mirror of
https://github.com/bringout/oca-server-auth.git
synced 2026-04-19 08:12:00 +02:00
110 lines
3.4 KiB
Python
110 lines
3.4 KiB
Python
# © 2021 Florian Kantelberg - initOS GmbH
|
|
# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
|
|
|
|
from odoo import _, api, fields, models
|
|
|
|
|
|
class VaultRight(models.Model):
|
|
_name = "vault.right"
|
|
_description = _("Vault rights")
|
|
_inherit = ["vault.abstract"]
|
|
_order = "user_id"
|
|
|
|
vault_id = fields.Many2one(
|
|
"vault",
|
|
"Vault",
|
|
readonly=True,
|
|
required=True,
|
|
ondelete="cascade",
|
|
)
|
|
master_key = fields.Char(related="vault_id.master_key", readonly=True, store=False)
|
|
user_id = fields.Many2one(
|
|
"res.users",
|
|
"User",
|
|
domain=[("keys", "!=", False)],
|
|
required=True,
|
|
)
|
|
public_key = fields.Char(compute="_compute_public_key", readonly=True, store=False)
|
|
perm_create = fields.Boolean(
|
|
"Create",
|
|
default=lambda self: self._get_is_owner(),
|
|
help="Allow to create in the vault",
|
|
)
|
|
perm_write = fields.Boolean(
|
|
"Write",
|
|
default=lambda self: self._get_is_owner(),
|
|
help="Allow to write to the vault",
|
|
)
|
|
perm_share = fields.Boolean(
|
|
"Share",
|
|
default=lambda self: self._get_is_owner(),
|
|
help="Allow to share a vault with new users",
|
|
)
|
|
perm_delete = fields.Boolean(
|
|
"Delete",
|
|
default=lambda self: self._get_is_owner(),
|
|
help="Allow to delete a vault",
|
|
)
|
|
|
|
perm_user = fields.Many2one(related="vault_id.perm_user", store=False)
|
|
allowed_read = fields.Boolean(related="vault_id.allowed_read", store=False)
|
|
allowed_create = fields.Boolean(related="vault_id.allowed_create", store=False)
|
|
allowed_write = fields.Boolean(related="vault_id.allowed_write", store=False)
|
|
allowed_share = fields.Boolean(related="vault_id.allowed_share", store=False)
|
|
allowed_delete = fields.Boolean(related="vault_id.allowed_delete", store=False)
|
|
|
|
# Encrypted with the public key of the user
|
|
key = fields.Char()
|
|
|
|
_sql_constraints = (
|
|
("user_uniq", "UNIQUE(user_id, vault_id)", _("The user must be unique")),
|
|
)
|
|
|
|
def _get_is_owner(self):
|
|
return self.env.user == self.vault_id.user_id
|
|
|
|
@api.depends("user_id")
|
|
def _compute_public_key(self):
|
|
for rec in self:
|
|
rec.public_key = rec.user_id.active_key.public
|
|
|
|
def log_access(self):
|
|
for rec in self:
|
|
rights = ", ".join(
|
|
sorted(
|
|
["read"]
|
|
+ [
|
|
right
|
|
for right in ["create", "write", "share", "delete"]
|
|
if getattr(rec, f"perm_{right}", False)
|
|
]
|
|
)
|
|
)
|
|
|
|
rec.vault_id.log_info(
|
|
f"Grant access to user {rec.user_id.display_name}: {rights}"
|
|
)
|
|
|
|
@api.model_create_multi
|
|
def create(self, vals_list):
|
|
res = super().create(vals_list)
|
|
if not res.allowed_share and not res.env.su:
|
|
self.raise_access_error()
|
|
|
|
res.log_access()
|
|
return res
|
|
|
|
def write(self, values):
|
|
res = super().write(values)
|
|
perms = ["perm_write", "perm_delete", "perm_share", "perm_create"]
|
|
if any(x in values for x in perms):
|
|
self.log_access()
|
|
|
|
return res
|
|
|
|
def unlink(self):
|
|
for rec in self:
|
|
rec.vault_id.log_info(f"Removed user {self.user_id.display_name}")
|
|
rec.vault_id.reencrypt_required = True
|
|
|
|
return super().unlink()
|