From 9b3f3fecfe5e5487dce6c24b1ee18a5b23faf474 Mon Sep 17 00:00:00 2001
From: Denis Ledoux <dle@odoo.com>
Date: Mon, 25 Aug 2014 14:51:03 +0200
Subject: [PATCH] [FIX] hr_holidays: employees cannot approve their holidays

Nor modify once approved

It wasn't possible for employees to approve their holidays themself, thanks to the GUI, but this was possible through xmlrpc calls, or when altering the html directly in the browser.
Besides, this was also possible to edit the holiday through the same trick once the holiday validated
---
 addons/hr_holidays/hr_holidays.py       |  4 ++++
 addons/hr_holidays/security/ir_rule.xml | 11 +++++++++++
 2 files changed, 15 insertions(+)

diff --git a/addons/hr_holidays/hr_holidays.py b/addons/hr_holidays/hr_holidays.py
index fbe72a1898c..38130149825 100644
--- a/addons/hr_holidays/hr_holidays.py
+++ b/addons/hr_holidays/hr_holidays.py
@@ -305,10 +305,14 @@ class hr_holidays(osv.osv):
         if context is None:
             context = {}
         context = dict(context, mail_create_nolog=True)
+        if values.get('state') and values['state'] not in ['draft', 'confirm', 'cancel'] and not self.pool['res.users'].has_group(cr, uid, 'base.group_hr_user'):
+            raise osv.except_osv(_('Warning!'), _('You cannot set a leave request as \'%s\'. Contact a human resource manager.') % values.get('state'))
         return super(hr_holidays, self).create(cr, uid, values, context=context)
 
     def write(self, cr, uid, ids, vals, context=None):
         check_fnct = self.pool.get('hr.holidays.status').check_access_rights
+        if vals.get('state') and vals['state'] not in ['draft', 'confirm', 'cancel'] and not self.pool['res.users'].has_group(cr, uid, 'base.group_hr_user'):
+            raise osv.except_osv(_('Warning!'), _('You cannot set a leave request as \'%s\'. Contact a human resource manager.') % vals.get('state'))
         for  holiday in self.browse(cr, uid, ids, context=context):
             if holiday.state in ('validate','validate1') and not check_fnct(cr, uid, 'write', raise_exception=False):
                 raise osv.except_osv(_('Warning!'),_('You cannot modify a leave request that has been approved. Contact a human resource manager.'))
diff --git a/addons/hr_holidays/security/ir_rule.xml b/addons/hr_holidays/security/ir_rule.xml
index ff0270026a4..3aa2d4db052 100644
--- a/addons/hr_holidays/security/ir_rule.xml
+++ b/addons/hr_holidays/security/ir_rule.xml
@@ -5,6 +5,17 @@
         <field name="name">Employee Holidays</field>
         <field model="ir.model" name="model_id" ref="model_hr_holidays"/>
         <field name="domain_force">[('employee_id.user_id','=',user.id)]</field>
+        <field name="perm_create" eval="False"/>
+        <field name="perm_write" eval="False"/>
+        <field name="perm_unlink" eval="False"/>
+        <field name="groups" eval="[(4,ref('base.group_user'))]"/>
+    </record>
+
+    <record id="property_rule_holidays_employee_write" model="ir.rule">
+        <field name="name">Employee Holidays Create, Write, Unlink</field>
+        <field model="ir.model" name="model_id" ref="model_hr_holidays"/>
+        <field name="domain_force">[('employee_id.user_id','=',user.id), ('state', 'in', ['draft', 'confirm', 'cancel'])]</field>
+        <field name="perm_read" eval="False"/>
         <field name="groups" eval="[(4,ref('base.group_user'))]"/>
     </record>