[14.0][FIX][IMP] base_user_role_profile : add the missing swiching widget, add new options to further improve the usability

base_user_role_profile/README.rst

@@ -7,7 +7,7 @@ User profiles
    !! This file is generated by oca-gen-addon-readme !!
    !! changes will be overwritten.                   !!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-   !! source digest: sha256:7f308b13d03b7b0e6850750c99b22d6402ac11c6dffc22e98b902f25d888360b
+   !! source digest: sha256:f0a35c3f15b1acf7c8ebc040651638e87cb2ded68c502f1d0260f48498d10330
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
 .. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
@@ -31,13 +31,20 @@ User profiles
 Extending the base_user_role module, this one adds the notion of profiles. Effectively profiles act as an additional filter to how the roles are used.
 
 This allows users to switch their permission groups dynamically. This can be useful for example to:
- - finer grain control on menu and model permissions (with record rules this becomes very flexible)
- - break down complicated menus into simpler ones
- - easily restrict users accidentally editing or creating records in O2M fields and in general misusing the interface, instead of excessively explaining things to them
+
+  * finer grain control on menu and model permissions (with record rules this becomes very flexible)
+  * break down complicated menus into simpler ones
+  * easily restrict users accidentally editing or creating records in O2M fields and in general misusing the interface, instead of excessively explaining things to them
 
 When you define a role, you have the possibility to link it to a profile. Roles are applied to users in the following way:
-  - Apply user's roles without profiles in any case
-  - Apply user's roles that are linked to the currently selected profile
+
+  * Apply user's roles without profiles in any case
+  * Apply user's roles that are linked to the currently selected profile
+
+In addition you can:
+
+  * Add a 'no profile' profile to the user's choice of profile, to allow him to select a specific profile which enables only the roles without a profile.
+  * Restrict the user to change it's profile, which can be usefull in a security emergency.
 
 **Table of contents**
 
@@ -47,12 +54,24 @@ When you define a role, you have the possibility to link it to a profile. Roles
 Configuration
 =============
 
-Go to Configuration / Users / Profiles and create a profile. Go to Configuration / Users / Roles and define some role lines with profiles.
+To configure this module, you need to go to *Configuration / Users / Profiles*,
+and create a new profile.
+
+Then go to *Configuration / Users / Roles* and set some roles with a profile.
+
+Then go to *Configuration / Users / Users* and add some roles if not already done. The allowed profiles will computes automatically.
+
+In addition you can:
+
+  * Check the "Include Default Profile" box to have the default profile as an allowed profile.
+  * Change the current profile if needed.
+  * Check the "Restrict Profile Switching" to restrict the user to change it's profile, in that case you can still change it from the user's settings form.
 
 Usage
 =====
 
-Once you have set up at least one profile for a user, use the widget in the top bar to switch user profiles. Note that it is possible to use no profile; in this case, the user will only get the roles that always apply (i.e the ones with no profile_id).
+Once you have set up at least one profile for a user, use the widget in the top bar to switch user profiles.
+Note that it is possible to use no profile; in this case, the user will only get the roles that always apply (i.e the ones with no profile_id).
 
