@fw-bot fw-bot commented Mar 10, 2025

Before this commit all systray items of website were hidden for users that did not have the Restricted Editor right.

This commit limits only some of the items to users having the Restricted Editor right:

  • Published: unrelated
  • Mobile preview: unrelated
  • Website switcher: unrelated
    • New: Restricted Editor only
  • Edit in backend: unrelated
  • Translate: Restricted Editor only
  • Edit: Restricted Editor only

It therefore now shows the Published button only based on the result of the _compute_can_publish method of the website.published.mixin. The default implementation now checks whether the user has write access to the website_published field on the record.

Steps to reproduce:

  • Install website_crm_partner_assign.
  • Connect as a user without any Website role, and in Sales, the "User: Own Documents Only" role.
  • Go to a partner in the /partners page. => "Published" button did not appear.

And on the contrary:

  • Connect as a Restricted Editor user without Sales rights.
  • Go to a partner in the /partners page.
  • Click on "Published". => An access right error notification did appear.

task-3175890

Forward-Port-Of: #198751
Forward-Port-Of: #112421
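
The two reproduction scenarios above come down to a UI gate (Restricted Editor) that differs from the check the server enforces (write access). The sketch below is an added illustration, not part of this PR and not Odoo code: the ACL table, users and function names are hypothetical, record rules are ignored, and Mobile preview and Website switcher are left out.

```python
# Added illustration with hypothetical names; this is not Odoo code.
# Constructed ACL: group -> models the group may write (record rules ignored).
WRITE_ACL = {
    "sales_own_documents": {"res.partner"},
    "restricted_editor": {"website.page"},
}
# Constructed users: name -> groups.
USERS = {
    "salesperson": {"sales_own_documents"},
    "editor": {"restricted_editor"},
    "both": {"sales_own_documents", "restricted_editor"},
    "neither": set(),
}

def can_write(groups, model):
    return any(model in WRITE_ACL.get(g, ()) for g in groups)

def toggle_published(groups, model):
    """Server-side enforcement: the same before and after the change."""
    if not can_write(groups, model):
        raise PermissionError(f"no write access to {model}")
    return True

def systray_before(groups, model):
    """Before: every item is hidden without Restricted Editor."""
    if "restricted_editor" not in groups:
        return set()
    return {"published", "new", "edit_in_backend", "translate", "edit"}

def systray_after(groups, model):
    """After: Published follows write access; editor tools stay gated."""
    items = {"edit_in_backend"}
    if can_write(groups, model):  # stands in for _compute_can_publish
        items.add("published")
    if "restricted_editor" in groups:
        items |= {"new", "translate", "edit"}
    return items

def mismatches(systray, model="res.partner"):
    """Users whose Published button disagrees with what the server allows."""
    found = []
    for name, groups in USERS.items():
        shown = "published" in systray(groups, model)
        try:
            allowed = toggle_published(groups, model)
        except PermissionError:
            allowed = False
        if shown != allowed:
            found.append(name)
    return found
```

`mismatches(systray_before)` lists the salesperson (button hidden although the write is allowed) and the editor (button shown although the write is refused); `mismatches(systray_after)` is empty.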

@robodoo robodoo added the forwardport This PR was created by @fw-bot label Mar 10, 2025
robodoo commented Mar 10, 2025

Pull request status dashboard

fw-bot commented Mar 10, 2025

This PR targets saas-18.1 and is part of the forward-port chain. Further PRs will be created up to master.

More info at https://github.com/odoo/odoo/wiki/Mergebot#forward-port

fw-bot commented Mar 10, 2025

@bso-odoo @qsm-odoo ci/template failed on this forward-port PR

fw-bot commented Mar 10, 2025

@bso-odoo @qsm-odoo ci/runbot failed on this forward-port PR

@C3POdoo C3POdoo added the RD research & development, internal work label Mar 10, 2025
@bso-odoo bso-odoo force-pushed the saas-18.1-16.0-fix_can_publish_right-bso-417857-fw branch from 73589e8 to bf124e9 Compare March 11, 2025 08:36
fw-bot commented Mar 11, 2025

@bso-odoo @qsm-odoo this PR was modified / updated and has become a normal PR. It must be merged directly.

@C3POdoo C3POdoo requested review from a team March 11, 2025 08:39
@bso-odoo bso-odoo force-pushed the saas-18.1-16.0-fix_can_publish_right-bso-417857-fw branch from bf124e9 to e87a9de Compare March 11, 2025 14:40
The `is-ready` attribute of the website preview iframe is only set after
the wysiwyg lazy assets are loaded.
Because of this, the iframe is never set as ready for users who are not
at least website restricted editors.
This prevents tours from matching selectors inside the iframe.

This commit also makes the public root ready for non-website users.

runbot-114278
runbot-114279
runbot-114281
runbot-114283
runbot-114287
runbot-114289

X-original-commit: f9afe1b
Part-of: odoo#200223
Signed-off-by: Quentin Smetz (qsm) <qsm@odoo.com>
Signed-off-by: Benoit Socias (bso) <bso@odoo.com>
Before this commit all systray items of website were hidden for users
that did not have the Restricted Editor right.

This commit limits only some of the items to users having the
Restricted Editor right:
- Published: unrelated (but still need to be able to publish)
- Mobile preview: technically unrelated, but keeping it limited to
Restricted Editor only
- Website switcher: unrelated (but still need multi website enabled)
- + New: Restricted Editor only
- Edit in backend: unrelated
- Translate: Restricted Editor only
- Edit: Restricted Editor only

It therefore now shows the Published button only based on the result of
the `_compute_can_publish` method of the `website.published.mixin`.
The default implementation now checks whether the user has write access
to the `website_published` field on the record.

Steps to reproduce:
- Install `website_crm_partner_assign`.
- Connect as a user without any Website role, and in Sales, the "User:
Own Documents Only" role.
- Go to a partner in the `/partners` page.
=> "Published" button did not appear.

And on the contrary:
- Connect as a Restricted Editor user without Sales rights.
- Go to a partner in the `/partners` page.
- Click on "Published".
=> An access right error notification did appear.

task-3175890

X-original-commit: 081e558
This commit adds tests to verify that partners can only be published by
users having the correct access rights.

task-3175890

X-original-commit: 99210ad
This commit defines access rights and a dedicated "Tester" role to allow
for the edition of the `test.model`.
The test verifies that each kind of user either has, or does not have
access to each item of the systray.

- Checked for:
* admins
* tester and restricted editor
* non-tester but restricted editor
* non-restricted editors but testers
* neither

task-3175890

X-original-commit: 0e63bb5
@bso-odoo bso-odoo force-pushed the saas-18.1-16.0-fix_can_publish_right-bso-417857-fw branch from e87a9de to 3515ff7 Compare March 12, 2025 07:37
@bso-odoo

@robodoo r+

robodoo pushed a commit that referenced this pull request Mar 13, 2025
The `is-ready` attribute of the website preview iframe is only set after
the wysiwyg lazy assets are loaded.
Because of this, the iframe is never set as ready for users who are not
at least website restricted editors.
This prevents tours from matching selectors inside the iframe.

This commit also makes the public root ready for non-website users.

runbot-114278
runbot-114279
runbot-114281
runbot-114283
runbot-114287
runbot-114289

X-original-commit: f9afe1b
Part-of: #201029
Related: odoo/enterprise#81164
Signed-off-by: Quentin Smetz (qsm) <qsm@odoo.com>
Signed-off-by: Benoit Socias (bso) <bso@odoo.com>
robodoo pushed a commit that referenced this pull request Mar 13, 2025
Before this commit all systray items of website were hidden for users
that did not have the Restricted Editor right.

This commit limits only some of the items to users having the
Restricted Editor right:
- Published: unrelated (but still need to be able to publish)
- Mobile preview: technically unrelated, but keeping it limited to
Restricted Editor only
- Website switcher: unrelated (but still need multi website enabled)
- + New: Restricted Editor only
- Edit in backend: unrelated
- Translate: Restricted Editor only
- Edit: Restricted Editor only

It therefore now shows the Published button only based on the result of
the `_compute_can_publish` method of the `website.published.mixin`.
The default implementation now checks whether the user has write access
to the `website_published` field on the record.

Steps to reproduce:
- Install `website_crm_partner_assign`.
- Connect as a user without any Website role, and in Sales, the "User:
Own Documents Only" role.
- Go to a partner in the `/partners` page.
=> "Published" button did not appear.

And on the contrary:
- Connect as a Restricted Editor user without Sales rights.
- Go to a partner in the `/partners` page.
- Click on "Published".
=> An access right error notification did appear.

task-3175890

X-original-commit: 081e558
Part-of: #201029
Related: odoo/enterprise#81164
Signed-off-by: Quentin Smetz (qsm) <qsm@odoo.com>
Signed-off-by: Benoit Socias (bso) <bso@odoo.com>
robodoo pushed a commit that referenced this pull request Mar 13, 2025
This commit adds tests to verify that partners can only be published by
users having the correct access rights.

task-3175890

X-original-commit: 99210ad
Part-of: #201029
Related: odoo/enterprise#81164
Signed-off-by: Quentin Smetz (qsm) <qsm@odoo.com>
Signed-off-by: Benoit Socias (bso) <bso@odoo.com>
robodoo pushed a commit that referenced this pull request Mar 13, 2025
This commit defines access rights and a dedicated "Tester" role to allow
for the edition of the `test.model`.
The test verifies that each kind of user either has, or does not have
access to each item of the systray.

- Checked for:
* admins
* tester and restricted editor
* non-tester but restricted editor
* non-restricted editors but testers
* neither

task-3175890

closes #201029

X-original-commit: 0e63bb5
Related: odoo/enterprise#81164
Signed-off-by: Quentin Smetz (qsm) <qsm@odoo.com>
Signed-off-by: Benoit Socias (bso) <bso@odoo.com>
@robodoo robodoo closed this Mar 13, 2025
@fw-bot fw-bot deleted the saas-18.1-16.0-fix_can_publish_right-bso-417857-fw branch March 20, 2025 09:52