fix: resolve group XML IDs via ir.model.data in access check
AGENT_ACCESS_GROUPS uses XML IDs (e.g. hr_expense.group_hr_expense_user) but the check compared them against res.groups.full_name strings which never matched, denying every user access to all restricted agents. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Carlos Garcia
@@ -185,16 +185,24 @@ class MasterAgent:
|
||||
denied = []
|
||||
try:
|
||||
user_data = await self._odoo.call('res.users', 'read', [[user_id]], {'fields': ['groups_id']})
|
||||
group_ids = user_data[0].get('groups_id', []) if user_data else []
|
||||
group_rows = await self._odoo.search_read('res.groups', [['id', 'in', group_ids]], ['full_name'])
|
||||
user_group_names = {r['full_name'] for r in group_rows}
|
||||
user_group_ids = set(user_data[0].get('groups_id', [])) if user_data else set()
|
||||
except Exception as exc:
|
||||
logger.warning('Access check failed, permitting: %s', exc)
|
||||
return AccessResult(allowed=True)
|
||||
for agent_key in agents:
|
||||
required = AGENT_ACCESS_GROUPS.get(agent_key)
|
||||
if required and required not in user_group_names:
|
||||
denied.append(agent_key)
|
||||
required_xml_id = AGENT_ACCESS_GROUPS.get(agent_key)
|
||||
if not required_xml_id:
|
||||
continue
|
||||
try:
|
||||
module, name = required_xml_id.split('.', 1)
|
||||
imd = await self._odoo.search_read(
|
||||
'ir.model.data',
|
||||
[['module', '=', module], ['name', '=', name], ['model', '=', 'res.groups']],
|
||||
['res_id'])
|
||||
if not imd or imd[0]['res_id'] not in user_group_ids:
|
||||
denied.append(agent_key)
|
||||
except Exception as exc:
|
||||
logger.warning('Group lookup failed for %s, permitting: %s', required_xml_id, exc)
|
||||
if denied:
|
||||
return AccessResult(allowed=False, denied_agents=denied)
|
||||
return AccessResult(allowed=True)
|
||||
|
||||
Reference in New Issue
Block a user