Commit 3be372cf authored by Jérome Maes

[FIX] hr: restrict sudoing fields_view_get of res.users

Since d77ce4c2, the feature of editing one's own employee profile was
added. It was complicated from the access rights point of view because the
hr.employee fields are protected (groups="hr.group_hr_user"). To allow editing
one's own hr.employee, it was required to `sudo` the fields_view_get of res.users
(as the profile form view is a res.users form view, with related fields from the
employee).

- Bug
The problem is that calling `fields_view_get` as `sudo` each time breaks the `groups`
mechanism on res.users views (not only the form view). For instance, adding a field
on the form view with a group will always make it visible, as the `groups` check
is done in sudo mode.

- Solution
This commit tries to fix this matter by reducing the `sudo` usage to
- only the form view (we don't want this applied to every res.users view type)
- only for internal users
- only in the flow of the "self editing profile", by checking the current action
- only for the current user (avoid getting the profile of other res.users by
using the same action)

- Side effect
The `groups` mechanism is still broken on the "my profile" form view, as the
`sudo` is still applied in that case. We might tolerate this as the view should
only be accessible to the current user.

This is not perfect at all, but cleaning that up properly might involve redeveloping
this sensitive feature.

Task-1916925
parent ea4a782f
......@@ -116,8 +116,13 @@ class User(models.Model):
# However, in this case, we want the user to be able to read/write its own data,
# even if they are protected by groups.
# We make the front-end aware of those fields by sending all field definitions.
if not self.env.user.share:
self = self.sudo()
# Note: limit the `sudo` to the only action of "editing own profile" action in order to
# avoid breaking `groups` mecanism on res.users form view.
context_params = self._context.get('params', {})
if view_type == 'form' and context_params.get('id') == self.env.user.id and not self.env.user.share:
action_id = self.env['ir.model.data'].xmlid_to_res_id('hr.res_users_action_my', raise_if_not_found=False)
if action_id and context_params.get('action') == action_id:
self = self.sudo()
return super(User, self).fields_view_get(view_id=view_id, view_type=view_type, toolbar=toolbar, submenu=submenu)
@api.multi
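Review bot: the new guard `if view_type == 'form' and context_params.get('id') == self.env.user.id and not self.env.user.share:` together with `if action_id and context_params.get('action') == action_id:` reads `id` and `action` out of `self._context.get('params', {})`, which is supplied by the client, so this narrows when the view is served in sudo but is not an authorization boundary: any internal user can still send those two context values on a res.users form `fields_view_get` call, and the `groups` attributes on that view are then bypassed exactly as before, which matches the "Side effect" paragraph of the commit message and is worth stating in the code comment rather than only in the commit message. Two smaller points: the `xmlid_to_res_id('hr.res_users_action_my', raise_if_not_found=False)` lookup is now performed on every own-user form view request and could be moved behind the cheaper `context_params.get('action')` check, and the comment line `# avoid breaking \`groups\` mecanism on res.users form view.` has the typo "mecanism" (also present in the commit message).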
......