From 82a2ee3e500a282dae7880dc08082025977c369c Mon Sep 17 00:00:00 2001 From: pedrambiria Date: Thu, 17 Nov 2022 15:01:01 +0000 Subject: [PATCH 1/2] [FIX] point_of_sale: load orders with archived product Before this commit: if one product in one of the previous orders is archived, it won't load the order properly for order management. opw-3035231 closes odoo/odoo#105952 Signed-off-by: Trinh Jacky (trj) --- .../OrderManagementScreen/OrderFetcher.js | 1 + addons/point_of_sale/static/src/js/db.js | 8 ++++-- addons/point_of_sale/static/src/js/models.js | 27 ++++++++++++++++--- 3 files changed, 31 insertions(+), 5 deletions(-) diff --git a/addons/point_of_sale/static/src/js/Screens/OrderManagementScreen/OrderFetcher.js b/addons/point_of_sale/static/src/js/Screens/OrderManagementScreen/OrderFetcher.js index 57a0263567b2c..810d108d547bf 100644 --- a/addons/point_of_sale/static/src/js/Screens/OrderManagementScreen/OrderFetcher.js +++ b/addons/point_of_sale/static/src/js/Screens/OrderManagementScreen/OrderFetcher.js @@ -133,6 +133,7 @@ odoo.define('point_of_sale.OrderFetcher', function (require) { const idsNotInCache = ids.filter((id) => !(id in this.cache)); if (idsNotInCache.length > 0) { const fetchedOrders = await this._fetchOrders(idsNotInCache); + await this.comp.env.pos._loadMissingProducts(fetchedOrders); // Cache these fetched orders so that next time, no need to fetch // them again, unless invalidated. See `invalidateCache`. fetchedOrders.forEach((order) => { diff --git a/addons/point_of_sale/static/src/js/db.js b/addons/point_of_sale/static/src/js/db.js index ca0afd28a83a9..a56e660e768e9 100644 --- a/addons/point_of_sale/static/src/js/db.js +++ b/addons/point_of_sale/static/src/js/db.js @@ -363,7 +363,9 @@ var PosDB = core.Class.extend({ var list = []; if (product_ids) { for (var i = 0, len = Math.min(product_ids.length, this.limit); i < len; i++) { - list.push(this.product_by_id[product_ids[i]]); + const product = this.product_by_id[product_ids[i]]; + if (!(product.active && product.available_in_pos)) continue; + list.push(product); } } return list; @@ -385,7 +387,9 @@ var PosDB = core.Class.extend({ var r = re.exec(this.category_search_string[category_id]); if(r){ var id = Number(r[1]); - results.push(this.get_product_by_id(id)); + const product = this.get_product_by_id(id); + if (!(product.active && product.available_in_pos)) continue; + results.push(product); }else{ break; } diff --git a/addons/point_of_sale/static/src/js/models.js b/addons/point_of_sale/static/src/js/models.js index 100596d5ea809..74197f907dba1 100644 --- a/addons/point_of_sale/static/src/js/models.js +++ b/addons/point_of_sale/static/src/js/models.js @@ -428,7 +428,7 @@ exports.PosModel = Backbone.Model.extend({ model: 'product.product', fields: ['display_name', 'lst_price', 'standard_price', 'categ_id', 'pos_categ_id', 'taxes_id', 'barcode', 'default_code', 'to_weight', 'uom_id', 'description_sale', 'description', - 'product_tmpl_id','tracking', 'write_date', 'available_in_pos', 'attribute_line_ids'], + 'product_tmpl_id','tracking', 'write_date', 'available_in_pos', 'attribute_line_ids', 'active'], order: _.map(['sequence','default_code','name'], function (name) { return {name: name}; }), domain: function(self){ var domain = ['&', '&', ['sale_ok','=',true],['available_in_pos','=',true],'|',['company_id','=',self.config.company_id[0]],['company_id','=',false]]; @@ -777,8 +777,9 @@ exports.PosModel = Backbone.Model.extend({ * Second load all orders belonging to the same config but from other sessions, * Only if tho order has orderlines. */ - load_orders: function(){ + load_orders: async function(){ var jsons = this.db.get_unpaid_orders(); + await this._loadMissingProducts(jsons); var orders = []; for (var i = 0; i < jsons.length; i++) { @@ -810,7 +811,27 @@ exports.PosModel = Backbone.Model.extend({ this.get('orders').add(orders); } }, - + async _loadMissingProducts(orders) { + const missingProductIds = new Set([]); + for (const order of orders) { + for (const line of order.lines) { + const productId = line[2].product_id; + if (missingProductIds.has(productId)) continue; + if (!this.db.get_product_by_id(productId)) { + missingProductIds.add(productId); + } + } + } + const productModel = _.find(this.models, function(model){return model.model === 'product.product';}); + const fields = productModel.fields; + const products = await this.rpc({ + model: 'product.product', + method: 'read', + args: [[...missingProductIds], fields], + context: Object.assign(this.session.user_context, { display_default_code: false }), + }); + productModel.loaded(this, products); + }, set_start_order: function(){ var orders = this.get('orders').models; From 73abcc1effff87d29a040ff17142045326fa4a0b Mon Sep 17 00:00:00 2001 From: anhe-odoo Date: Fri, 28 Jan 2022 14:36:54 +0000 Subject: [PATCH 2/2] [FIX] hr: Hide 'delete' and 'change password' actions on own profile Expected Behaviour When a user goes to his own profile, he has two ways to change his