|
| 1 | +# Part of OpenSPP. See LICENSE file for full copyright and licensing details. |
| 2 | +"""OP#1124: Registry-search create buttons must be gated on the registry |
| 3 | +create-permission roles, not generic res.partner create access.""" |
| 4 | + |
| 5 | +from odoo.tests import TransactionCase, tagged |
| 6 | + |
| 7 | + |
| 8 | +@tagged("post_install", "-at_install") |
| 9 | +class TestRegistrantCreatePermission(TransactionCase): |
| 10 | + @classmethod |
| 11 | + def setUpClass(cls): |
| 12 | + super().setUpClass() |
| 13 | + cls.ViewHistory = cls.env["spp.registry.view.history"] |
| 14 | + |
| 15 | + def _make_user(self, login, group_xmlids): |
| 16 | + groups = [] |
| 17 | + for xmlid in group_xmlids: |
| 18 | + grp = self.env.ref(xmlid, raise_if_not_found=False) |
| 19 | + if grp: |
| 20 | + groups.append(grp.id) |
| 21 | + return self.env["res.users"].create({"name": login, "login": login, "group_ids": [(6, 0, groups)]}) |
| 22 | + |
| 23 | + def test_registry_officer_can_create(self): |
| 24 | + user = self._make_user("t_1124_officer", ["base.group_user", "spp_registry.group_registry_officer"]) |
| 25 | + self.assertTrue(self.ViewHistory.with_user(user).check_registrant_create_permission()) |
| 26 | + |
| 27 | + def test_registry_manager_can_create(self): |
| 28 | + user = self._make_user("t_1124_manager", ["base.group_user", "spp_registry.group_registry_manager"]) |
| 29 | + self.assertTrue(self.ViewHistory.with_user(user).check_registrant_create_permission()) |
| 30 | + |
| 31 | + def test_partner_creator_without_registry_role_cannot_create(self): |
| 32 | + """A user with generic res.partner create access but NO registry role — |
| 33 | + like the validator in OP#1124 — must be denied. This is the crux: the |
| 34 | + old check keyed off res.partner create (which such a user passes).""" |
| 35 | + user = self._make_user("t_1124_partmgr", ["base.group_user", "base.group_partner_manager"]) |
| 36 | + # Sanity: the old, too-broad basis (res.partner create) WOULD allow this user. |
| 37 | + self.assertTrue(self.env["res.partner"].with_user(user).check_access_rights("create", raise_exception=False)) |
| 38 | + # The new, correct gate denies it (not a registry create role). |
| 39 | + self.assertFalse(self.ViewHistory.with_user(user).check_registrant_create_permission()) |
0 commit comments