Update http endpoint

OpenSPP · Sep 16, 2023 · b64759a · b64759a
1 parent 95ecd6d
commit b64759a
Show file tree

Hide file tree

Showing 4 changed files with 75 additions and 1 deletion.
diff --git a/spp_dms/i18n/spp_dms.pot b/spp_dms/i18n/spp_dms.pot
@@ -21,6 +21,7 @@ msgstr ""
 
 #. module: spp_dms
 #: model:ir.model.fields,field_description:spp_dms.field_dms_directory__dms_directory_ids
+#: model:ir.model.fields,field_description:spp_dms.field_ir_http__dms_directory_ids
 msgid "DMS Directories"
 msgstr ""
 
@@ -29,6 +30,11 @@ msgstr ""
 msgid "Directory"
 msgstr ""
 
+#. module: spp_dms
+#: model:ir.model,name:spp_dms.model_ir_http
+msgid "HTTP Routing"
+msgstr ""
+
 #. module: spp_dms
 #: code:addons/spp_dms/models/directory.py:0
 #, python-format

diff --git a/spp_dms/models/__init__.py b/spp_dms/models/__init__.py
@@ -1 +1,2 @@
 from . import directory
+from . import ir_http
diff --git a/spp_dms/models/ir_http.py b/spp_dms/models/ir_http.py
@@ -0,0 +1,42 @@
+import logging
+
+from odoo import models
+
+_logger = logging.getLogger(__name__)
+
+
+class CustomIrHttp(models.AbstractModel):
+    _inherit = "ir.http"
+
+    def binary_content(
+        self,
+        xmlid=None,
+        model="ir.attachment",
+        id=None,  # pylint: disable=W0622
+        field="datas",
+        unique=False,
+        filename=None,
+        filename_field="name",
+        download=False,
+        mimetype=None,
+        default_mimetype="application/octet-stream",
+        access_token=None,
+    ):
+        _logger.debug("DEBUG: ir.http: model: %s" % model)
+        if model == "dms.file":
+            if not self.env.user.has_group("base.group_user"):
+                _logger.debug("DEBUG: ir.http: NOT ALLOWED")
+                return 404, [], None
+        return super().binary_content(
+            xmlid,
+            model,
+            id,
+            field,
+            unique,
+            filename,
+            filename_field,
+            download,
+            mimetype,
+            default_mimetype,
+            access_token,
+        )
diff --git a/spp_dms_security/models/dms_security_mixin.py b/spp_dms_security/models/dms_security_mixin.py
@@ -7,4 +7,29 @@ class DmsSecurityMixin(models.AbstractModel):
 
     @api.model
     def _get_permission_domain(self, operator, value, operation):
-        return TRUE_DOMAIN
+        if self.check_user_group(self.env.user):
+            return TRUE_DOMAIN
+        return super()._get_permission_domain(operator, value, operation)
+
+    def check_user_group(self, user):
+        # Access the 'ir.model.data' model for external IDs
+        mdl = self.env["ir.model.data"]
+
+        # List of group external IDs to check
+        group_external_ids = [
+            "g2p_registry_base.group_g2p_admin",
+            "spp_change_request.group_spp_change_request_administrator",
+            "spp_change_request.group_spp_change_request_validator",
+            "spp_change_request.group_spp_change_request_agent",
+            "spp_change_request.group_spp_change_request_hq_validator",
+            "spp_change_request.group_spp_change_request_local_validator",
+            "spp_change_request.group_spp_change_request_applicator",
+        ]
+
+        # Check if the user is in any of the groups
+        is_in_group = any(
+            mdl._xmlid_to_res_id(group_xmlid) in user.groups_id.ids
+            for group_xmlid in group_external_ids
+        )
+
+        return is_in_group