Merged
21 changes: 11 additions & 10 deletions impersonate_login/README.rst
@@ -1,7 +1,3 @@
.. image:: https://odoo-community.org/readme-banner-image
:target: https://odoo-community.org/get-involved?utm_source=readme
:alt: Odoo Community Association

=================
Impersonate Login
=================
Expand All @@ -11,13 +7,13 @@ Impersonate Login
!! This file is generated by oca-gen-addon-readme !!
!! changes will be overwritten. !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! source digest: sha256:7a065218446f1a1c3d7c8df01e153960f15c80d7fc12534272a2e700896ca757
!! source digest: sha256:495e3835d8bd5706184290ecbbc105723329293d90630889e42c95d73e28bd09
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
:target: https://odoo-community.org/page/development-status
:alt: Beta
.. |badge2| image:: https://img.shields.io/badge/license-AGPL--3-blue.png
.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
:target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
:alt: License: AGPL-3
.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
Expand All @@ -44,10 +40,11 @@ following measures are in place:
- Mails and messages are sent from the original user.
- Impersonated logins are logged and can be consulted through the
Settings -> Technical menu.
-

There is an alternative module to allow logins as another user
(auth_admin_passkey), but it does not support these security mechanisms.
- You can optionally forbid impersonation of users with "Administration:
Settings" rights by enabling the related option in the settings. There
is an alternative module to allow logins as another user
(auth_admin_passkey), but it does not support these security
mechanisms.

**Table of contents**

Expand All @@ -59,6 +56,10 @@ Configuration

The impersonating user must belong to group "Impersonate Users".

If you want to prevent impersonation of users with the *Administration:
Settings* rights, enable the *Restrict Impersonation of "Administration:
Settings" Users* option in the settings.

Usage
=====

1 change: 1 addition & 0 deletions impersonate_login/__manifest__.py
Expand Up @@ -20,6 +20,7 @@
"data": [
"security/group.xml",
"security/ir.model.access.csv",
"views/res_config_settings.xml",
"views/res_users.xml",
"views/impersonate_log.xml",
],
1 change: 1 addition & 0 deletions impersonate_login/models/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -4,3 +4,4 @@
from . import mail_message
from . import impersonate_log
from . import model
from . import res_config_settings
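--- a/impersonate_login/models/res_config_settings.py
+++ b/impersonate_login/models/res_config_settings.py
@@ -0,0 +1,15 @@
+from odoo import fields, models
+
+
+class ResConfigSettings(models.TransientModel):
+_inherit = "res.config.settings"
+
+restrict_impersonate_admin_settings = fields.Boolean(
+string="Restrict Impersonation of 'Administration: Settings' Users",
+config_parameter="impersonate_login.restrict_impersonate_admin_settings",
+help=(
+"If enabled, users with the 'Administration: Settings' access right"
+" cannot be impersonated."
+),
+default=False,
+)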
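Review bot: The `help` string on `restrict_impersonate_admin_settings` names only 'Administration: Settings' and does not say that members of any other administrative group stay impersonable while the option is on. If the deployment treats further groups as privileged, for example groups allowed to manage users and access rights, the help text should state that they are not covered, or the option should be widened. A sentence such as `"Only members of 'Administration: Settings' are protected; other administrative groups can still be impersonated."` appended to `help` would make the scope explicit to whoever enables it.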
14 changes: 14 additions & 0 deletions impersonate_login/models/res_users.py
Expand Up @@ -24,6 +24,20 @@ def _is_impersonate_user(self):

def impersonate_login(self):
if request:
config_restrict = (
self.env["ir.config_parameter"]
.sudo()
.get_param("impersonate_login.restrict_impersonate_admin_settings")
)
if config_restrict:
admin_settings_group = self.env.ref("base.group_system")
if admin_settings_group in self.groups_id:
raise UserError(
self.env._(
"You cannot impersonate users with"
" 'Administration: Settings' access rights."
)
)
if request.session.impersonate_from_uid:
if self.id == request.session.impersonate_from_uid:
return self.back_to_origin_login()
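Review bot: The new restriction check sits at the top of `if request:`, ahead of the `request.session.impersonate_from_uid` branch, so with the option enabled an original user who holds `base.group_system` would, as far as this hunk shows, get the UserError instead of reaching `return self.back_to_origin_login()` when picking their own account during an impersonation session. Exempting that case, e.g. `if config_restrict and self.id != request.session.impersonate_from_uid:`, or moving the check below the back-to-origin branch, keeps the way out of a session open. `get_param` returns the stored string, so a hand-edited value such as "False" or "0" is truthy here; that fails toward the restriction being on, but parsing it explicitly (for instance with `str2bool` from `odoo.tools`) would make the behaviour predictable. The refusal raises without any log entry visible in the hunk, and since the module's premise is that impersonation leaves an audit trail, recording denied attempts on administrator accounts would be worth considering. The body of impersonate_login continues outside the hunk.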
4 changes: 4 additions & 0 deletions impersonate_login/readme/CONFIGURE.md
@@ -1 +1,5 @@
The impersonating user must belong to group "Impersonate Users".

If you want to prevent impersonation of users with the *Administration: Settings*
rights, enable the *Restrict Impersonation of "Administration: Settings" Users*
option in the settings.
3 changes: 2 additions & 1 deletion impersonate_login/readme/DESCRIPTION.md
Expand Up @@ -6,6 +6,7 @@ To ensure that any abuse of this feature will not go unnoticed, the following me
* In the chatter, it is displayed who is the user that is logged as another user.
* Mails and messages are sent from the original user.
* Impersonated logins are logged and can be consulted through the Settings -> Technical menu.
*
* You can optionally forbid impersonation of users with "Administration: Settings"
rights by enabling the related option in the settings.
There is an alternative module to allow logins as another user (auth_admin_passkey),
but it does not support these security mechanisms.
41 changes: 20 additions & 21 deletions impersonate_login/static/description/index.html
Expand Up @@ -3,7 +3,7 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="generator" content="Docutils: https://docutils.sourceforge.io/" />
<title>README.rst</title>
<title>Impersonate Login</title>
<style type="text/css">

/*
Expand Down Expand Up @@ -360,21 +360,16 @@
</style>
</head>
<body>
<div class="document">
<div class="document" id="impersonate-login">
<h1 class="title">Impersonate Login</h1>


<a class="reference external image-reference" href="https://odoo-community.org/get-involved?utm_source=readme">
<img alt="Odoo Community Association" src="https://odoo-community.org/readme-banner-image" />
</a>
<div class="section" id="impersonate-login">
<h1>Impersonate Login</h1>
<!-- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! This file is generated by oca-gen-addon-readme !!
!! changes will be overwritten. !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! source digest: sha256:7a065218446f1a1c3d7c8df01e153960f15c80d7fc12534272a2e700896ca757
!! source digest: sha256:495e3835d8bd5706184290ecbbc105723329293d90630889e42c95d73e28bd09
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
<p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/license-AGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/18.0/impersonate_login"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-18-0/server-auth-18-0-impersonate_login"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=18.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
<p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/18.0/impersonate_login"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-18-0/server-auth-18-0-impersonate_login"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=18.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
<p>This module allows one user (for example, a member of the support team)
to log in as another user. The impersonation session can be exited by
clicking on the button “Back to Original User”.</p>
Expand All @@ -386,10 +381,12 @@ <h1>Impersonate Login</h1>
<li>Mails and messages are sent from the original user.</li>
<li>Impersonated logins are logged and can be consulted through the
Settings -&gt; Technical menu.</li>
<li></li>
<li>You can optionally forbid impersonation of users with “Administration:
Settings” rights by enabling the related option in the settings. There
is an alternative module to allow logins as another user
(auth_admin_passkey), but it does not support these security
mechanisms.</li>
</ul>
<p>There is an alternative module to allow logins as another user
(auth_admin_passkey), but it does not support these security mechanisms.</p>
<p><strong>Table of contents</strong></p>
<div class="contents local topic" id="contents">
<ul class="simple">
Expand All @@ -405,11 +402,14 @@ <h1>Impersonate Login</h1>
</ul>
</div>
<div class="section" id="configuration">
<h2><a class="toc-backref" href="#toc-entry-1">Configuration</a></h2>
<h1><a class="toc-backref" href="#toc-entry-1">Configuration</a></h1>
<p>The impersonating user must belong to group “Impersonate Users”.</p>
<p>If you want to prevent impersonation of users with the <em>Administration:
Settings</em> rights, enable the <em>Restrict Impersonation of “Administration:
Settings” Users</em> option in the settings.</p>
</div>
<div class="section" id="usage">
<h2><a class="toc-backref" href="#toc-entry-2">Usage</a></h2>
<h1><a class="toc-backref" href="#toc-entry-2">Usage</a></h1>
<ol class="arabic simple">
<li>In the menu that is displayed when clicking on the user avatar on the
top right corner, or in the res.users list, click “Switch Login” to
Expand All @@ -419,23 +419,23 @@ <h2><a class="toc-backref" href="#toc-entry-2">Usage</a></h2>
</ol>
</div>
<div class="section" id="bug-tracker">
<h2><a class="toc-backref" href="#toc-entry-3">Bug Tracker</a></h2>
<h1><a class="toc-backref" href="#toc-entry-3">Bug Tracker</a></h1>
<p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/server-auth/issues">GitHub Issues</a>.
In case of trouble, please check there if your issue has already been reported.
If you spotted it first, help us to smash it by providing a detailed and welcomed
<a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20impersonate_login%0Aversion:%2018.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
<p>Do not contact contributors directly about support or help with technical issues.</p>
</div>
<div class="section" id="credits">
<h2><a class="toc-backref" href="#toc-entry-4">Credits</a></h2>
<h1><a class="toc-backref" href="#toc-entry-4">Credits</a></h1>
<div class="section" id="authors">
<h3><a class="toc-backref" href="#toc-entry-5">Authors</a></h3>
<h2><a class="toc-backref" href="#toc-entry-5">Authors</a></h2>
<ul class="simple">
<li>Akretion</li>
</ul>
</div>
<div class="section" id="contributors">
<h3><a class="toc-backref" href="#toc-entry-6">Contributors</a></h3>
<h2><a class="toc-backref" href="#toc-entry-6">Contributors</a></h2>
<ul class="simple">
<li>Kévin Roche &lt;<a class="reference external" href="mailto:kevin.roche&#64;akretion.com">kevin.roche&#64;akretion.com</a>&gt;</li>
<li><a class="reference external" href="https://www.360erp.com">360ERP</a>:<ul>
Expand All @@ -445,7 +445,7 @@ <h3><a class="toc-backref" href="#toc-entry-6">Contributors</a></h3>
</ul>
</div>
<div class="section" id="maintainers">
<h3><a class="toc-backref" href="#toc-entry-7">Maintainers</a></h3>
<h2><a class="toc-backref" href="#toc-entry-7">Maintainers</a></h2>
<p>This module is maintained by the OCA.</p>
<a class="reference external image-reference" href="https://odoo-community.org">
<img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" />
Expand All @@ -460,6 +460,5 @@ <h3><a class="toc-backref" href="#toc-entry-7">Maintainers</a></h3>
</div>
</div>
</div>
</div>
</body>
</html>
35 changes: 35 additions & 0 deletions impersonate_login/tests/test_impersonate_login.py
Expand Up @@ -302,3 +302,38 @@ def test_05_create_uid_on_transient_model(self):
wizard = self.env["mail.wizard.invite"].browse(settings_id)
self.assertIn("Hello", wizard.message)
self.assertEqual(wizard.create_uid, self.demo_user)

def test_06_limit_access_to_admin(self):
"""
Test restriction on impersonating admin users
with 'Administration: Settings' access rights.
"""
config_settings = self.env["res.config.settings"].create(
{"restrict_impersonate_admin_settings": True}
)
config_settings.execute()

config_restrict = (
self.env["ir.config_parameter"]
.sudo()
.get_param("impersonate_login.restrict_impersonate_admin_settings")
)
self.assertTrue(config_restrict)

admin_settings_group = self.env.ref("base.group_system")
self.admin_user.groups_id += admin_settings_group

self.authenticate(user="demo", password="demo")
self.assertEqual(self.session.uid, self.demo_user.id)

self.demo_user.groups_id += self.env.ref(
"impersonate_login.group_impersonate_login"
)

with mute_logger("odoo.http"):
data = self._impersonate_user(self.admin_user)
self.assertEqual(
data["error"]["data"]["message"],
"You cannot impersonate users with "
"'Administration: Settings' access rights.",
)
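Review bot: test_06_limit_access_to_admin asserts only the refusal; nothing checks that the same admin user can still be impersonated while the option is off, or that a user without `base.group_system` can still be impersonated while it is on. A further case worth adding is an original user who holds `base.group_system` returning to their own login with the option enabled, because the new check in impersonate_login runs before the back-to-origin branch. `self.assertTrue(config_restrict)` passes for any non-empty string, so `self.assertEqual(config_restrict, "True")` would pin the stored value more precisely, assuming that is what the settings write produces.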
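--- a/impersonate_login/views/res_config_settings.xml
+++ b/impersonate_login/views/res_config_settings.xml
@@ -0,0 +1,20 @@
+<odoo>
+<record id="view_res_config_settings_impersonate" model="ir.ui.view">
+<field name="name">res.config.settings.impersonate</field>
+<field name="model">res.config.settings</field>
+<field name="inherit_id" ref="base_setup.res_config_settings_view_form" />
+<field name="arch" type="xml">
+<block id="user_default_rights" position="after">
+<block title="Impersonation Login" id="impersonate_login">
+<setting
+id="restrict_impersonate_admin_settings"
+title="Restrict Impersonation of 'Administration: Settings' Users"
+help="Prevents impersonating users that have the 'Administration: Settings' access rights."
+>
+<field name="restrict_impersonate_admin_settings" />
+</setting>
+</block>
+</block>
+</field>
+</record>
+</odoo>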