[14.0] group_backend: new module #116
Conversation
|
This depends on odoo/odoo#68106 with |
| makes hard to maintain proper access right according your business. | ||
| """ | ||
| res = super(Users, self).has_group(group_ext_id) | ||
| if not res and group_ext_id == "base.group_user": |
There was a problem hiding this comment.
I think this is a smart hack avoiding a lot of mess in the code.
However it makes the behavior of this module unpredictable in long term. At anytime, the native code of Odoo could be changed to rely on has_group to grant additional access and then we would loose control again on what the users of that group could or could not do. And since this is touching security, this is one of the few things that might change within the same major version of Odoo.
It seems that web module only relies one time on self.env.user.has_group('base.group_user') and for base module there are 5 cases of usage (some might not be easy to override). And it might be acceptable to not override all cases, because overriding would only make sense if you want to give the permission which might not be needed for this very special user type. So overriding only the few necessary places could make sense.
I don't think portal module is necessary to take into consideration as it is not really "core" (it's not auto_install anymore in v14).
In my opinion, the code of this PR could:
- stay as it is if highlighting more the risk
OR - add the code to override wherever necessary
To highlight the risk:
- the content of this docstring can be added as a Limitation in the Readme
- a warning log could alert that we are bypassing the expected behavior of has_group.
if not res and group_ext_id == "base.group_user":
has_group_backend = super(Users, self).has_group("group_backend.group_backend")
if has_group_backend:
logging.waning("Forcing has_group to return True for group_backend")
return has_group_backend
There was a problem hiding this comment.
Thanks a lot for your feed backs.
I've fist had a try to override the code in different parts but was no very confident as behavior would change according module dependency tree if portal or website are installed this would make difficult to predict which one will be called last (thinking Home._login_redirect or Home.index methods) and I don't want to depends on such modules.
So I think it's very good Idea to add a warning log and prevent against risk in README limitation.
I'll do that first.
As a developer we have to keep in mind using this module and grant a user with 's group is equivalent to grant 's group everywhere has been used.
|
To follow the name conventions being used, i think the module name should be |
Co-authored-by: Jean-Charles Drubay <[email protected]>
apply typo review suggestion Co-authored-by: Jean-Charles Drubay <[email protected]>
Thanks for suggestion I will adding that in my todo list ! |
|
There hasn't been any activity on this pull request in the past 4 months, so it has been marked as stale and it will be closed automatically if no further activity occurs in the next 30 days. |
github-actions
bot
added
the
stale
|
see 16.0 version of the module #205 |
Syncing from upstream OCA/server-backend (14.0)
Parts of the module description
This module was written to extend the standard functionality regarding users
and groups management by adding a new
Backend usergroup that only gives accessto odoo backend (
/web):The problem with the
Internal useris when you want to gives access to thebackend to a really thin part of your business to some users, it's quite hard
to properly maintain those roles over the project life, a lot of models use
that group (
base.group_user) by default which makes hardto maintains.
So that helps creating well-defined user groups with more controls.