[14.0][FIX] user profile fix

addons/hr/models/res_users.py

@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 # Part of Odoo. See LICENSE file for full copyright and licensing details.
 
-from odoo import api, models, fields, _, SUPERUSER_ID
+from odoo import api, models, fields, _
 from odoo.exceptions import AccessError
 
 
@@ -146,9 +146,19 @@ def fields_view_get(self, view_id=None, view_type='form', toolbar=False, submenu
         # Note: limit the `sudo` to the only action of "editing own profile" action in order to
         # avoid breaking `groups` mecanism on res.users form view.
         profile_view = self.env.ref("hr.res_users_view_form_profile")
+        original_user = self.env.user
         if profile_view and view_id == profile_view.id:
-            self = self.with_user(SUPERUSER_ID)
-        return super(User, self).fields_view_get(view_id=view_id, view_type=view_type, toolbar=toolbar, submenu=submenu)
+            self = self.sudo()
+        result = super(User, self).fields_view_get(view_id=view_id, view_type=view_type, toolbar=toolbar, submenu=submenu)
+        # Due to using the SUPERUSER the result will contain action that the user may not have access too
+        # here we filter out actions that requires special implicit rights to avoid having unusable actions
+        # in the dropdown menu.
+        if toolbar and self.env.user != original_user:
+            self = self.with_user(original_user.id)
+            if not self.user_has_groups("base.group_erp_manager"):
+                change_password_action = self.env.ref("base.change_password_wizard_action")
+                result['toolbar']['action'] = [act for act in result['toolbar']['action'] if act['id'] != change_password_action.id]
+        return result
 
     def write(self, vals):
         """

addons/hr/tests/test_self_user_access.py

@@ -76,6 +76,32 @@ def test_profile_view_fields(self):
         # Compare both
         self.assertEqual(full_fields.keys(), fields.keys(), "View fields should not depend on user's groups")
 
+    def test_access_my_profile_toolbar(self):
+        """ A simple user shouldn't have the possibilities to see the 'Change Password' action"""
+        james = new_test_user(self.env, login='jam', groups='base.group_user', name='Simple employee', email='[email protected]')
+        james = james.with_user(james)
+        self.env['hr.employee'].create({
+            'name': 'James',
+            'user_id': james.id,
+        })
+        view = self.env.ref('hr.res_users_view_form_profile')
+        available_actions = james.fields_view_get(view_id=view.id, toolbar=True)['toolbar']['action']
+        change_password_action = self.env.ref("base.change_password_wizard_action")
+
+        self.assertFalse(any(x['id'] == change_password_action.id for x in available_actions))
+
+        """ An ERP manager should have the possibilities to see the 'Change Password' """
+        john = new_test_user(self.env, login='joh', groups='base.group_erp_manager', name='ERP Manager', email='[email protected]')
+        john = john.with_user(john)
+        self.env['hr.employee'].create({
+            'name': 'John',
+            'user_id': john.id,
+        })
+        view = self.env.ref('hr.res_users_view_form_profile')
+        available_actions = john.fields_view_get(view_id=view.id, toolbar=True)['toolbar']['action']
+        self.assertTrue(any(x['id'] == change_password_action.id for x in available_actions))
+
+
 class TestSelfAccessRights(TestHrCommon):
 
     def setUp(self):

addons/hr/views/res_users.xml

@@ -39,6 +39,7 @@
             <field name="arch" type="xml">
                 <form position="attributes">
                     <attribute name="create">false</attribute>
+                    <attribute name="delete">false</attribute>
                     <attribute name="js_class">hr_employee_profile_form</attribute>
                 </form>
                 <notebook position="replace">

addons/point_of_sale/static/src/js/Screens/OrderManagementScreen/OrderFetcher.js

@@ -133,6 +133,7 @@ odoo.define('point_of_sale.OrderFetcher', function (require) {
             const idsNotInCache = ids.filter((id) => !(id in this.cache));
             if (idsNotInCache.length > 0) {
                 const fetchedOrders = await this._fetchOrders(idsNotInCache);
+                await this.comp.env.pos._loadMissingProducts(fetchedOrders);
                 // Cache these fetched orders so that next time, no need to fetch
                 // them again, unless invalidated. See `invalidateCache`.
                 fetchedOrders.forEach((order) => {

addons/point_of_sale/static/src/js/db.js

@@ -363,7 +363,9 @@ var PosDB = core.Class.extend({
         var list = [];
         if (product_ids) {
             for (var i = 0, len = Math.min(product_ids.length, this.limit); i < len; i++) {
-                list.push(this.product_by_id[product_ids[i]]);
+                const product = this.product_by_id[product_ids[i]];
+                if (!(product.active && product.available_in_pos)) continue;
+                list.push(product);
             }
         }
         return list;
@@ -385,7 +387,9 @@ var PosDB = core.Class.extend({
             var r = re.exec(this.category_search_string[category_id]);
             if(r){
                 var id = Number(r[1]);
-                results.push(this.get_product_by_id(id));
+                const product = this.get_product_by_id(id);
+                if (!(product.active && product.available_in_pos)) continue;
+                results.push(product);
             }else{
                 break;
             }

addons/point_of_sale/static/src/js/models.js

@@ -428,7 +428,7 @@ exports.PosModel = Backbone.Model.extend({
         model:  'product.product',
         fields: ['display_name', 'lst_price', 'standard_price', 'categ_id', 'pos_categ_id', 'taxes_id',
                  'barcode', 'default_code', 'to_weight', 'uom_id', 'description_sale', 'description',
-                 'product_tmpl_id','tracking', 'write_date', 'available_in_pos', 'attribute_line_ids'],
+                 'product_tmpl_id','tracking', 'write_date', 'available_in_pos', 'attribute_line_ids', 'active'],
         order:  _.map(['sequence','default_code','name'], function (name) { return {name: name}; }),
         domain: function(self){
             var domain = ['&', '&', ['sale_ok','=',true],['available_in_pos','=',true],'|',['company_id','=',self.config.company_id[0]],['company_id','=',false]];
@@ -777,8 +777,9 @@ exports.PosModel = Backbone.Model.extend({
      * Second load all orders belonging to the same config but from other sessions,
      * Only if tho order has orderlines.
      */
-    load_orders: function(){
+    load_orders: async function(){
         var jsons = this.db.get_unpaid_orders();
+        await this._loadMissingProducts(jsons);
         var orders = [];
 
         for (var i = 0; i < jsons.length; i++) {
@@ -810,7 +811,27 @@ exports.PosModel = Backbone.Model.extend({
             this.get('orders').add(orders);
         }
     },
-
+    async _loadMissingProducts(orders) {
+        const missingProductIds = new Set([]);
+        for (const order of orders) {
+            for (const line of order.lines) {
+                const productId = line[2].product_id;
+                if (missingProductIds.has(productId)) continue;
+                if (!this.db.get_product_by_id(productId)) {
+                    missingProductIds.add(productId);
+                }
+            }
+        }
+        const productModel = _.find(this.models, function(model){return model.model === 'product.product';});
+        const fields = productModel.fields;
+        const products = await this.rpc({
+            model: 'product.product',
+            method: 'read',
+            args: [[...missingProductIds], fields],
+            context: Object.assign(this.session.user_context, { display_default_code: false }),
+        });
+        productModel.loaded(this, products);
+    },
     set_start_order: function(){
         var orders = this.get('orders').models;