 Bug Tracker
 ===========
@@ -75,6 +94,7 @@ Authors
 Contributors
 ~~~~~~~~~~~~
 
+* Olivier Nibart <[email protected]>
 * Kevin Khao <[email protected]>
 * Sébastien Beau <[email protected]>
 
@@ -91,6 +111,14 @@ OCA, or the Odoo Community Association, is a nonprofit organization whose
 mission is to support the collaborative development of Odoo features and
 promote its widespread use.
 
+.. |maintainer-nayatec| image:: https://github.com/nayatec.png?size=40px
+    :target: https://github.com/nayatec
+    :alt: nayatec
+
+Current `maintainer <https://odoo-community.org/page/maintainer-role>`__:
+
+|maintainer-nayatec| 
+
 This module is part of the `OCA/server-backend <https://github.com/OCA/server-backend/tree/14.0/base_user_role_profile>`_ project on GitHub.
 
 You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.

base_user_role_profile/__manifest__.py

@@ -7,6 +7,7 @@
     "author": "Akretion, Odoo Community Association (OCA)",
     "license": "AGPL-3",
     "website": "https://github.com/OCA/server-backend",
+    "maintainers": ["nayatec"],
     "depends": ["base_user_role", "web"],
     "post_init_hook": "post_init_hook",
     "data": [

base_user_role_profile/models/ir_http.py

@@ -9,7 +9,12 @@ class Http(models.AbstractModel):
     def session_info(self):  # pragma: no cover
         result = super().session_info()
         user = request.env.user
-        allowed_profiles = [(profile.id, profile.name) for profile in user.profile_ids]
+        if not user.restrict_profile_switching:
+            allowed_profiles = [
+                (profile.id, profile.name) for profile in user.profile_ids
+            ]
+        else:
+            allowed_profiles = []
         if len(allowed_profiles) > 1:
             current_profile = (user.profile_id.id, user.profile_id.name)
             result["user_profiles"] = {

base_user_role_profile/models/role.py

@@ -10,6 +10,13 @@
         "Profile",
     )
 
+    def write(self, vals):
+        res = super().write(vals)
+        if "profile_id" in vals:
+            # update the user's allowed profiles
+            self.user_ids._compute_profile_ids()
+        return res
+
 
 class ResUsersRoleLine(models.Model):
     _inherit = "res.users.role.line"

base_user_role_profile/models/user.py

@@ -21,6 +21,21 @@ def _get_default_profile(self):
         string="Currently allowed profiles",
     )
 
+    restrict_profile_switching = fields.Boolean(
+        "Restrict Profile Switching",
+        help="If enabled, the user will be prevented from changing their profile. "
+        "This acts as a security measure to "
+        "lock users into their current profile.",
+    )
+
+    include_default_profile = fields.Boolean(
+        "Include Default Profile",
+        help="If enabled, the default profile ('no profile') will be added to "
+        "the user's allowed profiles. "
+        "This allows the user to select a profile that activates only the roles "
+        "not associated with any specific profile.",
+    )
+
     def _get_action_root_menu(self):
         # used JS-side. Reload the client; open the first available root menu
         menu = self.env["ir.ui.menu"].search([("parent_id", "=", False)])[:1]
@@ -31,7 +46,8 @@ def _get_action_root_menu(self):
         }
 
     def action_profile_change(self, vals):
-        self.write(vals)
+        if not self.restrict_profile_switching:
+            self.write(vals)
         return self._get_action_root_menu()
 
     @api.model
@@ -42,12 +58,15 @@ def create(self, vals):
         return new_record
 
     def write(self, vals):
-        # inspired by base/models/res_users.py l. 491
-        if self == self.env.user and vals.get("profile_id"):
+        if not self.env.su and vals.get("profile_id"):
             self.sudo().write({"profile_id": vals["profile_id"]})
             del vals["profile_id"]
         res = super().write(vals)
-        if vals.get("profile_id") or vals.get("role_line_ids"):
+        if (
+            "profile_id" in vals
+            or "role_line_ids" in vals
+            or "include_default_profile" in vals
+        ):
             self.sudo()._compute_profile_ids()
         return res
 
@@ -67,9 +86,13 @@ def _update_profile_id(self):
             self.write({"profile_id": self.profile_ids[0].id})
 
     def _compute_profile_ids(self):
+        default_profile = self._get_default_profile()
         for rec in self:
             role_lines = rec.role_line_ids
             profiles = role_lines.mapped("profile_id")
+            if rec.include_default_profile:
+                profiles = default_profile + profiles
+
             rec.profile_ids = profiles
             # set defaults in case applicable profile changes