password : 1. through the 'Account security' tab 2. through the 'Actions' > 'Change password' menu in list/form view Both option should let the user change its password, or one of the two should not be present Observed behaviour While the first one works as expected, the second option gives an error as the user doesn't have the admin rights Reproducibility This bug can be reproduced following these steps: 0. Make sure to have the "Employees" app installed 1. Connect as an employee (e.g. demo/demo on runbot) 2. Click on your name at the top right, go to 'My Profile' 3. Click 'Action' then 'Change password' Problem Root Cause There is an override of field_view_get for the res.users model in the hr module which elevates the user with sudo so that the user may modify their own user in some capacity. The problem is that by elevating the ACLs of the user, fields_view_get will also return actions that are not normally available to the user (e.g. deletion of user profile) Related Issues/PR - opw-2735671 closes odoo/odoo#83577 Signed-off-by: Yannick Tivisse (yti) --- addons/hr/models/res_users.py | 16 ++++++++++++--- addons/hr/tests/test_self_user_access.py | 26 ++++++++++++++++++++++++ addons/hr/views/res_users.xml | 1 + 3 files changed, 40 insertions(+), 3 deletions(-) diff --git a/addons/hr/models/res_users.py b/addons/hr/models/res_users.py index 91eaeadf78bea..9472143e51d4f 100644 --- a/addons/hr/models/res_users.py +++ b/addons/hr/models/res_users.py @@ -1,7 +1,7 @@ # -*- coding: utf-8 -*- # Part of Odoo. See LICENSE file for full copyright and licensing details. -from odoo import api, models, fields, _, SUPERUSER_ID +from odoo import api, models, fields, _ from odoo.exceptions import AccessError @@ -146,9 +146,19 @@ def fields_view_get(self, view_id=None, view_type='form', toolbar=False, submenu # Note: limit the `sudo` to the only action of "editing own profile" action in order to # avoid breaking `groups` mecanism on res.users form view. profile_view = self.env.ref("hr.res_users_view_form_profile") + original_user = self.env.user if profile_view and view_id == profile_view.id: - self = self.with_user(SUPERUSER_ID) - return super(User, self).fields_view_get(view_id=view_id, view_type=view_type, toolbar=toolbar, submenu=submenu) + self = self.sudo() + result = super(User, self).fields_view_get(view_id=view_id, view_type=view_type, toolbar=toolbar, submenu=submenu) + # Due to using the SUPERUSER the result will contain action that the user may not have access too + # here we filter out actions that requires special implicit rights to avoid having unusable actions + # in the dropdown menu. + if toolbar and self.env.user != original_user: + self = self.with_user(original_user.id) + if not self.user_has_groups("base.group_erp_manager"): + change_password_action = self.env.ref("base.change_password_wizard_action") + result['toolbar']['action'] = [act for act in result['toolbar']['action'] if act['id'] != change_password_action.id] + return result def write(self, vals): """ diff --git a/addons/hr/tests/test_self_user_access.py b/addons/hr/tests/test_self_user_access.py index 37aa30e00b1fa..baf5793550afe 100644 --- a/addons/hr/tests/test_self_user_access.py +++ b/addons/hr/tests/test_self_user_access.py @@ -76,6 +76,32 @@ def test_profile_view_fields(self): # Compare both self.assertEqual(full_fields.keys(), fields.keys(), "View fields should not depend on user's groups") + def test_access_my_profile_toolbar(self): + """ A simple user shouldn't have the possibilities to see the 'Change Password' action""" + james = new_test_user(self.env, login='jam', groups='base.group_user', name='Simple employee', email='jam@example.com') + james = james.with_user(james) + self.env['hr.employee'].create({ + 'name': 'James', + 'user_id': james.id, + }) + view = self.env.ref('hr.res_users_view_form_profile') + available_actions = james.fields_view_get(view_id=view.id, toolbar=True)['toolbar']['action'] + change_password_action = self.env.ref("base.change_password_wizard_action") + + self.assertFalse(any(x['id'] == change_password_action.id for x in available_actions)) + + """ An ERP manager should have the possibilities to see the 'Change Password' """ + john = new_test_user(self.env, login='joh', groups='base.group_erp_manager', name='ERP Manager', email='joh@example.com') + john = john.with_user(john) + self.env['hr.employee'].create({ + 'name': 'John', + 'user_id': john.id, + }) + view = self.env.ref('hr.res_users_view_form_profile') + available_actions = john.fields_view_get(view_id=view.id, toolbar=True)['toolbar']['action'] + self.assertTrue(any(x['id'] == change_password_action.id for x in available_actions)) + + class TestSelfAccessRights(TestHrCommon): def setUp(self): diff --git a/addons/hr/views/res_users.xml b/addons/hr/views/res_users.xml index e31c03203c8bf..1ae8dbf4b2953 100644 --- a/addons/hr/views/res_users.xml +++ b/addons/hr/views/res_users.xml @@ -39,6 +39,7 @@
false + false hr_employee_profile_form