[14.0][ADD] hr_holidays_security: New module

hr_holidays_security/README.rst

@@ -0,0 +1,98 @@
+====================
+HR Holidays Security
+====================
+
+.. 
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! source digest: sha256:1c52c1427940b2c6755bb73a4807a92cf62c513359e1f21dfd3d0b46495ea1c0
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Beta
+.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
+    :alt: License: AGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fhr--holidays-lightgray.png?logo=github
+    :target: https://github.com/OCA/hr-holidays/tree/14.0/hr_holidays_security
+    :alt: OCA/hr-holidays
+.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
+    :target: https://translation.odoo-community.org/projects/hr-holidays-14-0/hr-holidays-14-0-hr_holidays_security
+    :alt: Translate me on Weblate
+.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
+    :target: https://runboat.odoo-community.org/builds?repo=OCA/hr-holidays&target_branch=14.0
+    :alt: Try me on Runboat
+
+|badge1| |badge2| |badge3| |badge4| |badge5|
+
+This module extends the permissions of Time Off responsibles and
+approvers to flex their team assignments.
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Use Cases / Context
+===================
+
+In a large organization Time Off Responsible users powers can be so
+rigid, as they aren't allowed to fully approve their team's requests.
+Time Off All Approvers have a too much approval scope while Time Off
+Manager would be too powerful.
+
+This module aims to adjust those powers for each group, respecting the
+core workflow.
+
+Usage
+=====
+
+Now a Time Off Responsible and All Approvals users can view, creat,
+edit, reject, set as draft leaves and allocation from their team
+employees.
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/OCA/hr-holidays/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+`feedback <https://github.com/OCA/hr-holidays/issues/new?body=module:%20hr_holidays_security%0Aversion:%2014.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Authors
+-------
+
+* Tecnativa
+* 
+
+Contributors
+------------
+
+-  `Tecnativa <https://tecnativa.com>`__
+
+   -  David Vidal
+
+Maintainers
+-----------
+
+This module is maintained by the OCA.
+
+.. image:: https://odoo-community.org/logo.png
+   :alt: Odoo Community Association
+   :target: https://odoo-community.org
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+This module is part of the `OCA/hr-holidays <https://github.com/OCA/hr-holidays/tree/14.0/hr_holidays_security>`_ project on GitHub.
+
+You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.

hr_holidays_security/__init__.py

@@ -0,0 +1 @@
+from . import models

hr_holidays_security/__manifest__.py

@@ -0,0 +1,18 @@
+# Copyright 2024 Tecnativa - David Vidal
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+{
+    "name": "HR Holidays Security",
+    "summary": "Allow time-off responsibles to fully manage their team requests",
+    "version": "14.0.1.0.0",
+    "license": "AGPL-3",
+    "category": "Human Resources",
+    "author": "Tecnativa, Odoo Community Association (OCA),",
+    "website": "https://github.com/OCA/hr-holidays",
+    "depends": ["hr_holidays"],
+    "data": [
+        "security/security.xml",
+        "views/hr_leave_views.xml",
+        "views/hr_leave_allocation_views.xml",
+    ],
+    "installable": True,
+}

hr_holidays_security/models/__init__.py

@@ -0,0 +1,3 @@
+from . import hr_leave
+from . import hr_leave_allocation
+from . import ir_actions_act_window

