From f8540501aca60feea8108691b7ad5a9afa030aa0 Mon Sep 17 00:00:00 2001
From: Martin Trigaux <mat@odoo.com>
Date: Thu, 9 Nov 2017 14:24:52 +0100
Subject: [PATCH] [FIX] hr_expense: verify the constrain server side too

The groups were set only on the view which does not prevent abuses. The fact that users can bypass the groups on the view is not critical as the changes are logged but this should be improved nevertheless. In master, proper record rules should be set.

Closes #20427
---
 addons/hr_expense/models/hr_expense.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/addons/hr_expense/models/hr_expense.py b/addons/hr_expense/models/hr_expense.py
index f4cb1a69c9de..61a45a481542 100644
--- a/addons/hr_expense/models/hr_expense.py
+++ b/addons/hr_expense/models/hr_expense.py
@@ -524,6 +524,8 @@ class HrExpenseSheet(models.Model):
 @api.multi
 def refuse_expenses(self, reason):
+ if not self.user_has_groups('hr_expense.group_hr_expense_user'):
+ raise UserError(_("Only HR Officers can refuse expenses"))
 self.write({'state': 'cancel'})
 for sheet in self:
 body = (_("Your Expense %s has been refused.<br/><ul class=o_timeline_tracking_value_list><li>Reason<span> : </span><span class=o_timeline_tracking_value>%s</span></li></ul>") % (sheet.name, reason))
@@ -531,6 +533,8 @@ class HrExpenseSheet(models.Model):
 @api.multi
 def approve_expense_sheets(self):
+ if not self.user_has_groups('hr_expense.group_hr_expense_user'):
+ raise UserError(_("Only HR Officers can approve expenses"))
 self.write({'state': 'approve', 'responsible_id': self.env.user.id})
 @api.multi
-- 
GitLab
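Review bot: The new guard in `refuse_expenses` raises `UserError` for what is an authorization failure; Odoo's `AccessError` (from `odoo.exceptions`) is the exception type meant for permission denials, so `raise AccessError(_("Only HR Officers can refuse expenses"))` would be the more accurate signal for callers and logs — the import block is outside the hunk, so confirm it is imported before switching. The same applies to the guard added in the second hunk in `approve_expense_sheets`. The check also only covers these two entry points: any user with write access on the model can still set `state` directly through `write`, which the commit message itself defers to record rules in master; until then, a short note above each guard such as `# Server-side group check; the view-level groups alone are bypassable via RPC` would make the intent and the remaining gap clear to the next maintainer. refuse_expenses continues outside the hunk, so whether the refused `reason` is escaped before `message_post` cannot be confirmed from here and is worth checking given the HTML interpolation on the `body =` line.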