diff --git a/addons/portal_project/security/portal_security.xml b/addons/portal_project/security/portal_security.xml index f6adf6b1391..b35c8be87d5 100644 --- a/addons/portal_project/security/portal_security.xml +++ b/addons/portal_project/security/portal_security.xml @@ -16,12 +16,17 @@ Project: portal users: public, portal or following - ['|', - ('privacy_visibility', 'in', ['public', 'portal']), - '&', - ('privacy_visibility', '=', 'followers'), - ('message_follower_ids', 'in', [user.partner_id.id]), - ] + [ + '|', + '|', + ('privacy_visibility', '=', 'public'), + '&', + ('privacy_visibility', '=', 'portal'), + ('message_follower_ids', 'child_of', [user.partner_id.commercial_partner_id.id]), + '&', + ('privacy_visibility', '=', 'followers'), + ('message_follower_ids', 'in', [user.partner_id.id]) + ] @@ -34,26 +39,38 @@ Project/Task: employees: public, portal, employee or (followers and following) - ['|', - ('project_id.privacy_visibility', 'in', ['public', 'portal', 'employees']), - '&', - ('project_id.privacy_visibility', '=', 'followers'), - ('message_follower_ids', 'in', [user.partner_id.id]), - ] + [ + '|', + ('project_id.privacy_visibility', 'in', ['public', 'portal', 'employees']), + '|', + '&', + ('project_id.privacy_visibility', '=', 'followers'), + ('project_id.message_follower_ids', 'in', [user.partner_id.id]), + '|', + ('message_follower_ids', 'in', [user.partner_id.id]), + ('user_id', '=', user.id) + ] Project/Task: portal users: public or (portal and colleagues following) or (followers and following) - ['|', '|', - ('project_id.privacy_visibility', 'in', ['public']), - '&', - ('project_id.privacy_visibility', '=', 'portal'), - ('message_follower_ids', 'child_of', [user.partner_id.commercial_partner_id.id]), - '&', - ('project_id.privacy_visibility', '=', 'followers'), - ('message_follower_ids', 'in', [user.partner_id.id]), - ] + [ + '|', + '|', + '|', + ('project_id.privacy_visibility', '=', 'public'), + '&', + ('project_id.privacy_visibility', '=', 'portal'), + ('project_id.message_follower_ids', 'child_of', [user.partner_id.commercial_partner_id.id]), + '&', + ('project_id.privacy_visibility', '=', 'followers'), + ('project_id.message_follower_ids', 'in', [user.partner_id.id]), + '&', + # on employee project can receive messages but not access the object + ('project_id.privacy_visibility', '!=', 'employees'), + ('message_follower_ids', 'in', [user.partner_id.id]) + ] diff --git a/addons/portal_project/tests/test_access_rights.py b/addons/portal_project/tests/test_access_rights.py index e36df90b652..a4f29735a69 100644 --- a/addons/portal_project/tests/test_access_rights.py +++ b/addons/portal_project/tests/test_access_rights.py @@ -149,15 +149,11 @@ class TestPortalProject(TestPortalProjectBase): self.assertRaises(AccessError, self.project_task.search, cr, self.user_none_id, [('project_id', '=', pigs_id)]) # Data: task follower + self.project_project.message_subscribe_users(cr, self.user_manager_id, [pigs_id], [self.user_portal_id]) self.project_task.message_subscribe_users(cr, self.user_projectuser_id, [self.task_1_id, self.task_3_id], [self.user_portal_id]) - # Do: Chell reads project -> ok (portal ok public) + # Do: Chell reads project -> ok (portal ok portal) self.project_project.read(cr, self.user_portal_id, [pigs_id], ['state']) - # Test: only followed project tasks visible + assigned - task_ids = self.project_task.search(cr, self.user_portal_id, [('project_id', '=', pigs_id)]) - test_task_ids = set([self.task_1_id, self.task_3_id, self.task_5_id]) - self.assertEqual(set(task_ids), test_task_ids, - 'access rights: portal user should see the followed tasks of a portal project') # Do: Donovan reads project -> ko (public ko portal) self.assertRaises(except_orm, self.project_project.read, cr, self.user_public_id, [pigs_id], ['state']) @@ -197,6 +193,12 @@ class TestPortalProject(TestPortalProjectBase): task_ids = self.project_task.search(cr, self.user_public_id, [('project_id', '=', pigs_id)]) self.assertFalse(task_ids, 'access rights: public user