
Commit 92b422a

fix(roles): OP#951 round-2 - tighten ACLs and gate management buttons
- Add cycle/cycle_membership read ACLs for spp_registry.group_registry_viewer so Global Registrar and CR Validator HQ can open Individual/Group forms without spp.cycle access errors. - Service Points: registry_write ACL becomes read-only; Disable/Enable buttons gated to officer/manager. Registrars see read-only form, no create/edit, no Disable. - form_controller_create.js: also hide "New" when this.canCreate === false so the form-view "New" button respects ACL on models where Odoo 19's t-if="canCreate" leaks through (e.g. service points). - Individual/Group Disable/Enable buttons gated to registry_manager only (was officer+manager). Hides for Farm User, Farm Manager, Support Manager, Registrars, Viewers. - Apply Compliance Criteria button gated to group_programs_manager. - Global Finance role: add group_programs_viewer for full Programs menu; remove group_programs_validator from program-management buttons (import/enroll eligible, verify_eligibility, create_new_cycle, copy_beneficiaries, action_prepare_entitlement, mark_ended, mark_cancelled) so Finance keeps payments/entitlement-approval scope only.
1 parent 779171e commit 92b422a

9 files changed

Lines changed: 40 additions & 23 deletions


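--- a/spp_programs/data/user_roles.xml
+++ b/spp_programs/data/user_roles.xml
@@ -47,12 +47,18 @@
 </record>
 
 <!-- Finance -->
+<!--
+Per OP#951 round-2: Finance role needs read on the full Programs menu
+(programs / cycles / entitlements) on top of validator rights for
+payment batches. group_programs_viewer is Tier-2 (gates the menu).
+-->
 <record id="spp_user_roles.global_role_finance" model="res.users.role">
 <field
 name="implied_ids"
 eval="
 [
 Command.link(ref('spp_programs.group_programs_validator')),
+Command.link(ref('spp_programs.group_programs_viewer')),
 ]"
 />
 </record>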

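--- a/spp_programs/security/ir.model.access.csv
+++ b/spp_programs/security/ir.model.access.csv
@@ -107,6 +107,8 @@ access_spp_program_membership_registry_read,Program Membership Registry Read Acc
 access_spp_program_membership_registry_write,Program Membership Registry Write Access,spp_programs.model_spp_program_membership,spp_registry.group_registry_write,1,1,1,0
 access_spp_program_membership_registrar,Program Membership Registrar Access,spp_programs.model_spp_program_membership,spp_registry.group_registry_officer,1,1,1,0
 access_spp_cycle_membership_registrar,Cycle Membership Registrar Access,spp_programs.model_spp_cycle_membership,spp_registry.group_registry_officer,1,1,1,0
+access_spp_cycle_registry_viewer,Cycle Registry Viewer Read,spp_programs.model_spp_cycle,spp_registry.group_registry_viewer,1,0,0,0
+access_spp_cycle_membership_registry_viewer,Cycle Membership Registry Viewer Read,spp_programs.model_spp_cycle_membership,spp_registry.group_registry_viewer,1,0,0,0
 access_spp_entitlement_registry_read,Entitlement Registry Read Access,spp_programs.model_spp_entitlement,spp_registry.group_registry_read,1,0,0,0
 access_spp_entitlement_registry_write,Entitlement Registry Write Access,spp_programs.model_spp_entitlement,spp_registry.group_registry_write,1,1,1,0
 access_spp_entitlement_registrar,Entitlement Registrar Access,spp_programs.model_spp_entitlement,spp_registry.group_registry_officer,1,0,0,0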
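Review bot: The two new rows give `spp_registry.group_registry_viewer` unrestricted, model-wide read on `spp.cycle` and `spp.cycle.membership`, which is broader than the stated need of opening Individual/Group forms without `spp.cycle` access errors; unless a record rule on these models scopes what viewers can see (none is added in this commit), a viewer can list every cycle and every membership of every program through the ORM. If the form only needs the registrant's own memberships, consider pairing the `spp.cycle.membership` row with a record rule restricted to registrants the viewer may already read, and keep the `spp.cycle` row read-only as it is. It is also worth confirming whether `spp_registry.group_registry_read`, the read-tier group used on the surrounding entitlement rows, should carry these rows instead of or alongside `group_registry_viewer`, since the relationship between the two groups is not visible here.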

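--- a/spp_programs/static/src/js/form_controller_create.js
+++ b/spp_programs/static/src/js/form_controller_create.js
@@ -5,19 +5,24 @@ import {patch} from "@web/core/utils/patch";
 import {onMounted, onPatched, onWillUnmount} from "@odoo/owl";
 
 /**
- * Patch FormController to respect context.create = false and disable create
- * for specific models (entitlements).
+ * Patch FormController to hide the form "New" button when the user lacks
+ * create permission, or for models where create is contextually forbidden.
 *
- * In Odoo 19, the "New" button may still appear in various scenarios:
- * - When navigating from list to form view with context.create = false
- * - When expanding a dialog (creates a new action without preserving context)
+ * In Odoo 19, `t-if="canCreate"` on the form template does not always prevent
+ * the "New" button from rendering — notably the breadcrumb-area button can
+ * leak through when the form arch was first loaded as a privileged user and
+ * cached, or in some action navigation flows. This patch enforces hiding via
+ * DOM manipulation for:
 *
- * This patch hides the New button via DOM manipulation for:
- * 1. Any view with context.create === false
- * 2. Entitlement models (should only be created from cycles)
+ * 1. Any view with `context.create === false`.
+ * 2. Models in MODELS_WITHOUT_CREATE (always-hide; never should be created
+ * directly from the form, e.g. entitlements).
+ * 3. `this.canCreate === false` — i.e. the ACL-derived archInfo.activeActions
+ * .create is false. This is the ACL-aware path that preserves the button
+ * for users who DO have create permission.
 */
 
-// Models that should never show the create button
+// Models that should never show the create button regardless of ACL
 const MODELS_WITHOUT_CREATE = [
 "spp.entitlement",
 "spp.entitlement.inkind",
@@ -33,7 +38,8 @@ patch(FormController.prototype, {
 const modelName = this.props.resModel;
 const shouldHideCreate =
 this.props.context?.create === false ||
-MODELS_WITHOUT_CREATE.includes(modelName);
+MODELS_WITHOUT_CREATE.includes(modelName) ||
+this.canCreate === false;
 
 if (shouldHideCreate) {
 this._hideCreateObserver = null;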
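Review bot: The rewritten header comment should say explicitly that this DOM hiding is a UX measure and not an authorization control — a user without create rights is still rejected server-side by the `ir.model.access` check, and the `t-if="canCreate"` leak described here grants nothing by itself — otherwise a maintainer may treat this patch as the enforcement point for the ACL tightening in this commit. Suggested line after the numbered list: ` * NOTE: this only hides the button; creation is still denied server-side by ACL, so this is hardening of the UI, not a security boundary.` Separately, `this.canCreate === false` is deliberately inert when the property is `undefined`, which is safe but silent: if Odoo 19's FormController does not expose `canCreate` as a property in this code path, the new condition never fires and the commit's stated fix for service points would not apply, so consider reading `this.archInfo?.activeActions?.create === false`, the source the comment itself names, or covering the property with a test. The patched method begins before the second hunk and continues past its end.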

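--- a/spp_programs/views/cycle_compliance_view.xml
+++ b/spp_programs/views/cycle_compliance_view.xml
@@ -18,6 +18,7 @@
 class="btn-warning"
 confirm="Filtering is a one-way action. Are you sure you want to apply compliance criteria?"
 invisible="not allow_filter_compliance_criteria or compliance_criteria_applied"
+groups="spp_programs.group_programs_manager"
 />
 <field name="allow_filter_compliance_criteria" invisible="1" />
 <field name="compliance_criteria_applied" invisible="1" />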
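Review bot: The new `groups="spp_programs.group_programs_manager"` on the Apply Compliance Criteria button omits `spp_security.group_spp_admin`, whereas every other button gated in this commit (cycle_view.xml, programs_view.xml) lists `spp_security.group_spp_admin,spp_programs.group_programs_manager`; unless spp_admin implies programs_manager, which is not visible here, administrators lose this button. Suggest `groups="spp_security.group_spp_admin,spp_programs.group_programs_manager"` for consistency with the other views. As with the other gated buttons, `groups=` only controls visibility, so the method this button calls should enforce the same membership check server-side. The enclosing `<button>` element begins before the hunk.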

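--- a/spp_programs/views/cycle_view.xml
+++ b/spp_programs/views/cycle_view.xml
@@ -134,15 +134,15 @@ Part of OpenSPP. See LICENSE file for full copyright and licensing details.
 string="Copy Beneficiaries"
 icon="fa-copy"
 invisible="state != 'draft'"
-groups="spp_security.group_spp_admin,spp_programs.group_programs_manager,spp_programs.group_programs_officer,spp_programs.group_programs_validator"
+groups="spp_security.group_spp_admin,spp_programs.group_programs_manager,spp_programs.group_programs_officer"
 />
 <button
 name="action_prepare_entitlement"
 type="object"
 string="Prepare Entitlements"
 icon="fa-list"
 invisible="state not in ('draft', 'to_approve') or total_entitlements_count > 0"
-groups="spp_security.group_spp_admin,spp_programs.group_programs_manager,spp_programs.group_programs_officer,spp_programs.group_programs_validator"
+groups="spp_security.group_spp_admin,spp_programs.group_programs_manager,spp_programs.group_programs_officer"
 />
 <button
 name="action_submit_for_approval"
@@ -218,15 +218,15 @@ Part of OpenSPP. See LICENSE file for full copyright and licensing details.
 string="End Cycle"
 icon="fa-stop"
 invisible="state not in ('approved', 'distributed')"
-groups="spp_security.group_spp_admin,spp_programs.group_programs_manager,spp_programs.group_programs_validator"
+groups="spp_security.group_spp_admin,spp_programs.group_programs_manager"
 />
 <button
 name="mark_cancelled"
 type="object"
 string="Cancel"
 icon="fa-times"
 invisible="state in ('ended', 'cancelled')"
-groups="spp_security.group_spp_admin,spp_programs.group_programs_manager,spp_programs.group_programs_validator"
+groups="spp_security.group_spp_admin,spp_programs.group_programs_manager"
 />
 <field
 name="state"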
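Review bot: Dropping `spp_programs.group_programs_validator` from the `groups=` attribute on `action_prepare_entitlement`, `mark_ended` and `mark_cancelled` only hides the buttons; a Finance user, who keeps `group_programs_validator` per user_roles.xml in this commit, can still invoke those same methods over RPC (`call_button` / `call_kw`) as long as the validator's ACL on `spp.cycle` permits write, unless the methods themselves verify group membership, which is not visible here. To make the authorization boundary match the UI, add an explicit guard at the top of each of these methods, e.g. `if not self.env.user.has_group("spp_programs.group_programs_manager"): raise AccessError(_("Only programme managers may end or cancel a cycle."))`, or express the restriction as a record rule. The same remark applies to the program-management buttons narrowed in programs_view.xml in this commit. The enclosing form view starts before the first hunk and continues after the second.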

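--- a/spp_programs/views/programs_view.xml
+++ b/spp_programs/views/programs_view.xml
@@ -99,7 +99,7 @@ Part of OpenSPP. See LICENSE file for full copyright and licensing details.
 icon="fa-download"
 class="btn-secondary"
 invisible="state != 'active'"
-groups="spp_security.group_spp_admin,spp_programs.group_programs_manager,spp_programs.group_programs_officer,spp_programs.group_programs_validator"
+groups="spp_security.group_spp_admin,spp_programs.group_programs_manager,spp_programs.group_programs_officer"
 />
 <button
 name="enroll_eligible_registrants"
@@ -108,23 +108,23 @@ Part of OpenSPP. See LICENSE file for full copyright and licensing details.
 icon="fa-user-plus"
 class="btn-primary"
 invisible="state != 'active'"
-groups="spp_security.group_spp_admin,spp_programs.group_programs_manager,spp_programs.group_programs_officer,spp_programs.group_programs_validator"
+groups="spp_security.group_spp_admin,spp_programs.group_programs_manager,spp_programs.group_programs_officer"
 />
 <button
 name="verify_eligibility"
 type="object"
 string="Verify Eligibility"
 icon="fa-check-circle"
 invisible="state != 'active'"
-groups="spp_security.group_spp_admin,spp_programs.group_programs_manager,spp_programs.group_programs_officer,spp_programs.group_programs_validator"
+groups="spp_security.group_spp_admin,spp_programs.group_programs_manager,spp_programs.group_programs_officer"
 />
 <button
 name="create_new_cycle"
 type="object"
 string="New Cycle"
 icon="fa-plus-circle"
 invisible="state != 'active' or is_one_time_distribution"
-groups="spp_security.group_spp_admin,spp_programs.group_programs_manager,spp_programs.group_programs_officer,spp_programs.group_programs_validator"
+groups="spp_security.group_spp_admin,spp_programs.group_programs_manager,spp_programs.group_programs_officer"
 />
 <button
 name="deduplicate_beneficiaries"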

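--- a/spp_registry/views/individual_views.xml
+++ b/spp_registry/views/individual_views.xml
@@ -136,28 +136,28 @@
 <xpath expr="//sheet" position="replace">
 <sheet>
 <div name="button_box">
-<!-- Disable button - restricted to officers/managers -->
+<!-- Disable button - restricted to registry managers only -->
 <button
 type="action"
 class="oe_stat_button"
 icon="fa-ban"
 name="%(spp_registry.action_disable_registrant_wizard)d"
 invisible="disabled"
-groups="spp_registry.group_registry_officer,spp_registry.group_registry_manager"
+groups="spp_registry.group_registry_manager"
 title="Disable"
 >
 <div class="o_form_field o_stat_info">
 <span class="o_stat_text">Disable</span>
 </div>
 </button>
-<!-- Enable button - restricted to officers/managers -->
+<!-- Enable button - restricted to registry managers only -->
 <button
 type="object"
 class="oe_stat_button"
 icon="fa-check"
 name="enable_registrant"
 invisible="not disabled"
-groups="spp_registry.group_registry_officer,spp_registry.group_registry_manager"
+groups="spp_registry.group_registry_manager"
 title="Enable"
 >
 <div class="o_form_field o_stat_info">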
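Review bot: Narrowing `groups=` on the Enable button and on the Disable wizard action to `spp_registry.group_registry_manager` hides them from officers but does not stop an officer from calling `enable_registrant` over RPC, or from opening `spp_registry.action_disable_registrant_wizard` by its action id, if the registrant model and the wizard model still grant officers write/create in their ACLs (not visible in this hunk). Unless `enable_registrant` and the wizard's confirm method already check membership, add a guard such as `if not self.env.user.has_group("spp_registry.group_registry_manager"): raise AccessError(_("Only registry managers may enable or disable registrants."))` in both, so the ACL and the view agree with the commit message's intent. The `<sheet>` replacement continues past the end of the hunk.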

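--- a/spp_service_points/security/ir.model.access.csv
+++ b/spp_service_points/security/ir.model.access.csv
@@ -10,4 +10,4 @@ access_spp_service_point_manager,spp.service.point manager,spp_service_points.mo
 access_spp_service_point_user,Service Point User Access (Deprecated),spp_service_points.model_spp_service_point,spp_service_points.group_service_points_user,1,1,1,0
 
 access_spp_service_point_registry_read,Service Point Registry Read Access,spp_service_points.model_spp_service_point,spp_registry.group_registry_read,1,0,0,0
-access_spp_service_point_registry_write,Service Point Registry Write Access,spp_service_points.model_spp_service_point,spp_registry.group_registry_write,1,1,1,0
+access_spp_service_point_registry_write,Service Point Registry Write Access,spp_service_points.model_spp_service_point,spp_registry.group_registry_write,1,0,0,0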
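Review bot: The context row directly above the change, `access_spp_service_point_user`, still grants read/write/create on `spp.service.point` to `spp_service_points.group_service_points_user` even though it is labelled Deprecated, so the read-only downgrade of the registry_write row only delivers the "Registrars see read-only form" guarantee from the commit message if no registrar role still implies that deprecated group — worth verifying in spp_user_roles before relying on it. If the group is genuinely unused, either drop that row or set it to `1,0,0,0` so the deprecated path cannot silently reopen write access. The row name in the rebuilt ACL (`Service Point Registry Write Access`) now describes read-only access; consider renaming it to avoid misleading the next reader. The `access_spp_service_point_manager` row is cut off in the hunk header.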

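--- a/spp_service_points/views/service_points_view.xml
+++ b/spp_service_points/views/service_points_view.xml
@@ -51,6 +51,7 @@
 string="Enable Service Point"
 class="btn-success"
 invisible="not is_disabled or not id"
+groups="spp_service_points.group_service_points_officer,spp_service_points.group_service_points_manager"
 confirm="Enable this service point? It will become active again."
 />
 <button
@@ -59,6 +60,7 @@
 string="Disable Service Point"
 class="btn-warning"
 invisible="is_disabled or not id"
+groups="spp_service_points.group_service_points_officer,spp_service_points.group_service_points_manager"
 confirm="Disable this service point? You will need to provide a reason."
 />
 </header>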
