[FIX] pos_hr: removed the isUserLoggedIn check from isAdmin in pos_store

hyhevic · hyhevic · commit 3027a3b55671 · 2025-04-07T08:15:17.000Z
Steps to reproduce the bug: - Install point of sales app, employees app - Make a shop and enable multiple employees per session option - Add another user as a basic right user for any shop - Open a shop session (the one rights are set up for) - Log out of the current user and log in with the other user account - Open the session - The current logged-in user can close the session despite having basic rights Problem: The close session in the XML was having a condition of pos.employeeIsAdmin, and the employeeIsAdmin flag was checking if the user is having advanced rights on the shop or it is the logged-in Odoo user. So if you are the logged-in user, you will always have the close register option regardless of the access rights you have for a specific shop. opw-4575692 closes odoo#198613 Signed-off-by: Joseph Caburnay (jcb) <jcb@odoo.com>
diff --git a/addons/pos_hr/static/src/overrides/models/pos_store.js b/addons/pos_hr/static/src/overrides/models/pos_store.js
@@ -23,7 +23,7 @@ patch(PosStore.prototype, {
     },
     get employeeIsAdmin() {
         const cashier = this.get_cashier();
-        return cashier._role === "manager" || cashier.user_id?.id === this.user.id;
+        return cashier._role === "manager";
     },
     checkPreviousLoggedCashier() {
         if (this.config.module_pos_hr) {
diff --git a/addons/pos_hr/static/tests/tours/pos_hr_tour.js b/addons/pos_hr/static/tests/tours/pos_hr_tour.js
@@ -132,8 +132,14 @@ registry.category("web_tour.tours").add("CashierCannotClose", {
             Dialog.confirm("Open Register"),
             Chrome.clickMenuButton(),
             {
-                trigger: negate(".close-button"),
+                trigger: negate(`span.dropdown-item:contains("Close Register")`),
             },
             PosHr.cashierNameIs("Test Employee 3"),
+            PosHr.clickCashierName(),
+            SelectionPopup.has("Mitchell Admin", { run: "click" }),
+            Chrome.clickMenuButton(),
+            {
+                trigger: negate(`span.dropdown-item:contains("Close Register")`),
+            },
         ].flat(),
 });
diff --git a/addons/pos_hr/tests/test_frontend.py b/addons/pos_hr/tests/test_frontend.py
@@ -16,15 +16,15 @@ def setUpClass(cls):
         cls.main_pos_config.write({"module_pos_hr": True})
 
         # Admin employee
-        admin = cls.env.ref("hr.employee_admin").sudo().copy({
+        cls.admin = cls.env.ref("hr.employee_admin").sudo().copy({
             "company_id": cls.env.company.id,
             "user_id": cls.pos_admin.id,
             "name": "Mitchell Admin",
             "pin": False,
         })
 
         # User employee
-        emp1 = cls.env['hr.employee'].create({
+        cls.emp1 = cls.env['hr.employee'].create({
             'name': 'Test Employee 1',
             "company_id": cls.env.company.id,
         })
@@ -35,24 +35,24 @@ def setUpClass(cls):
             name="Pos Employee1",
             email="emp1_user@pos.com",
         )
-        emp1.write({"name": "Pos Employee1", "pin": "2580", "user_id": emp1_user.id})
+        cls.emp1.write({"name": "Pos Employee1", "pin": "2580", "user_id": emp1_user.id})
 
         # Non-user employee
-        emp2 = cls.env['hr.employee'].create({
+        cls.emp2 = cls.env['hr.employee'].create({
             'name': 'Test Employee 2',
             "company_id": cls.env.company.id,
         })
-        emp2.write({"name": "Pos Employee2", "pin": "1234"})
-        (admin + emp1 + emp2).company_id = cls.env.company
+        cls.emp2.write({"name": "Pos Employee2", "pin": "1234"})
+        (cls.admin + cls.emp1 + cls.emp2).company_id = cls.env.company
 
-        emp3 = cls.env['hr.employee'].create({
+        cls.emp3 = cls.env['hr.employee'].create({
             'name': 'Test Employee 3',
             "user_id": cls.pos_user.id,
             "company_id": cls.env.company.id,
         })
 
         cls.main_pos_config.write({
-            'basic_employee_ids': [Command.link(emp1.id), Command.link(emp2.id), Command.link(emp3.id)]
+            'basic_employee_ids': [Command.link(cls.emp1.id), Command.link(cls.emp2.id), Command.link(cls.emp3.id)]
         })
 
 
@@ -64,6 +64,7 @@ def test_01_pos_hr_tour(self):
                 (4, self.env.ref('account.group_account_invoice').id)
             ]
         })
+        self.main_pos_config.advanced_employee_ids = self.admin.ids
         self.main_pos_config.with_user(self.pos_admin).open_ui()
         self.start_pos_tour("PosHrTour", login="pos_admin")
 
@@ -90,6 +91,11 @@ def test_cashier_can_see_product_info(self):
 
     def test_basic_user_cannot_close_session(self):
         # open a session, the /pos/ui controller will redirect to it
+        self.main_pos_config.advanced_employee_ids = []
+        self.main_pos_config.basic_employee_ids = [
+            Command.link(self.emp3.id),
+            Command.link(self.admin.id)
+        ]
         self.main_pos_config.with_user(self.pos_admin).open_ui()
 
         self.start_tour(
