[FIX] hr_expense: verify the constrain server side too

The groups were set only on the view which does not prevent abuses. The fact that users can bypass the groups on the view is not critical as the changes are logged but this should be improved nevertheless. In master, proper record rules should be set. Closes #20427

[FIX] hr_expense: verify the constrain server side too
f8540501 · Martin Trigaux · a63ecee4 · f8540501
Unverified Commit f8540501 authored 7 years ago by Martin Trigaux
--- a/addons/hr_expense/models/hr_expense.py
+++ b/addons/hr_expense/models/hr_expense.py
@@ -524,6 +524,8 @@ class HrExpenseSheet(models.Model):

    @api.multi
    def refuse_expenses(self, reason):
+        if not self.user_has_groups('hr_expense.group_hr_expense_user'):
+            raise UserError(_("Only HR Officers can refuse expenses"))
        self.write({'state': 'cancel'})
        for sheet in self:
            body = (_("Your Expense %s has been refused.<br/><ul class=o_timeline_tracking_value_list><li>Reason<span> : </span><span class=o_timeline_tracking_value>%s</span></li></ul>") % (sheet.name, reason))
@@ -531,6 +533,8 @@ class HrExpenseSheet(models.Model):

    @api.multi
    def approve_expense_sheets(self):
+        if not self.user_has_groups('hr_expense.group_hr_expense_user'):
+            raise UserError(_("Only HR Officers can approve expenses"))
        self.write({'state': 'approve', 'responsible_id': self.env.user.id})

    @api.multi