[FIX] mail: ease activities management through documents

This commit improve the daily use of activities by delegating activities management to the document. Activities are already managed on document through the UI either in form view or in kanban view.

[FIX] mail: ease activities management through documents
53ad585b · Thibault Delavallée · 928a284b · 53ad585b · 53ad585b · 53ad585b
Commit 53ad585b authored 7 years ago by Thibault Delavallée
--- a/addons/mail/models/mail_activity.py
+++ b/addons/mail/models/mail_activity.py
@@ -3,7 +3,7 @@

 from datetime import date, datetime, timedelta

-from odoo import api, fields, models
+from odoo import api, exceptions, fields, models, _


 class MailActivityType(models.Model):
@@ -102,20 +102,65 @@ class MailActivity(models.Model):
                self.summary = self.activity_type_id.summary
            self.date_deadline = (datetime.now() + timedelta(days=self.activity_type_id.days))

+    @api.multi
+    def _check_access(self, operation):
+        """ Rule to access activities
+
+         * create: check write rights on related document;
+         * write: rule OR write rights on document;
+         * unlink: rule OR write rights on document;
+        """
+        self.check_access_rights(operation, raise_exception=True)  # will raise an AccessError
+
+        if operation in ('write', 'unlink'):
+            try:
+                self.check_access_rule(operation)
+            except exceptions.AccessError:
+                pass
+            else:
+                return
+
+        doc_operation = 'read' if operation == 'read' else 'write'
+        activity_to_documents = dict()
+        for activity in self.sudo():
+            activity_to_documents.setdefault(activity.res_model, list()).append(activity.res_id)
+        for model, res_ids in activity_to_documents.items():
+            self.env[model].check_access_rights(doc_operation, raise_exception=True)
+            try:
+                self.env[model].browse(res_ids).check_access_rule(doc_operation)
+            except exceptions.AccessError:
+                raise exceptions.AccessError(
+                    _('The requested operation cannot be completed due to security restrictions. Please contact your system administrator.\n\n(Document type: %s, Operation: %s)') %
+                    (self._description, operation))
+
    @api.model
    def create(self, values):
-        activity = super(MailActivity, self).create(values)
-        self.env[activity.res_model].browse(activity.res_id).message_subscribe(partner_ids=[activity.user_id.partner_id.id])
-        return activity
+        # already compute default values to be sure those are computed using the current user
+        values_w_defaults = self.default_get(self._fields.keys())
+        values_w_defaults.update(values)
+
+        # continue as sudo because activities are somewhat protected
+        activity = super(MailActivity, self.sudo()).create(values_w_defaults)
+        activity_user = activity.sudo(self.env.user)
+        activity_user._check_access('create')
+        self.env[activity_user.res_model].browse(activity_user.res_id).message_subscribe(partner_ids=[activity_user.user_id.partner_id.id])
+        return activity_user

    @api.multi
    def write(self, values):
-        res = super(MailActivity, self).write(values)
+        self._check_access('write')
+        res = super(MailActivity, self.sudo()).write(values)
+
        if values.get('user_id'):
            for activity in self:
                self.env[activity.res_model].browse(activity.res_id).message_subscribe(partner_ids=[activity.user_id.partner_id.id])
        return res

+    @api.multi
+    def unlink(self):
+        self._check_access('unlink')
+        return super(MailActivity, self.sudo()).unlink()
+
    @api.multi
    def action_done(self):
        message = self.env['mail.message']

--- a/addons/mail/security/ir.model.access.csv
+++ b/addons/mail/security/ir.model.access.csv
@@ -34,7 +34,7 @@ access_mail_template_system,mail.template_system,model_mail_template,base.group_
 access_mail_shortcode,mail.shortcode,model_mail_shortcode,base.group_user,1,1,1,1
 access_mail_shortcode_portal,mail.shortcode.portal,model_mail_shortcode,base.group_portal,1,0,0,0
 access_mail_test_all,mail.test.all,model_mail_test,base.group_user,1,1,1,1
-access_mail_activity_all,mail.activity.all,model_mail_activity,,1,0,0,0
+access_mail_activity_all,mail.activity.all,model_mail_activity,,0,0,0,0
 access_mail_activity_user,mail.activity.user,model_mail_activity,base.group_user,1,1,1,1
-access_mail_activity_type_all,mail.activity.type.all,model_mail_activity_type,,1,0,0,0
+access_mail_activity_type_all,mail.activity.type.all,model_mail_activity_type,,0,0,0,0
 access_mail_activity_type_user,mail.activity.type.user,model_mail_activity_type,base.group_user,1,1,1,1
\ No newline at end of file
--- a/addons/mail/security/mail_security.xml
+++ b/addons/mail/security/mail_security.xml
@@ -40,5 +40,16 @@
            <field name="groups" eval="[(4, ref('base.group_portal')), (4, ref('base.group_public'))]"/>
        </record>

+        <record id="mail_activity_rule_user" model="ir.rule">
+            <field name="name">mail.activity: user: own only</field>
+            <field name="model_id" ref="model_mail_activity"/>
+            <field name="domain_force">[('user_id', '=', user.id)]</field>
+            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
+            <field name="perm_create" eval="False"/>
+            <field name="perm_read" eval="False"/>
+            <field name="perm_write" eval="True"/>
+            <field name="perm_unlink" eval="True"/>
+        </record>
+
    </data>
 </odoo>