[ADD] base_tier_validation: dedicated manager group, menu out of Technical #47
Open
bosd wants to merge 1 commit into
Hi @LoisRForgeFlow,
Managing tier definitions/exceptions previously required Settings > Technical access (write gated to base.group_erp_manager / base.group_system, menu nested under base.menu_custom). Giving a trusted key user that access is dangerous -- they can damage the whole system. Add a dedicated "Tier Validation Administrator" group (group_tier_validation_manager) with CRUD on tier.definition, tier.validation.exception and tier.review, and relocate the "Tier Validations" menu to a top-level entry gated by that group. base.group_system implies the new group so existing administrators keep full access and still see the (now top-level) menu. Note: an erp_manager who is not also a system admin keeps model write access via the existing access_tier_definition_settings row but loses automatic menu visibility after the relocation. Left as-is per design; flagged for reviewer input on whether base.group_erp_manager should also imply the new group.
c1d04e1 to 40b95ed
Problem
Managing tier definitions today requires giving a user access to Settings > Technical: the Tier Validations menu is nested under base.menu_custom, tier.definition write is gated to base.group_erp_manager, and tier.validation.exception write to base.group_system. There is no dedicated tier-validation group.
For deployments where a trusted client key user should maintain tier definitions, the only option is granting erp-manager / Technical access -- which lets them damage the whole system. We need a least-privilege path.
Change
(group_tier_validation_manager) under a new Tier Validation module category, so it is a clean selectable role in Settings > Users.
ir.model.access rows granting that group CRUD on tier.definition, tier.validation.exception and tier.review.
Technical to a top-level menu, gated by the new group.
base.group_system implies the new group, so existing administrators keep full access and still see the (now top-level) menu. Existing erp_manager/group_user access rows are left untouched.
security/tier_validation_groups.xml loads before ir.model.access.csv (which references the new group).
Open question for reviewers
An erp_manager who is not also a system admin keeps tier.definition write via the existing access_tier_definition_settings row, but loses automatic menu visibility once the menu leaves Technical. Left as-is per the requested design (only group_system implies the new group). Happy to also add base.group_erp_manager -> implied if reviewers prefer.
Tests
test_35_manager_group_can_configure_without_technical: group_user + group_tier_validation_manager (no system / erp_manager / Technical) can create and write a tier.definition; group_user user gets AccessError; group_system user implies the manager group (back-compat).
Scope
19.0 only for now. The 18.0 backport (OCA/server-ux, identical menu / security structure) is deferred to a separate follow-up.
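The access model this description lays out, as a small Python simulation added here (not code from the PR or from OCA): it resolves implied groups, then evaluates additive ACL rows and menu group gating for the users named under Tests and Open question. The permission bits on the pre-existing erp_manager and group_user rows are assumptions.

```python
# Added illustration, not the module's code: a minimal model of group
# resolution. Group and model names come from the PR text.
CRUD = frozenset({"read", "write", "create", "unlink"})
MANAGER = "group_tier_validation_manager"
IMPLIED = {"base.group_system": {MANAGER}}  # stated in the PR

# (group, model) -> granted permissions; ACL rows are additive across groups.
ACCESS = {
    (MANAGER, "tier.definition"): CRUD,
    (MANAGER, "tier.validation.exception"): CRUD,
    (MANAGER, "tier.review"): CRUD,
    # access_tier_definition_settings: write for erp_manager (per the PR);
    # the remaining bits on this row are assumed.
    ("base.group_erp_manager", "tier.definition"): CRUD,
    # Assumed read-only row for ordinary internal users.
    ("base.group_user", "tier.definition"): frozenset({"read"}),
}
MENU_GROUPS = {"Tier Validations": {MANAGER}}  # top-level menu after the PR


def effective_groups(direct):
    """Directly assigned groups plus everything they imply, transitively."""
    seen, todo = set(), list(direct)
    while todo:
        group = todo.pop()
        if group not in seen:
            seen.add(group)
            todo.extend(IMPLIED.get(group, ()))
    return seen


def can(direct, model, perm):
    """True if any ACL row of any effective group grants perm on model."""
    groups = effective_groups(direct)
    return any(perm in perms for (g, m), perms in ACCESS.items()
               if m == model and g in groups)


def sees_menu(direct, menu):
    """A group-gated menu is visible if the user holds any of its groups."""
    return bool(effective_groups(direct) & MENU_GROUPS[menu])


def audit(direct):
    """Summarise what a user with these directly assigned groups gets."""
    return {
        "write_definition": can(direct, "tier.definition", "write"),
        "write_exception": can(direct, "tier.validation.exception", "write"),
        "menu": sees_menu(direct, "Tier Validations"),
    }
```

Calling `audit({"base.group_user", "base.group_erp_manager"})` reproduces the open question: write access to tier.definition without the menu.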