hr_holidays_security/models/hr_leave.py

@@ -0,0 +1,71 @@
+# Copyright 2024 Tecnativa - David Vidal
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+from odoo import _, models
+from odoo.exceptions import UserError
+
+
+class HrLeave(models.Model):
+    _inherit = "hr.leave"
+
+    def _check_approval_update(self, state):
+        """Check if target state is achievable"""
+        if (
+            not self.env.user.has_group("hr_holidays.group_hr_holidays_responsible")
+            or self.env.user.has_group("hr_holidays.group_hr_holidays_manager")
+            or self.env.is_superuser()
+        ):
+            return super()._check_approval_update(state)
+        # Do nothing
+        if state == "confirm":
+            return
+        current_employee = self.env.user.employee_id
+        is_officer = self.env.user.has_group("hr_holidays.group_hr_holidays_user")
+        is_responsible = self.env.user.has_group(
+            "hr_holidays.group_hr_holidays_responsible"
+        )
+
+        for holiday in self:
+            val_type = holiday.validation_type
+            if state != "draft":
+                if (
+                    val_type == "no_validation"
+                    and current_employee == holiday.employee_id
+                ):
+                    continue
+                # use ir.rule based first access check: department, members, ...
+                # (see security.xml)
+                holiday.check_access_rule("write")
+                # This handles states validate1 validate and refuse
+                if holiday.employee_id == current_employee:
+                    raise UserError(
+                        _(
+                            "Only a Time Off Manager can approve/refuse its own requests."
+                        )
+                    )
+                if (
+                    (state == "validate1" and val_type == "both")
+                    or (state == "validate" and val_type == "manager")
+                    and holiday.holiday_type == "employee"
+                ):
+                    if (
+                        not is_officer
+                        and self.env.user != holiday.employee_id.leave_manager_id
+                    ):
+                        raise UserError(
+                            _(
+                                "You must be either %s's manager or Time off Manager "
+                                "to approve this leave"
+                            )
+                            % (holiday.employee_id.name)
+                        )
+                if (
+                    not is_responsible
+                    and (state == "validate" and val_type == "hr")
+                    and holiday.holiday_type == "employee"
+                ):
+                    raise UserError(
+                        _(
+                            "You must either be a Time off Officer or Time off Manager "
+                            "to approve this leave"
+                        )
+                    )

hr_holidays_security/models/hr_leave_allocation.py

@@ -0,0 +1,82 @@
+# Copyright 2024 Tecnativa - David Vidal
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+from odoo import api, fields, models
+
+
+class HrLeaveAllocation(models.Model):
+    _inherit = "hr.leave.allocation"
+
+    private_name = fields.Char(groups="hr_holidays.group_hr_holidays_responsible")
+    allowed_holyday_status_ids = fields.Many2many(
+        comodel_name="hr.leave.type", compute="_compute_allowed_holyday_status_ids"
+    )
+
+    def _get_allowed_holyday_status_domain(self):
+        if self.user_has_groups("hr_holidays.group_hr_holidays_user") or (
+            self._user_is_bare_responsible()
+            and self.employee_id.user_id != self.env.user
+        ):
+            return [("valid", "=", True), ("allocation_type", "!=", "no")]
+        else:
+            return [("valid", "=", True), ("allocation_type", "=", "fixed_allocation")]
+
+    @api.depends("employee_id")
+    def _compute_allowed_holyday_status_ids(self):
+        """Responsibles can only do allocations on their team members but on
+        themselves"""
+        for allocation in self:
+            allocation.allowed_holyday_status_ids = self.env["hr.leave.type"].search(
+                allocation._get_allowed_holyday_status_domain()
+            )
+
+    @api.model
+    def _user_is_bare_responsible(self):
+        return self.env.user.has_group(
+            "hr_holidays.group_hr_holidays_responsible"
+        ) and not self.env.user.has_group("hr_holidays.group_hr_holidays_user")
+
+    def _compute_description(self):
+        self.check_access_rights("read")
+        self.check_access_rule("read")
+        if not self._user_is_bare_responsible():
+            return super()._compute_description()
+        for allocation in self:
+            if (
+                allocation.employee_id.user_id == self.env.user
+                or allocation.manager_id == self.env.user
+            ):
+                allocation.name = allocation.sudo().private_name
+            else:
+                allocation.name = "*****"
+
+    def _inverse_description(self):
+        if not self._user_is_bare_responsible():
+            return super()._inverse_description()
+        for allocation in self:
+            if (
+                allocation.employee_id.user_id == self.env.user
+                or allocation.manager_id == self.env.user
+            ):
+                allocation.sudo().private_name = allocation.name
+
+    def _search_description(self, operator, value):
+        if not self._user_is_bare_responsible():
+            return super()._search_description(operator, value)
+        domain = [("private_name", operator, value)]
+        allocations = self.sudo().search(domain)
+        return [("id", "in", allocations.ids)]
+
+    def _check_approval_update(self, state):
+        # Lift restrictions
+        if not self.env.user.has_group("hr_holidays.group_hr_holidays_responsible"):
+            return super()._check_approval_update(state)
+        current_employee = self.env.user.employee_id
+        if not current_employee:
+            return
+        for holiday in self:
+            if state == "confirm":
+                continue
+            if self.env.user == holiday.employee_id.leave_manager_id:
+                # use ir.rule based first access check: department, members, ...
+                # (see security.xml)
+                holiday.check_access_rule("write")