             rec._update_profile_id()

base_user_role_profile/readme/CONFIGURE.rst

@@ -1 +1,12 @@
-Go to Configuration / Users / Profiles and create a profile. Go to Configuration / Users / Roles and define some role lines with profiles.
+To configure this module, you need to go to *Configuration / Users / Profiles*,
+and create a new profile.
+
+Then go to *Configuration / Users / Roles* and set some roles with a profile.
+
+Then go to *Configuration / Users / Users* and add some roles if not already done. The allowed profiles will computes automatically.
+
+In addition you can:
+
+  * Check the "Include Default Profile" box to have the default profile as an allowed profile.
+  * Change the current profile if needed.
+  * Check the "Restrict Profile Switching" to restrict the user to change it's profile, in that case you can still change it from the user's settings form.

base_user_role_profile/readme/CONTRIBUTORS.rst

@@ -1,2 +1,3 @@
+* Olivier Nibart <[email protected]>
 * Kevin Khao <[email protected]>
 * Sébastien Beau <[email protected]>

base_user_role_profile/readme/DESCRIPTION.rst

@@ -1,10 +1,17 @@
 Extending the base_user_role module, this one adds the notion of profiles. Effectively profiles act as an additional filter to how the roles are used.
 
 This allows users to switch their permission groups dynamically. This can be useful for example to:
- - finer grain control on menu and model permissions (with record rules this becomes very flexible)
- - break down complicated menus into simpler ones
- - easily restrict users accidentally editing or creating records in O2M fields and in general misusing the interface, instead of excessively explaining things to them
+
+  * finer grain control on menu and model permissions (with record rules this becomes very flexible)
+  * break down complicated menus into simpler ones
+  * easily restrict users accidentally editing or creating records in O2M fields and in general misusing the interface, instead of excessively explaining things to them
 
 When you define a role, you have the possibility to link it to a profile. Roles are applied to users in the following way:
-  - Apply user's roles without profiles in any case
-  - Apply user's roles that are linked to the currently selected profile
+
+  * Apply user's roles without profiles in any case
+  * Apply user's roles that are linked to the currently selected profile
+
+In addition you can:
+
+  * Add a 'no profile' profile to the user's choice of profile, to allow him to select a specific profile which enables only the roles without a profile.
+  * Restrict the user to change it's profile, which can be usefull in a security emergency.

base_user_role_profile/readme/USAGE.rst

@@ -1 +1,2 @@
-Once you have set up at least one profile for a user, use the widget in the top bar to switch user profiles. Note that it is possible to use no profile; in this case, the user will only get the roles that always apply (i.e the ones with no profile_id).
+Once you have set up at least one profile for a user, use the widget in the top bar to switch user profiles.
+Note that it is possible to use no profile; in this case, the user will only get the roles that always apply (i.e the ones with no profile_id).

base_user_role_profile/static/description/index.html

@@ -366,25 +366,32 @@ <h1 class="title">User profiles</h1>
 !! This file is generated by oca-gen-addon-readme !!
 !! changes will be overwritten.                   !!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-!! source digest: sha256:7f308b13d03b7b0e6850750c99b22d6402ac11c6dffc22e98b902f25d888360b
+!! source digest: sha256:f0a35c3f15b1acf7c8ebc040651638e87cb2ded68c502f1d0260f48498d10330
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
 <p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-backend/tree/14.0/base_user_role_profile"><img alt="OCA/server-backend" src="https://img.shields.io/badge/github-OCA%2Fserver--backend-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-backend-14-0/server-backend-14-0-base_user_role_profile"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-backend&amp;target_branch=14.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
 <p>Extending the base_user_role module, this one adds the notion of profiles. Effectively profiles act as an additional filter to how the roles are used.</p>
-<dl class="docutils">
-<dt>This allows users to switch their permission groups dynamically. This can be useful for example to:</dt>
-<dd><ul class="first last simple">
+<p>This allows users to switch their permission groups dynamically. This can be useful for example to:</p>
+<blockquote>
+<ul class="simple">