should not see tasks of an employees project') + # Do: project user is employee and can create a task + tmp_task_id = self.project_task.create(cr, self.user_projectuser_id, { + 'name': 'Pigs task', 'project_id': pigs_id + }, {'mail_create_nolog': True}) + self.project_task.unlink(cr, self.user_projectuser_id, [tmp_task_id]) + # ---------------------------------------- # CASE4: followers project # ---------------------------------------- @@ -214,7 +216,8 @@ class TestPortalProject(TestPortalProjectBase): # Do: Bert reads project -> crash, no group self.assertRaises(AccessError, self.project_project.read, cr, self.user_none_id, [pigs_id], ['state']) - # Do: Chell reads project -> ko (portal ko employee) + # Do: Chell reads project -> ko (portal ko followers) + self.project_project.message_unsubscribe_users(cr, self.user_portal_id, [pigs_id], [self.user_portal_id]) self.assertRaises(except_orm, self.project_project.read, cr, self.user_portal_id, [pigs_id], ['state']) # Test: no project task visible task_ids = self.project_task.search(cr, self.user_portal_id, [('project_id', '=', pigs_id)]) @@ -234,19 +237,25 @@ class TestPortalProject(TestPortalProjectBase): # Do: Alfred reads project -> ok (follower ok followers) self.project_project.read(cr, self.user_projectuser_id, [pigs_id], ['state']) - # Test: followed + assigned tasks visible - task_ids = self.project_task.search(cr, self.user_projectuser_id, [('project_id', '=', pigs_id)]) - test_task_ids = set([self.task_1_id, self.task_3_id, self.task_4_id]) - self.assertEqual(set(task_ids), test_task_ids, - 'access rights: employee user should not see followed + assigned tasks of a follower project') # Do: Chell reads project -> ok (follower ok follower) self.project_project.read(cr, self.user_portal_id, [pigs_id], ['state']) - # Test: followed + assigned tasks visible - task_ids = self.project_task.search(cr, self.user_portal_id, [('project_id', '=', pigs_id)]) - test_task_ids = set([self.task_1_id, self.task_3_id, self.task_5_id]) - self.assertEqual(set(task_ids), test_task_ids, - 'access rights: employee user should not see followed + assigned tasks of a follower project') # Do: Donovan reads project -> ko (public ko follower even if follower) self.assertRaises(except_orm, self.project_project.read, cr, self.user_public_id, [pigs_id], ['state']) + + # Do: project user is follower of the project and can create a task + self.project_task.create(cr, self.user_projectuser_id, { + 'name': 'Pigs task', 'project_id': pigs_id + }, {'mail_create_nolog': True}) + + # not follower user should not be able to create a task + self.project_project.message_unsubscribe_users(cr, self.user_projectuser_id, [pigs_id], [self.user_projectuser_id]) + self.assertRaises(except_orm, + self.project_task.create, cr, self.user_projectuser_id, {'name': 'Pigs task', 'project_id': pigs_id}, {'mail_create_nolog': True} + ) + + # Do: project user can create a task without project + self.project_task.create(cr, self.user_projectuser_id, { + 'name': 'Pigs task', 'project_id': False + }, {'mail_create_nolog': True}) diff --git a/addons/project/security/project_security.xml b/addons/project/security/project_security.xml index 444a9d03b40..e1c2a8f997a 100644 --- a/addons/project/security/project_security.xml +++ b/addons/project/security/project_security.xml @@ -79,14 +79,18 @@ Project/Task: employees: public or employee or (followers and following) - ['|', - ('project_id.privacy_visibility', 'in', ['public', 'employees']), - '&', - '|', - ('project_id', '=', False), - ('project_id.privacy_visibility', '=', 'followers'), - ('message_follower_ids', 'in', [user.partner_id.id]), - ] + [ + '|', + ('project_id.privacy_visibility', 'in', ['public', 'employees']), + '|', + '&', + ('project_id.privacy_visibility', '=', 'followers'), + ('project_id.message_follower_ids', 'in', [user.partner_id.id]), + '|', + ('message_follower_ids', 'in', [user.partner_id.id]), + # to subscribe check access to the record, follower is not enough at creation + ('user_id', '=', user.id) + ]