[IMP] impersonate_login: restrict impersonate admins

Author: pcastelovigo

impersonate_login/README.rst

@@ -1,7 +1,3 @@
-.. image:: https://odoo-community.org/readme-banner-image
-   :target: https://odoo-community.org/get-involved?utm_source=readme
-   :alt: Odoo Community Association
-
 =================
 Impersonate Login
 =================
@@ -11,13 +7,13 @@ Impersonate Login
    !! This file is generated by oca-gen-addon-readme !!
    !! changes will be overwritten.                   !!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-   !! source digest: sha256:7a065218446f1a1c3d7c8df01e153960f15c80d7fc12534272a2e700896ca757
+   !! source digest: sha256:495e3835d8bd5706184290ecbbc105723329293d90630889e42c95d73e28bd09
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
 .. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
     :target: https://odoo-community.org/page/development-status
     :alt: Beta
-.. |badge2| image:: https://img.shields.io/badge/license-AGPL--3-blue.png
+.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
     :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
     :alt: License: AGPL-3
 .. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
@@ -44,10 +40,11 @@ following measures are in place:
 - Mails and messages are sent from the original user.
 - Impersonated logins are logged and can be consulted through the
   Settings -> Technical menu.
-- 
-
-There is an alternative module to allow logins as another user
-(auth_admin_passkey), but it does not support these security mechanisms.
+- You can optionally forbid impersonation of users with "Administration:
+  Settings" rights by enabling the related option in the settings. There
+  is an alternative module to allow logins as another user
+  (auth_admin_passkey), but it does not support these security
+  mechanisms.
 
 **Table of contents**
 
@@ -59,6 +56,10 @@ Configuration
 
 The impersonating user must belong to group "Impersonate Users".
 
+If you want to prevent impersonation of users with the *Administration:
+Settings* rights, enable the *Restrict Impersonation of "Administration:
+Settings" Users* option in the settings.
+
 Usage
 =====
 

impersonate_login/__manifest__.py

@@ -20,6 +20,7 @@
     "data": [
         "security/group.xml",
         "security/ir.model.access.csv",
+        "views/res_config_settings.xml",
         "views/res_users.xml",
         "views/impersonate_log.xml",
     ],

impersonate_login/models/__init__.py

@@ -4,3 +4,4 @@
 from . import mail_message
 from . import impersonate_log
 from . import model
+from . import res_config_settings

impersonate_login/models/res_config_settings.py

@@ -0,0 +1,15 @@
+from odoo import fields, models
+
+
+class ResConfigSettings(models.TransientModel):
+    _inherit = "res.config.settings"
+
+    restrict_impersonate_admin_settings = fields.Boolean(
+        string="Restrict Impersonation of 'Administration: Settings' Users",
+        config_parameter="impersonate_login.restrict_impersonate_admin_settings",
+        help=(
+            "If enabled, users with the 'Administration: Settings' access right"
+            " cannot be impersonated."
+        ),
+        default=False,
+    )

impersonate_login/models/res_users.py

@@ -24,6 +24,20 @@ def _is_impersonate_user(self):
 
     def impersonate_login(self):
         if request:
+            config_restrict = (
+                self.env["ir.config_parameter"]
+                .sudo()
+                .get_param("impersonate_login.restrict_impersonate_admin_settings")
+            )
+            if config_restrict:
+                admin_settings_group = self.env.ref("base.group_system")
+                if admin_settings_group in self.groups_id:
+                    raise UserError(
+                        self.env._(
+                            "You cannot impersonate users with"
+                            " 'Administration: Settings' access rights."
+                        )
+                    )
             if request.session.impersonate_from_uid:
                 if self.id == request.session.impersonate_from_uid:
                     return self.back_to_origin_login()

impersonate_login/readme/CONFIGURE.md

@@ -1 +1,5 @@
 The impersonating user must belong to group "Impersonate Users".
+
+If you want to prevent impersonation of users with the *Administration: Settings*
+rights, enable the *Restrict Impersonation of "Administration: Settings" Users*
+option in the settings.

