" eval="[(3, ref('mail.group_mail_template_editor'))]"/>
-    </record>
-
     <menuitem
         id="menu_email_template"
         name="Email Templates"
         parent="menu_email"
         groups="group_email_template"
         action="mail.action_email_template_tree_all"
         sequence="10"
-        />
+    />
 
 </odoo>