From 9624ef2907b34464383f857b351144eb45afb346 Mon Sep 17 00:00:00 2001
From: "P. Christeas" <p_christ@hol.gr>
Date: Wed, 27 Oct 2010 13:24:28 +0300
Subject: [PATCH] document: ACL setup, based on ir.rules

bzr revid: p_christ@hol.gr-20101027102428-pyanpwxzhta3zqy3
---
 addons/document/document_data.xml             | 20 ++++++-------
 .../document/security/document_security.xml   | 24 ++++++++++++++-
 addons/document/security/ir.model.access.csv  |  1 +
 .../document_ftp/test/document_ftp_test5.yml  | 30 +++++++++++++++++++
 4 files changed, 64 insertions(+), 11 deletions(-)
 create mode 100644 addons/document_ftp/test/document_ftp_test5.yml

diff --git a/addons/document/document_data.xml b/addons/document/document_data.xml
index ef829b6e258..a4f546cbf83 100644
--- a/addons/document/document_data.xml
+++ b/addons/document/document_data.xml
@@ -16,13 +16,13 @@
 
     <record model="document.directory" id="dir_root">
         <field name="name">Documents</field>
-        <field name="user_id" ref="base.user_root"/>
+        <field name="user_id" eval="False"/>
         <field name="storage_id" ref="storage_default"/>
         <field name="ressource_id">0</field>
     </record>
 
     <record model="document.directory" id="dir_my_folder">
-        <field name="name">My Folder</field>
+        <field name="name">Admin Folder</field>
         <field name="parent_id" ref="dir_root"/>
         <field name="user_id" ref="base.user_root"/>
         <field name="ressource_id">0</field>
@@ -37,7 +37,7 @@
         <field name="ressource_id">0</field>
 
         <field name="ressource_type_id" search="[('model','=','res.partner.category')]" />
-        <field name="user_id" ref="base.user_root"/>
+        <field name="user_id" eval="False"/>
     </record>
 
     <record model="document.directory" id="dir_partner">
@@ -46,7 +46,7 @@
         <field name="domain">[('category_id','in',[active_id])]</field>
         <field name="ressource_type_id" search="[('model','=','res.partner')]" />
         <field name="ressource_parent_type_id" search="[('model','=','res.partner.category')]" />
-        <field name="user_id" ref="base.user_root"/>
+        <field name="user_id" eval="False"/>
         <field name="ressource_id">0</field>
 
     </record>
@@ -55,14 +55,14 @@
         <field name="name">Personal Folders</field>
         <field name="parent_id" ref="dir_root"/>
         <field name="type">ressource</field>
+        <field name="user_id" eval="False"/>
         <field name="ressource_type_id" ref="base.model_res_users" />
         <field name="ressource_id">0</field>
-
     </record>
 
     <record model="document.directory" id="dir_product">
         <field name="name">Products</field>
-        <field name="user_id" ref="base.user_root"/>
+        <field name="user_id" eval="False"/>
         <field name="parent_id" ref="dir_root"/>
         <field name="ressource_id">0</field>
 
@@ -70,7 +70,7 @@
 
     <record model="document.directory" id="dir_sale_order">
         <field name="name">Sales Order</field>
-        <field name="user_id" ref="base.user_root"/>
+        <field name="user_id" eval="False"/>
         <field name="parent_id" ref="dir_root"/>
         <field name="ressource_id">0</field>
 
@@ -78,7 +78,7 @@
 
     <record model="document.directory" id="dir_sale_order_all">
         <field name="name">All Sales Order</field>
-        <field name="user_id" ref="base.user_root"/>
+        <field name="user_id" eval="False"/>
         <field name="parent_id" ref="dir_sale_order"/>
         <field name="ressource_id">0</field>
 
@@ -86,7 +86,7 @@
 
     <record model="document.directory" id="dir_sale_order_quote">
         <field name="name">Quotations</field>
-        <field name="user_id" ref="base.user_root"/>
+        <field name="user_id" eval="False"/>
         <field name="parent_id" ref="dir_sale_order"/>
         <field name="ressource_id">0</field>
 
