# External ID ("module.xml_id") of the group used as the restricted group in
# these tests; the demo user is expected NOT to be a member of it initially.
GROUP_TECHNICAL_FEATURES = 'base.group_no_one'
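class TestACL(common.TransactionCase):
    """Check field-level access restrictions driven by a column's ``groups``."""

    def setUp(self):
        """Look up the models and the restricted group used by the tests."""
        super(TestACL, self).setUp()
        self.res_currency = self.registry('res.currency')
        self.res_partner = self.registry('res.partner')
        self.res_users = self.registry('res.users')
        # NOTE(review): the tests below read ``self.demo_uid``, but no
        # assignment to it is visible in this part of the file -- confirm it is
        # set (here or by the base class) before these tests run.
        self.tech_group = self.registry('ir.model.data').get_object(
            self.cr, self.uid, *GROUP_TECHNICAL_FEATURES.split('.'))

    def _currency_rate_visibility(self):
        """Return ``(fields, rate_nodes)`` as seen by the demo user.

        ``fields`` is the ``fields_get`` result for ``res.currency`` and
        ``rate_nodes`` the ``<field name="rate">`` elements found in the form
        view architecture returned by ``fields_view_get``.
        """
        fields = self.res_currency.fields_get(self.cr, self.demo_uid, [])
        form_view = self.res_currency.fields_view_get(self.cr, self.demo_uid, False, 'form')
        view_arch = etree.fromstring(form_view.get('arch'))
        return fields, view_arch.xpath("//field[@name='rate']")

    def test_field_visibility_restriction(self):
        """Check that model-level ``groups`` parameter effectively restricts access to that
           field for users who do not belong to one of the explicitly allowed groups"""
        # Verify the test environment first
        original_fields, rate_nodes = self._currency_rate_visibility()
        has_tech_feat = self.res_users.has_group(self.cr, self.demo_uid, GROUP_TECHNICAL_FEATURES)
        self.assertFalse(has_tech_feat, "`demo` user should not belong to the restricted group before the test")
        self.assertIn('rate', original_fields, "'rate' field must be properly visible before the test")
        self.assertNotEqual(rate_nodes, [],
                            "Field 'rate' must be found in view definition before the test")

        rate_column = self.res_currency._columns['rate']
        try:
            # Restrict access to the field and check it's gone
            rate_column.groups = GROUP_TECHNICAL_FEATURES
            fields, rate_nodes = self._currency_rate_visibility()
            self.assertNotIn('rate', fields, "'rate' field should be gone")
            self.assertEqual(rate_nodes, [],
                             "Field 'rate' must not be found in view definition")

            # Make demo user a member of the restricted group and check that the field is back
            self.tech_group.write({'users': [(4, self.demo_uid)]})  # (4, id): link
            has_tech_feat = self.res_users.has_group(self.cr, self.demo_uid, GROUP_TECHNICAL_FEATURES)
            fields, rate_nodes = self._currency_rate_visibility()
            self.assertTrue(has_tech_feat, "`demo` user should now belong to the restricted group")
            self.assertIn('rate', fields, "'rate' field must be properly visible again")
            self.assertNotEqual(rate_nodes, [],
                                "Field 'rate' must be found in view definition again")
        finally:
            # Always undo the restriction: ``_columns`` is modified in place on
            # the model object, so a failed assertion would otherwise leave
            # 'rate' restricted for whatever runs next. The in-memory reset goes
            # first so it happens even if the database write below fails.
            rate_column.groups = False
            self.tech_group.write({'users': [(3, self.demo_uid)]})  # (3, id): unlink

    def test_field_crud_restriction(self):
        """Read/Write RPC access to restricted field should be forbidden.

        NOTE: the denial itself is not asserted yet (see the FIXME below). As
        written, this test only checks that read/write succeed before the
        restriction and after the demo user joins the allowed group, so a pass
        does not show that field-level ``groups`` are enforced on read/write.
        """
        # Verify the test environment first
        has_tech_feat = self.res_users.has_group(self.cr, self.demo_uid, GROUP_TECHNICAL_FEATURES)
        self.assertFalse(has_tech_feat, "`demo` user should not belong to the restricted group")
        self.assertTrue(self.res_partner.read(self.cr, self.demo_uid, [1], ['bank_ids']))
        self.assertTrue(self.res_partner.write(self.cr, self.demo_uid, [1], {'bank_ids': []}))

        bank_ids_column = self.res_partner._columns['bank_ids']
        try:
            # Now restrict access to the field and check it's forbidden
            bank_ids_column.groups = GROUP_TECHNICAL_FEATURES
            # FIXME TODO: enable next tests when access rights checks per field are implemented
            # from openerp.osv.orm import except_orm
            # with self.assertRaises(except_orm):
            #     self.res_partner.read(self.cr, self.demo_uid, [1], ['bank_ids'])
            # with self.assertRaises(except_orm):
            #     self.res_partner.write(self.cr, self.demo_uid, [1], {'bank_ids': []})

            # Add the restricted group, and check that it works again
            self.tech_group.write({'users': [(4, self.demo_uid)]})  # (4, id): link
            has_tech_feat = self.res_users.has_group(self.cr, self.demo_uid, GROUP_TECHNICAL_FEATURES)
            self.assertTrue(has_tech_feat, "`demo` user should now belong to the restricted group")
            self.assertTrue(self.res_partner.read(self.cr, self.demo_uid, [1], ['bank_ids']))
            self.assertTrue(self.res_partner.write(self.cr, self.demo_uid, [1], {'bank_ids': []}))
        finally:
            # Same reasoning as in the visibility test: restore the in-place
            # change to ``_columns`` even when an assertion fails, then drop
            # the group membership that was added for the test.
            bank_ids_column.groups = False
            self.tech_group.write({'users': [(3, self.demo_uid)]})  # (3, id): unlink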
86 if __name__ == '__main__':
89 # vim:expandtab:smartindent:tabstop=4:softtabstop=4:shiftwidth=4: