[IMP] better security rules

bzr revid: mat@openerp.com-20130405073205-gfcolcdv3oomlo0z

addons/gamification/plan.py

@@ -102,7 +102,7 @@ class gamification_goal_plan(osv.Model):
             string='Users',
             help="List of users to which the goal will be set"),
         'manager_id': fields.many2one('res.users', required=True,
-            string='Manager', help="The user responsible for the plan."),
+            string='Responsible', help="The user responsible for the plan."),
         'planline_ids': fields.one2many('gamification.goal.planline',
             'plan_id',
             string='Planline',

addons/gamification/plan_view.xml

@@ -68,7 +68,7 @@
 
                         <group>
                             <group colspan="4">
-                                <field name="manager_id"/>
+                                <field name="manager_id" />
                                 <field name="start_date" attrs="{'readonly':[('state','!=','draft')]}"/>
                                 <field name="period" attrs="{'readonly':[('state','!=','draft')]}"/>
                                 <field name="remind_update_delay"/>

addons/gamification/security/gamification_security.xml

@@ -13,16 +13,22 @@
         </record>
     </data>
 
-    <data noupdate="1">
+    <data noupdate="0">
         <record id="goal_user_visibility" model="ir.rule">
-            <field name="name">User can only see his/her goals</field>
+            <!-- TODO fix private for board -->
+            <field name="name">User can only see his/her goals or goal from the same plan in board visibility</field>
             <field name="model_id" ref="model_gamification_goal"/>
             <field name="groups" eval="[(4, ref('base.group_user'))]"/>
             <field name="perm_read" eval="True"/>
             <field name="perm_write" eval="True"/>
             <field name="perm_create" eval="False"/>
             <field name="perm_unlink" eval="False"/>
-            <field name="domain_force">[('user_id','=',user.id)]</field>
+            <field name="domain_force">[
+                '|',
+                    ('user_id','=',user.id),
+                    '&amp;',
+                        ('plan_id.user_ids','in',user.id),
+                        ('plan_id.visibility_mode','=','board')]</field>
         </record>
         <record id="goal_manager_visibility" model="ir.rule">
             <field name="name">Manager has all rights on user's goals</field>

addons/gamification/security/ir.model.access.csv

@@ -5,9 +5,9 @@ goal_user,"Goal User",model_gamification_goal,base.group_user,1,1,0,0
 goal_type_manager,"Goal Type Manager",model_gamification_goal_type,group_goal_manager,1,1,1,1
 goal_type_anybody,"Goal Type Anybody",model_gamification_goal_type,,1,0,0,0
 plan_manager,"Goal Plan Manager",model_gamification_goal_plan,group_goal_manager,1,1,1,1
-plan_user_anybody,"Goal Plan Anybody",model_gamification_goal_plan,,1,0,0,0
+plan_user,"Goal Plan Anybody",model_gamification_goal_plan,base.group_user,1,0,0,0
 planline_manager,"Goal Planline Manager",model_gamification_goal_planline,group_goal_manager,1,1,1,1
-planline_anybody,"Goal Planline Anybody",model_gamification_goal_planline,,1,0,0,0
+planline_user,"Goal Planline Anybody",model_gamification_goal_planline,base.group_user,1,0,0,0
 badge_manager,"Badge Manager",model_gamification_badge,group_goal_manager,1,1,1,1
 badge_user,"Badge Manager",model_gamification_badge,base.group_user,1,0,0,0
 badge_anybody,"Badge Anybody",model_gamification_badge,,1,0,0,0