@@ -94,7 +94,7 @@
 
     <record model="document.directory" id="dir_project">
         <field name="name">Projects</field>
-        <field name="user_id" ref="base.user_root"/>
+        <field name="user_id" eval="False"/>
         <field name="parent_id" ref="dir_root"/>
         <field name="ressource_id">0</field>
 
diff --git a/addons/document/security/document_security.xml b/addons/document/security/document_security.xml
index 2bf1a2adb57..e1a60165150 100644
--- a/addons/document/security/document_security.xml
+++ b/addons/document/security/document_security.xml
@@ -14,6 +14,28 @@
         <field name="groups_id" eval="[(6,0,[ref('base.group_system')])]"/>
     </record>
 
-
+    <record id="ir_rule_readpublicdirectories0" model="ir.rule">
+        <field name="model_id" ref="document.model_document_directory"/>
+        <field name="domain_force">['|',('user_id', '=', False), ('user_id', '=', user.id), '|', ('group_ids','=',False), ('group_ids','in',user.groups_id), '|', ('company_id','=',False), ('company_id','child_of',[user.company_id.id])]</field>
+        <field name="name">Read public directories</field>
+        <field eval="0" name="global"/>
+        <field eval="[(6,0,[ref('base.group_user')])]" name="groups"/>
+        <field eval="0" name="perm_unlink"/>
+        <field eval="0" name="perm_write"/>
+        <field eval="1" name="perm_read"/>
+        <field eval="0" name="perm_create"/>
+    </record>
+    
+    <record id="ir_rule_documentmodifyowndirectories0" model="ir.rule">
+        <field name="model_id" ref="document.model_document_directory"/>
+        <field name="domain_force">[('user_id', '=', user.id), '|', ('group_ids','=',False), ('group_ids','in',user.groups_id), '|', ('company_id','=',False), ('company_id','child_of',[user.company_id.id]) ]</field>
+        <field name="name">Document modify own directories</field>
+        <field eval="0" name="global"/>
+        <field eval="[(6,0,[ref('base.group_document_user')])]" name="groups"/>
+        <field eval="1" name="perm_unlink"/>
+        <field eval="1" name="perm_write"/>
+        <field eval="0" name="perm_read"/>
+        <field eval="1" name="perm_create"/>
+    </record>
 </data>
 </openerp>
diff --git a/addons/document/security/ir.model.access.csv b/addons/document/security/ir.model.access.csv
index 132daa1b7a6..d7aba7cbde7 100644
--- a/addons/document/security/ir.model.access.csv
+++ b/addons/document/security/ir.model.access.csv
@@ -1,6 +1,7 @@
 "id","name","model_id:id","group_id:id","perm_read","perm_write","perm_create","perm_unlink"
 "access_document_directory_all","document.directory all","model_document_directory",,1,0,0,0
 "access_document_directory_group_document_manager","document.directory document manager","model_document_directory","base.group_system",1,1,1,1
+"access_document_directory_group_knowledge","document.directory modify","model_document_directory","base.group_document_user",1,1,1,1
 "access_document_directory_group_system","document.directory group system","model_document_directory","base.group_system",1,1,1,1
 "access_document_directory_content_all","document.directory.content all","model_document_directory_content",,1,0,0,0
 "access_document_directory_content_group_document_manager","document.directory.content document manager","model_document_directory_content","base.group_system",1,1,1,1
diff --git a/addons/document_ftp/test/document_ftp_test5.yml b/addons/document_ftp/test/document_ftp_test5.yml
new file mode 100644
index 00000000000..a66f409905b
--- /dev/null
+++ b/addons/document_ftp/test/document_ftp_test5.yml
@@ -0,0 +1,30 @@
+-
+  In order to check the permissions setup and functionality of the
+  document module:
+-
+  I create a testing user for the documents
+-
+  I assign some ... group to the testing user
+-
+  I create a "group testing" user, which also belongs to the same ... group
+-
+  I create a "blocked" user.
+-
+  I create (as root) a testing folder in the document hierarchy, and
+  assign ownership to the testing user, groups to the ... group.
+-
+  I create a "private" folder inside the testing folder.
+-
+  I try to read the testing folder as the testing user
+-
+  I try to read the folder as the group user, it should fail.
+-
+  I try to read the folder as the blocked user.
+-
+  I create a "group" folder, with the ... group.
+-
+  I try to read the "group" folder as the testing user
+-
+  I try to read the "group" folder as the group user
+-
+  I try to read the "group" folder as the blocked user