[IMP] website: add a field to handle publish rights for publish mixin

Purpose
=======

The "publish/unpublish" widget is always shown on the frontend as long as the user
is a website_publisher and the object has a "website_published" field.

In some modules (namely website_slides) we need to handle a more refined level of access.

This commit adds a "can_publish" computed field that can be overridden to add some additional
access rules to the object and hide the widget if the user doesn't have the rights to
publish/unpublish.

addons/website/models/mixins.py

@@ -4,9 +4,10 @@
 import logging
 
 
-from odoo import api, fields, models
+from odoo import api, fields, models, _
 from odoo.http import request
 from odoo.osv import expression
+from odoo.exceptions import AccessError
 
 logger = logging.getLogger(__name__)
 
@@ -120,6 +121,7 @@ class WebsitePublishedMixin(models.AbstractModel):
 
     website_published = fields.Boolean('Visible on current website', related='is_published', readonly=False)
     is_published = fields.Boolean('Is published', copy=False)
+    can_publish = fields.Boolean('Can publish', compute='_compute_can_publish')
     website_url = fields.Char('Website URL', compute='_compute_website_url', help='The full URL to access the document through the website.')
 
     @api.multi
@@ -144,9 +146,40 @@ class WebsitePublishedMixin(models.AbstractModel):
             'target': 'self',
         }
 
+    @api.model_create_multi
+    def create(self, vals_list):
+        records = super(WebsitePublishedMixin, self).create(vals_list)
+
+        is_publish_modified = any('website_published' in values for values in vals_list)
+        if is_publish_modified and not all(record.can_publish for record in records):
+            raise AccessError(self._get_can_publish_error_message())
+
+        return records
+
+    @api.multi
+    def write(self, values):
+        if 'website_published' in values and not all(record.can_publish for record in self):
+            raise AccessError(self._get_can_publish_error_message())
+
+        return super(WebsitePublishedMixin, self).write(values)
+
     def create_and_get_website_url(self, **kwargs):
         return self.create(kwargs).website_url
 
+    @api.multi
+    def _compute_can_publish(self):
+        """ This method can be overridden if you need more complex rights management than just 'website_publisher'
+        The publish widget will be hidden and the user won't be able to change the 'website_published' value
+        if this method sets can_publish False """
+        for record in self:
+            record.can_publish = True
+
+    @api.model
+    def _get_can_publish_error_message(self):
+        """ Override this method to customize the error message shown when the user doesn't
+        have the rights to publish/unpublish. """
+        return _("You do not have the rights to publish/unpublish")
+
 
 class WebsitePublishedMultiMixin(WebsitePublishedMixin):
 

addons/website/views/website_navbar_templates.xml

@@ -64,7 +64,7 @@
                 </ul>
 
                 <ul class="o_menu_systray d-none d-md-block" groups="website.group_website_publisher">
-                    <li t-if="'website_published' in main_object.fields_get()" t-attf-class="js_publish_management #{main_object.website_published and 'css_published' or 'css_unpublished'}" t-att-data-id="main_object.id" t-att-data-object="main_object._name" t-att-data-controller="publish_controller">
+                    <li t-if="'website_published' in main_object.fields_get() and ('can_publish' not in main_object.fields_get() or main_object.can_publish)" t-attf-class="js_publish_management #{main_object.website_published and 'css_published' or 'css_unpublished'}" t-att-data-id="main_object.id" t-att-data-object="main_object._name" t-att-data-controller="publish_controller">
                         <label class="o_switch o_switch_danger js_publish_btn" for="id">
                             <input type="checkbox" t-att-checked="main_object.website_published" id="id"/>
                             <span/>