hr_holidays_security/models/ir_actions_act_window.py

@@ -0,0 +1,46 @@
+# Copyright 2024 Tecnativa - David Vidal
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+from odoo import models
+
+
+class IrActionsActWindow(models.Model):
+    _inherit = "ir.actions.act_window"
+
+    def _compute_views(self):
+        # HACK: Not a very nice override but negative groups don't work right in this
+        # case as they don't trigger the necessary compute changes in the views. So we
+        # want to use a different view for this
+        res = super()._compute_views()
+        leave_action = self.filtered(
+            lambda x: x
+            == self.env.ref("hr_holidays.hr_leave_action_action_approve_department")
+        )
+        allocation_action = self.filtered(
+            lambda x: x
+            == self.env.ref("hr_holidays.hr_leave_allocation_action_approve_department")
+        )
+        if leave_action or allocation_action:
+            bare_responsible = self.env.user.has_group(
+                "hr_holidays.group_hr_holidays_responsible"
+            ) and not self.env.user.has_group("hr_holidays.group_hr_holidays_user")
+            if bare_responsible and leave_action:
+                bare_responsible_form = self.env.ref(
+                    "hr_holidays_security.hr_leave_view_form_responsible"
+                )
+                leave_action.views = [
+                    (view, view_type)
+                    if view_type != "form"
+                    else (bare_responsible_form.id, view_type)
+                    for view, view_type in leave_action.views
+                ]
+            if bare_responsible and allocation_action:
+                bare_responsible_form = self.env.ref(
+                    "hr_holidays_security.hr_leave_allocation_view_form_manager"
+                )
+                allocation_action.views = [
+                    (view, view_type)
+                    if view_type != "form"
+                    else (bare_responsible_form.id, view_type)
+                    for view, view_type in allocation_action.views
+                ]
+        return res

hr_holidays_security/readme/CONTEXT.md

@@ -0,0 +1,5 @@
+In a large organization Time Off Responsible users powers can be so rigid, as they
+aren't allowed to fully approve their team's requests. Time Off All Approvers have a
+too much approval scope while Time Off Manager would be too powerful.
+
+This module aims to adjust those powers for each group, respecting the core workflow.

hr_holidays_security/readme/CONTRIBUTORS.md

@@ -0,0 +1,2 @@
+- [Tecnativa](https://tecnativa.com)
+    - David Vidal

hr_holidays_security/readme/DESCRIPTION.md

@@ -0,0 +1,2 @@
+This module extends the permissions of Time Off responsibles and approvers to flex
+their team assignments.

hr_holidays_security/readme/USAGE.md

@@ -0,0 +1,2 @@
+Now a Time Off Responsible and All Approvals users can view, creat, edit, reject, set as
+draft leaves and allocation from their team employees.

hr_holidays_security/security/security.xml

@@ -0,0 +1,9 @@
+<?xml version='1.0' encoding='UTF-8' ?>
+<odoo>
+    <record id="hr_holidays.hr_leave_allocation_rule_officer_update" model="ir.rule">
+        <field
+            name="groups"
+            eval="[(4, ref('hr_holidays.group_hr_holidays_responsible'))]"
+        />
+    </record>
+</odoo>