Skip to content

Commit

Permalink
[REV] calendar: update calendar default privacy non-admins
Browse files Browse the repository at this point in the history 
This reverts commit f226f7e.

opw-4334404
  • Loading branch information
@geflx
geflx committed Aug 22, 2024
1 parent f29c106 commit 131b043
Show file tree
Hide file tree
Showing 2 changed files with 0 additions and 86 deletions.
4 changes: 0 additions & 4 deletions addons/calendar/models/res_users.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,10 +23,6 @@ class ResUsers(models.Model):
def SELF_READABLE_FIELDS(self):
return super().SELF_READABLE_FIELDS + ['calendar_default_privacy']

@property
def SELF_WRITEABLE_FIELDS(self):
return super().SELF_READABLE_FIELDS + ['calendar_default_privacy']

def get_selected_calendars_partner_ids(self, include_user=True):
"""
Retrieves the partner IDs of the attendees selected in the calendar view.
Expand Down
82 changes: 0 additions & 82 deletions addons/calendar/tests/test_access_rights.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -161,63 +161,6 @@ def test_meeting_edit_access_notification_handle_in_odoo(self):
'stop': datetime.now() + timedelta(days=2, hours=2),
})

def test_event_default_privacy_as_private(self):
""" Check the privacy of events with owner's event default privacy as 'private'. """
# Set organizer default privacy as 'private' and create event privacies default, public, private and confidential.
self.george.with_user(self.george).calendar_default_privacy = 'private'
default_event = self.create_event(self.george)
public_event = self.create_event(self.george, privacy='public')
private_event = self.create_event(self.george, privacy='private')
confidential_event = self.create_event(self.george, privacy='confidential')

# With another user who is not an event attendee, try accessing the events.
query_default_event = self.env['calendar.event'].with_user(self.raoul).read_group([('id', '=', default_event.id)], fields=['name'], groupby='name')
query_public_event = self.env['calendar.event'].with_user(self.raoul).read_group([('id', '=', public_event.id)], fields=['name'], groupby='name')
query_private_event = self.env['calendar.event'].with_user(self.raoul).read_group([('id', '=', private_event.id)], fields=['name'], groupby='name')
query_confidential_event = self.env['calendar.event'].with_user(self.raoul).read_group([('id', '=', confidential_event.id)], fields=['name'], groupby='name')

# Ensure that each event is accessible or not according to its privacy.
self.assertFalse(query_default_event, "Event must be inaccessible because the user has default privacy as 'private'.")
self.assertTrue(query_public_event, "Public event must be accessible to other users.")
self.assertFalse(query_private_event, "Private event must be inaccessible to other users.")
self.assertTrue(query_confidential_event, "Confidential event must be accessible to other internal users.")

def test_edit_private_event_of_other_user(self):
"""
Ensure that it is not possible editing the private event of another user when the current user is not an
attendee/organizer of that event. Attendees should be able to edit it, others will receive AccessError on write.
"""
def ensure_user_can_update_event(self, event, user):
event.with_user(user).write({'name': user.name})
self.assertEqual(event.name, user.name, 'Event name should be updated by user %s' % user.name)

# Prepare events attendees/partners including organizer (john) and another user (raoul).
events_attendees = [
(0, 0, {'partner_id': self.john.partner_id.id, 'state': 'accepted'}),
(0, 0, {'partner_id': self.raoul.partner_id.id, 'state': 'accepted'})
]
events_partners = [self.john.partner_id.id, self.raoul.partner_id.id]

# Set calendar default privacy as private and create a normal event, only attendees/organizer can edit it.
self.john.with_user(self.john).calendar_default_privacy = 'private'
johns_default_privacy_event = self.create_event(self.john, name='my event with default privacy', attendee_ids=events_attendees, partner_ids=events_partners)
ensure_user_can_update_event(self, johns_default_privacy_event, self.john)
ensure_user_can_update_event(self, johns_default_privacy_event, self.raoul)
with self.assertRaises(AccessError):
self.assertEqual(len(self.john.res_users_settings_id), 1, "Res Users Settings for the user is not defined.")
self.assertEqual(self.john.res_users_settings_id.calendar_default_privacy, 'private', "Privacy field update was lost.")
johns_default_privacy_event.with_user(self.george).write({'name': 'blocked-update-by-non-attendee'})

# Set calendar default privacy as public and create a private event, only attendees/organizer can edit it.
self.john.with_user(self.john).calendar_default_privacy = 'public'
johns_private_event = self.create_event(self.john, name='my private event', privacy='private', attendee_ids=events_attendees, partner_ids=events_partners)
ensure_user_can_update_event(self, johns_private_event, self.john)
ensure_user_can_update_event(self, johns_private_event, self.raoul)
with self.assertRaises(AccessError):
self.assertEqual(len(self.john.res_users_settings_id), 1, "Res Users Settings for the user is not defined.")
self.assertEqual(self.john.res_users_settings_id.calendar_default_privacy, 'public', "Privacy field update was lost.")
johns_private_event.with_user(self.george).write({'name': 'blocked-update-by-non-attendee'})

def test_admin_cant_fetch_uninvited_private_events(self):
"""
Administrators must not be able to fetch information from private events which
Expand Down Expand Up @@ -300,28 +243,3 @@ def test_hide_sensitive_fields_private_events_from_uninvited_admins(self):
self.assertEqual(search_fetch_event['name'], "Busy", "Event name must be 'Busy', hiding the information from uninvited administrators.")
else:
self.assertFalse(search_fetch_event[field], "Field %s contains private information, it must be hidden from uninvited administrators." % field)

def test_user_update_calendar_default_privacy(self):
"""
Ensure that administrators and normal users can update their own calendar
default privacy from the 'res.users' related field without throwing any error.
Updates from others users are blocked during write (except for Default User Template from admins).
"""
default_user = self.env.ref('base.default_user', raise_if_not_found=False)

for privacy in ['public', 'private', 'confidential']:
# Update normal user and administrator 'calendar_default_privacy' simulating their own update.
self.john.with_user(self.john).write({'calendar_default_privacy': privacy})
self.admin_system_user.with_user(self.admin_system_user).write({'calendar_default_privacy': privacy})
self.assertEqual(self.john.calendar_default_privacy, privacy, 'Normal user must be able to update its calendar default privacy.')
self.assertEqual(self.admin_system_user.calendar_default_privacy, privacy, 'Admin must be able to update its calendar default privacy.')

# Update the Default User Template's 'calendar_default_privacy' as an administrator.
default_user.with_user(self.admin_system_user).write({'calendar_default_privacy': privacy})
self.assertEqual(default_user.calendar_default_privacy, privacy, 'Admin must be able to update the Default User Template calendar privacy.')

# All calendar default privacy updates (except for Default user Template) must be blocked during write.
with self.assertRaises(AccessError):
self.john.with_user(self.admin_system_user).write({'calendar_default_privacy': privacy})
with self.assertRaises(AccessError):
self.admin_system_user.with_user(self.john).write({'calendar_default_privacy': privacy})

0 comments on commit 131b043

Please sign in to comment.