@@ -297,3 +297,77 @@ def test_04_write_uid(self):
297297 self .assertEqual (contact .id , contact_id )
298298 self .assertEqual (contact .ref , "abc" )
299299 self .assertEqual (contact .write_uid , self .admin_user )
300+
301+ def test_05_create_uid_on_transient_model (self ):
302+ """Check the create_uid of records created
303+ during an impersonated session on a transient model"""
304+ # Login as admin
305+ self .authenticate (user = "admin" , password = "admin" )
306+
307+ # Impersonate demo user and create a wizard record
308+ self ._impersonate_user (self .demo_user )
309+
310+ response = self .url_open (
311+ "/web/dataset/call_kw/mail.followers.edit/web_save" ,
312+ data = json .dumps (
313+ {
314+ "params" : {
315+ "model" : "mail.followers.edit" ,
316+ "method" : "web_save" ,
317+ "args" : [
318+ [],
319+ {
320+ "res_model" : "res.partner" ,
321+ "message" : "Hello" ,
322+ },
323+ {},
324+ ],
325+ "kwargs" : {},
326+ },
327+ }
328+ ),
329+ headers = {"Content-Type" : "application/json" },
330+ )
331+ self .assertEqual (response .status_code , 200 )
332+ data = response .json ()
333+ result = data ["result" ]
334+ settings_id = result [0 ]["id" ]
335+
336+ wizard = self .env ["mail.followers.edit" ].browse (settings_id )
337+ self .assertIn ("Hello" , wizard .message )
338+ self .assertEqual (wizard .create_uid , self .demo_user )
339+
340+ def test_06_limit_access_to_admin (self ):
341+ """
342+ Test restriction on impersonating admin users
343+ with 'Administration: Settings' access rights.
344+ """
345+ config_settings = self .env ["res.config.settings" ].create (
346+ {"restrict_impersonate_admin_settings" : True }
347+ )
348+ config_settings .execute ()
349+
350+ config_restrict = (
351+ self .env ["ir.config_parameter" ]
352+ .sudo ()
353+ .get_param ("impersonate_login.restrict_impersonate_admin_settings" )
354+ )
355+ self .assertTrue (config_restrict )
356+
357+ admin_settings_group = self .env .ref ("base.group_system" )
358+ self .admin_user .group_ids += admin_settings_group
359+
360+ self .authenticate (user = self .demo_login , password = self .demo_password )
361+ self .assertEqual (self .session .uid , self .demo_user .id )
362+
363+ self .demo_user .group_ids += self .env .ref (
364+ "impersonate_login.group_impersonate_login"
365+ )
366+
367+ with mute_logger ("odoo.http" ):
368+ data = self ._impersonate_user (self .admin_user )
369+ self .assertEqual (
370+ data ["error" ]["data" ]["message" ],
371+ "You cannot impersonate users with "
372+ "'Administration: Settings' access rights." ,
373+ )
0 commit comments