Merge pull request #739 from KolushovAlexandr/11.0-base_attendance-se…

…curity_issues

🚑 errors on some actions of attendance manager

base_attendance/__manifest__.py

@@ -7,7 +7,7 @@
     "category": "Extra Tools",
     # "live_test_url": "",
     "images": [],
-    "version": "11.0.1.1.0",
+    "version": "11.0.1.1.1",
     "application": False,
 
     "author": "IT-Projects LLC, Kolushov Alexandr",

base_attendance/doc/changelog.rst

@@ -1,3 +1,8 @@
+`1.1.1`
+-------
+
+- **Fix:** Security issues for ``Attendance Manager`` group on opening the **Kiosk Mode**
+
 `1.1.0`
 -------
 

base_attendance/doc/index.rst

@@ -17,8 +17,9 @@ In order to set access rights for users
 
     * ``Read-Only`` may see only *Attendances* menu
     * ``Manual Attendance`` may create and update partner attendances, but not delete
-    * ``Officer`` may also delete partners attendances, has access to *Partners*, *Reports* menus and *Kiosk Mode*
-    * ``Manager`` like Officer, but also has access to *Configuration* menu
+    * ``Manager`` may also delete partners attendances, has access to *Partners*, *Reports* menus and *Kiosk Mode*
+
+* In order to get access to ``Configuration`` menu user has to have **Administration** ``Settings`` rights
 
 Barcode
 -------

base_attendance/models/res_config.py

@@ -24,7 +24,7 @@ def set_values(self):
         config_parameters = self.env["ir.config_parameter"].sudo()
         for record in self:
             config_parameters.set_param("base_attendance.shift_autocheckout",
-                                                      record.shift_autocheckout or '0')
+                                        record.shift_autocheckout or '0')
             config_parameters.set_param("base_attendance.hex_scanner_is_used", record.hex_scanner_is_used)
         self.checkout_shifts()
 

base_attendance/security/ir.model.access.csv

@@ -1,5 +1,5 @@
 id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
 access_hr_attendance_readonly_attendance,res.partner.attendance.user,model_res_partner_attendance,base_attendance.group_res_attendance,1,0,0,0
 access_hr_attendance_manual_attendance,res.partner.attendance.user,model_res_partner_attendance,base_attendance.group_manual_attendance,1,1,1,0
-access_hr_attendance_officer,res.partner.attendance.user,model_res_partner_attendance,base_attendance.group_hr_attendance_user,1,1,1,1
+access_hr_attendance_officer,res.partner.attendance.user,model_res_partner_attendance,base_attendance.group_hr_attendance_manager,1,1,1,1
 access_hr_attendance_attendance,res.partner.attendance.user,model_res_partner_attendance,,0,0,0,0

base_attendance/security/res_attendance_security.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!-- Copyright (c) 2004-2015 Odoo S.A.
-     Copyright 2018 Kolushov Alexandr <https://it-projects.info/team/KolushovAlexandr>
+     Copyright 2018-2019 Kolushov Alexandr <https://it-projects.info/team/KolushovAlexandr>
      License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).-->
 <odoo>
     <record model="ir.module.category" id="module_category_attendance">
@@ -22,16 +22,10 @@
         <field name="comment">The user will gain access to manage partners attendance.</field>
     </record>
 
-    <record id="group_hr_attendance_user" model="res.groups">
-        <field name="name">Officer</field>
-        <field name="category_id" ref="module_category_attendance"/>
-        <field name="implied_ids" eval="[(4, ref('group_manual_attendance'))]"/>
-    </record>
-
     <record id="group_hr_attendance_manager" model="res.groups">
         <field name="name">Manager</field>
         <field name="category_id" ref="module_category_attendance"/>
-        <field name="implied_ids" eval="[(4, ref('base_attendance.group_hr_attendance_user'))]"/>
+        <field name="implied_ids" eval="[(4, ref('group_manual_attendance'))]"/>
         <field name="users" eval="[(4, ref('base.user_root'))]"/>
     </record>
 