impersonate_login/readme/DESCRIPTION.md

@@ -6,6 +6,7 @@ To ensure that any abuse of this feature will not go unnoticed, the following me
 * In the chatter, it is displayed who is the user that is logged as another user.
 * Mails and messages are sent from the original user.
 * Impersonated logins are logged and can be consulted through the Settings -> Technical menu.
-* 
+* You can optionally forbid impersonation of users with "Administration: Settings"
+  rights by enabling the related option in the settings.
 There is an alternative module to allow logins as another user (auth_admin_passkey),
 but it does not support these security mechanisms.

impersonate_login/static/description/index.html

@@ -3,7 +3,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
 <meta name="generator" content="Docutils: https://docutils.sourceforge.io/" />
-<title>README.rst</title>
+<title>Impersonate Login</title>
 <style type="text/css">
 
 /*
@@ -360,21 +360,16 @@
 </style>
 </head>
 <body>
-<div class="document">
+<div class="document" id="impersonate-login">
+<h1 class="title">Impersonate Login</h1>
 
-
-<a class="reference external image-reference" href="https://odoo-community.org/get-involved?utm_source=readme">
-<img alt="Odoo Community Association" src="https://odoo-community.org/readme-banner-image" />
-</a>
-<div class="section" id="impersonate-login">
-<h1>Impersonate Login</h1>
 <!-- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !! This file is generated by oca-gen-addon-readme !!
 !! changes will be overwritten.                   !!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-!! source digest: sha256:7a065218446f1a1c3d7c8df01e153960f15c80d7fc12534272a2e700896ca757
+!! source digest: sha256:495e3835d8bd5706184290ecbbc105723329293d90630889e42c95d73e28bd09
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
-<p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/license-AGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/18.0/impersonate_login"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-18-0/server-auth-18-0-impersonate_login"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=18.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
+<p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/18.0/impersonate_login"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-18-0/server-auth-18-0-impersonate_login"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=18.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
 <p>This module allows one user (for example, a member of the support team)
 to log in as another user. The impersonation session can be exited by
 clicking on the button “Back to Original User”.</p>
@@ -386,10 +381,12 @@ <h1>Impersonate Login</h1>
 <li>Mails and messages are sent from the original user.</li>
 <li>Impersonated logins are logged and can be consulted through the
 Settings -&gt; Technical menu.</li>
-<li></li>
+<li>You can optionally forbid impersonation of users with “Administration:
+Settings” rights by enabling the related option in the settings. There
+is an alternative module to allow logins as another user
+(auth_admin_passkey), but it does not support these security
+mechanisms.</li>
 </ul>
-<p>There is an alternative module to allow logins as another user
-(auth_admin_passkey), but it does not support these security mechanisms.</p>
 <p><strong>Table of contents</strong></p>
 <div class="contents local topic" id="contents">
 <ul class="simple">
@@ -405,11 +402,14 @@ <h1>Impersonate Login</h1>
 </ul>
 </div>
 <div class="section" id="configuration">
-<h2><a class="toc-backref" href="#toc-entry-1">Configuration</a></h2>
+<h1><a class="toc-backref" href="#toc-entry-1">Configuration</a></h1>
 <p>The impersonating user must belong to group “Impersonate Users”.</p>
+<p>If you want to prevent impersonation of users with the <em>Administration:
+Settings</em> rights, enable the <em>Restrict Impersonation of “Administration:
+Settings” Users</em> option in the settings.</p>
 </div>
 <div class="section" id="usage">
-<h2><a class="toc-backref" href="#toc-entry-2">Usage</a></h2>
+<h1><a class="toc-backref" href="#toc-entry-2">Usage</a></h1>
 <ol class="arabic simple">
 <li>In the menu that is displayed when clicking on the user avatar on the
 top right corner, or in the res.users list, click “Switch Login” to
@@ -419,23 +419,23 @@ <h2><a class="toc-backref" href="#toc-entry-2">Usage</a></h2>
 </ol>
 </div>
 <div class="section" id="bug-tracker">
-<h2><a class="toc-backref" href="#toc-entry-3">Bug Tracker</a></h2>
+<h1><a class="toc-backref" href="#toc-entry-3">Bug Tracker</a></h1>
 <p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/server-auth/issues">GitHub Issues</a>.
 In case of trouble, please check there if your issue has already been reported.
 If you spotted it first, help us to smash it by providing a detailed and welcomed
 <a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20impersonate_login%0Aversion:%2018.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
 <p>Do not contact contributors directly about support or help with technical issues.</p>
 </div>
 <div class="section" id="credits">
-<h2><a class="toc-backref" href="#toc-entry-4">Credits</a></h2>
+<h1><a class="toc-backref" href="#toc-entry-4">Credits</a></h1>
 <div class="section" id="authors">
-<h3><a class="toc-backref" href="#toc-entry-5">Authors</a></h3>
+<h2><a class="toc-backref" href="#toc-entry-5">Authors</a></h2>
 <ul class="simple">
 <li>Akretion</li>
 </ul>
 </div>
 <div class="section" id="contributors">
-<h3><a class="toc-backref" href="#toc-entry-6">Contributors</a></h3>
+<h2><a class="toc-backref" href="#toc-entry-6">Contributors</a></h2>
 <ul class="simple">
 <li>Kévin Roche &lt;<a class="reference external" href="mailto:kevin.roche&#64;akretion.com">kevin.roche&#64;akretion.com</a>&gt;</li>
 <li><a class="reference external" href="https://www.360erp.com">360ERP</a>:<ul>
@@ -445,7 +445,7 @@ <h3><a class="toc-backref" href="#toc-entry-6">Contributors</a></h3>
 </ul>
 </div>
 <div class="section" id="maintainers">
-<h3><a class="toc-backref" href="#toc-entry-7">Maintainers</a></h3>
+<h2><a class="toc-backref" href="#toc-entry-7">Maintainers</a></h2>
 <p>This module is maintained by the OCA.</p>
 <a class="reference external image-reference" href="https://odoo-community.org">
 <img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" />
@@ -460,6 +460,5 @@ <h3><a class="toc-backref" href="#toc-entry-7">Maintainers</a></h3>
 </div>
 </div>
 </div>
-</div>
 </body>
 </html>

