File: test_security.py

# -*- coding: utf-8 -*-
# Part of Odoo. See LICENSE file for full copyright and licensing details.

from odoo.addons.mail.tests.common import mail_new_test_user
from odoo.exceptions import AccessError
from odoo.tests import tagged, common, new_test_user
from odoo.tools import mute_logger


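@tagged('security')
class TestAccessRating(common.TransactionCase):
    """Access-control checks on ``rating.rating`` for the base user groups.

    The class fixture creates one user per group (system / partner manager,
    internal employee, portal, public) and a partner record that serves as
    the rated document.
    """

    @classmethod
    def setUpClass(cls):
        """Create the test users and the partner the ratings point at."""
        super().setUpClass()

        cls.user_manager_partner = mail_new_test_user(
            cls.env, name='Jean Admin', login='user_mana', email='admin@example.com',
            groups='base.group_partner_manager,base.group_system'
        )

        cls.user_emp = mail_new_test_user(
            cls.env, name='Eglantine Employee', login='user_emp', email='employee@example.com',
            groups='base.group_user'
        )

        cls.user_portal = mail_new_test_user(
            cls.env, name='Patrick Portal', login='user_portal', email='portal@example.com',
            groups='base.group_portal'
        )

        cls.user_public = mail_new_test_user(
            cls.env, name='Pauline Public', login='user_public', email='public@example.com',
            groups='base.group_public'
        )

        # The rated record is created as the manager user, not as superuser.
        cls.partner_to_rate = cls.env['res.partner'].with_user(cls.user_manager_partner).create({
            "name": "Partner to Rate :("
        })

    # The ir_model logger is muted for the whole test; presumably this hides
    # the access-denied messages the test triggers on purpose (confirm).
    @mute_logger('odoo.addons.base.models.ir_model')
    def test_rating_access(self):
        """Portal and public users can neither create nor write a rating; an employee can create one.

        NOTE(review): only the employee *create* path is exercised here; an
        employee write is not checked by this test.
        """
        # Resolve the model id and build the values before entering any
        # assertRaises block. The lookup is test plumbing (hence sudo); keeping
        # it outside means the only call that can satisfy an access-denied
        # assertion is the create()/write() issued as the restricted user.
        partner_model_id = self.env['ir.model'].sudo().search(
            [('model', '=', 'res.partner')], limit=1).id

        def rating_values(score):
            """Return create() values for a rating of ``score`` on the test partner."""
            return {
                'res_model_id': partner_model_id,
                'res_model': 'res.partner',
                'res_id': self.partner_to_rate.id,
                'rating': score,
            }

        portal_values = rating_values(1)
        public_values = rating_values(3)
        employee_values = rating_values(3)
        feedback_values = {'feedback': 'You should not pass!'}

        # Portal and public users must not be able to create ratings directly.
        with self.assertRaises(AccessError):
            self.env['rating.rating'].with_user(self.user_portal).create(portal_values)
        with self.assertRaises(AccessError):
            self.env['rating.rating'].with_user(self.user_public).create(public_values)

        # An internal employee creates a rating without error.
        rating = self.env['rating.rating'].with_user(self.user_emp).create(employee_values)

        # Writing on the employee's rating is denied to portal and public users.
        with self.assertRaises(AccessError):
            rating.with_user(self.user_portal).write(feedback_values)
        with self.assertRaises(AccessError):
            rating.with_user(self.user_public).write(feedback_values)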