@@ -51,7 +45,7 @@
             <field name="name">attendance officer: full access</field>
             <field name="model_id" ref="model_res_partner_attendance"/>
             <field name="domain_force">[(1,'=',1)]</field>
-            <field name="groups" eval="[(4,ref('base_attendance.group_hr_attendance_user'))]"/>
+            <field name="groups" eval="[(4,ref('base_attendance.group_hr_attendance_manager'))]"/>
         </record>
 
     </data>

base_attendance/static/src/js/greeting_message.js

@@ -27,7 +27,7 @@ var GreetingMessage = Widget.extend({
         // to the (likely) appropriate menu, according to the user access rights
         if(!action.attendance) {
             this.activeBarcode = false;
-            this.getSession().user_has_group('base_attendance.group_hr_attendance_user').then(function(has_group) {
+            this.getSession().user_has_group('base_attendance.group_hr_attendance_manager').then(function(has_group) {
                 if(has_group) {
                     self.next_action = 'base_attendance.hr_attendance_action_kiosk_mode';
                 } else {

base_attendance/views/res_attendance_view.xml

@@ -130,7 +130,7 @@
         <field name="model_id" ref="model_res_partner_attendance"/>
         <field name="state">code</field>
         <field name="code">
-hex_scanner_is_used = model.env["ir.config_parameter"].get_param("base_attendance.hex_scanner_is_used",default=False)
+hex_scanner_is_used = model.env["ir.config_parameter"].sudo().get_param("base_attendance.hex_scanner_is_used",default=False)
 action = {
     'type': 'ir.actions.client',
     'tag': 'base_attendance_kiosk_mode',
@@ -273,11 +273,11 @@ action = {
 
     <menuitem id="menu_hr_attendance_view_attendances" name="Attendances" parent="menu_hr_attendance_manage_attendances" sequence="10" groups="base_attendance.group_res_attendance" action="hr_attendance_action"/>
 
-    <menuitem id="menu_hr_attendance_view_partners_kanban" name="Partners" parent="menu_hr_attendance_manage_attendances" sequence="15" groups="base_attendance.group_hr_attendance_user" action="base.action_partner_form"/>
+    <menuitem id="menu_hr_attendance_view_partners_kanban" name="Partners" parent="menu_hr_attendance_manage_attendances" sequence="15" groups="base_attendance.group_hr_attendance_manager" action="base.action_partner_form"/>
 
-    <menuitem id="menu_hr_attendance_kiosk_mode" name="Kiosk Mode" parent="menu_hr_attendance_manage_attendances" sequence="20" groups="base_attendance.group_hr_attendance_user" action="hr_attendance_action_kiosk_mode"/>
+    <menuitem id="menu_hr_attendance_kiosk_mode" name="Kiosk Mode" parent="menu_hr_attendance_manage_attendances" sequence="20" groups="base_attendance.group_hr_attendance_manager" action="hr_attendance_action_kiosk_mode"/>
 
-    <menuitem id="menu_hr_attendance_report" name="Reports" parent="menu_base_attendance_root" sequence="30" groups="base_attendance.group_hr_attendance_user" action="hr_attendance_action_graph"/>
+    <menuitem id="menu_hr_attendance_report" name="Reports" parent="menu_base_attendance_root" sequence="30" groups="base_attendance.group_hr_attendance_manager" action="hr_attendance_action_graph"/>
 
     <!--IR CRON-->
 

base_attendance/views/res_config_view.xml

@@ -31,5 +31,5 @@
     </record>
 
     <menuitem id="base_attendance.menu_hr_attendance_settings" name="Configuration" parent="menu_base_attendance_root"
-        sequence="99" action="action_hr_attendance_settings" groups="base_attendance.group_hr_attendance_manager"/>
+        sequence="99" action="action_hr_attendance_settings" groups="base.group_system"/>
 </odoo>