impersonate_login/tests/test_impersonate_login.py

@@ -302,3 +302,38 @@ def test_05_create_uid_on_transient_model(self):
         wizard = self.env["mail.wizard.invite"].browse(settings_id)
         self.assertIn("Hello", wizard.message)
         self.assertEqual(wizard.create_uid, self.demo_user)
+
+    def test_06_limit_access_to_admin(self):
+        """
+        Test restriction on impersonating admin users
+        with 'Administration: Settings' access rights.
+        """
+        config_settings = self.env["res.config.settings"].create(
+            {"restrict_impersonate_admin_settings": True}
+        )
+        config_settings.execute()
+
+        config_restrict = (
+            self.env["ir.config_parameter"]
+            .sudo()
+            .get_param("impersonate_login.restrict_impersonate_admin_settings")
+        )
+        self.assertTrue(config_restrict)
+
+        admin_settings_group = self.env.ref("base.group_system")
+        self.admin_user.groups_id += admin_settings_group
+
+        self.authenticate(user="demo", password="demo")
+        self.assertEqual(self.session.uid, self.demo_user.id)
+
+        self.demo_user.groups_id += self.env.ref(
+            "impersonate_login.group_impersonate_login"
+        )
+
+        with mute_logger("odoo.http"):
+            data = self._impersonate_user(self.admin_user)
+        self.assertEqual(
+            data["error"]["data"]["message"],
+            "You cannot impersonate users with "
+            "'Administration: Settings' access rights.",
+        )

impersonate_login/views/res_config_settings.xml

@@ -0,0 +1,20 @@
+<odoo>
+    <record id="view_res_config_settings_impersonate" model="ir.ui.view">
+        <field name="name">res.config.settings.impersonate</field>
+        <field name="model">res.config.settings</field>
+        <field name="inherit_id" ref="base_setup.res_config_settings_view_form" />
+        <field name="arch" type="xml">
+            <block id="user_default_rights" position="after">
+                <block title="Impersonation Login" id="impersonate_login">
+                    <setting
+                        id="restrict_impersonate_admin_settings"
+                        title="Restrict Impersonation of 'Administration: Settings' Users"
+                        help="Prevents impersonating users that have the 'Administration: Settings' access rights."
+                    >
+                        <field name="restrict_impersonate_admin_settings" />
+                    </setting>
+                </block>
+            </block>
+        </field>
+    </record>
+</odoo>