 <li>finer grain control on menu and model permissions (with record rules this becomes very flexible)</li>
 <li>break down complicated menus into simpler ones</li>
 <li>easily restrict users accidentally editing or creating records in O2M fields and in general misusing the interface, instead of excessively explaining things to them</li>
 </ul>
-</dd>
-<dt>When you define a role, you have the possibility to link it to a profile. Roles are applied to users in the following way:</dt>
-<dd><ul class="first last simple">
+</blockquote>
+<p>When you define a role, you have the possibility to link it to a profile. Roles are applied to users in the following way:</p>
+<blockquote>
+<ul class="simple">
 <li>Apply user’s roles without profiles in any case</li>
 <li>Apply user’s roles that are linked to the currently selected profile</li>
 </ul>
-</dd>
-</dl>
+</blockquote>
+<p>In addition you can:</p>
+<blockquote>
+<ul class="simple">
+<li>Add a ‘no profile’ profile to the user’s choice of profile, to allow him to select a specific profile which enables only the roles without a profile.</li>
+<li>Restrict the user to change it’s profile, which can be usefull in a security emergency.</li>
+</ul>
+</blockquote>
 <p><strong>Table of contents</strong></p>
 <div class="contents local topic" id="contents">
 <ul class="simple">
@@ -401,11 +408,23 @@ <h1 class="title">User profiles</h1>
 </div>
 <div class="section" id="configuration">
 <h1><a class="toc-backref" href="#toc-entry-1">Configuration</a></h1>
-<p>Go to Configuration / Users / Profiles and create a profile. Go to Configuration / Users / Roles and define some role lines with profiles.</p>
+<p>To configure this module, you need to go to <em>Configuration / Users / Profiles</em>,
+and create a new profile.</p>
+<p>Then go to <em>Configuration / Users / Roles</em> and set some roles with a profile.</p>
+<p>Then go to <em>Configuration / Users / Users</em> and add some roles if not already done. The allowed profiles will computes automatically.</p>
+<p>In addition you can:</p>
+<blockquote>
+<ul class="simple">
+<li>Check the “Include Default Profile” box to have the default profile as an allowed profile.</li>
+<li>Change the current profile if needed.</li>
+<li>Check the “Restrict Profile Switching” to restrict the user to change it’s profile, in that case you can still change it from the user’s settings form.</li>
+</ul>
+</blockquote>
 </div>
 <div class="section" id="usage">
 <h1><a class="toc-backref" href="#toc-entry-2">Usage</a></h1>
-<p>Once you have set up at least one profile for a user, use the widget in the top bar to switch user profiles. Note that it is possible to use no profile; in this case, the user will only get the roles that always apply (i.e the ones with no profile_id).</p>
+<p>Once you have set up at least one profile for a user, use the widget in the top bar to switch user profiles.
+Note that it is possible to use no profile; in this case, the user will only get the roles that always apply (i.e the ones with no profile_id).</p>
 </div>
 <div class="section" id="bug-tracker">
 <h1><a class="toc-backref" href="#toc-entry-3">Bug Tracker</a></h1>
@@ -426,6 +445,7 @@ <h2><a class="toc-backref" href="#toc-entry-5">Authors</a></h2>
 <div class="section" id="contributors">
 <h2><a class="toc-backref" href="#toc-entry-6">Contributors</a></h2>
 <ul class="simple">
+<li>Olivier Nibart &lt;<a class="reference external" href="mailto:olivier.nibart&#64;akretion.com">olivier.nibart&#64;akretion.com</a>&gt;</li>
 <li>Kevin Khao &lt;<a class="reference external" href="mailto:kevin.khao&#64;akretion.com">kevin.khao&#64;akretion.com</a>&gt;</li>
 <li>Sébastien Beau &lt;<a class="reference external" href="mailto:sebastien.beau&#64;akretion.com">sebastien.beau&#64;akretion.com</a>&gt;</li>
 </ul>
@@ -437,6 +457,8 @@ <h2><a class="toc-backref" href="#toc-entry-7">Maintainers</a></h2>
 <p>OCA, or the Odoo Community Association, is a nonprofit organization whose
 mission is to support the collaborative development of Odoo features and
 promote its widespread use.</p>
+<p>Current <a class="reference external" href="https://odoo-community.org/page/maintainer-role">maintainer</a>:</p>
+<p><a class="reference external image-reference" href="https://github.com/nayatec"><img alt="nayatec" src="https://github.com/nayatec.png?size=40px" /></a></p>
 <p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-backend/tree/14.0/base_user_role_profile">OCA/server-backend</a> project on GitHub.</p>
 <p>You are welcome to contribute. To learn how please visit <a class="reference external" href="https://odoo-community.org/page/Contribute">https://odoo-community.org/page/Contribute</a>.</p>
 </div>