[18.0][ADD] mail_activity_restrict: Option to make activities readonly when user is not assigend

.github/workflows/test.yml

@@ -36,17 +36,17 @@ jobs:
       matrix:
         include:
           - container: ghcr.io/oca/oca-ci/py3.10-odoo18.0:latest
-            include: "mail_post_defer"
+            include: "mail_post_defer,mail_activity_done"
             name: test with Odoo
           - container: ghcr.io/oca/oca-ci/py3.10-ocb18.0:latest
-            include: "mail_post_defer"
+            include: "mail_post_defer,mail_activity_done"
             name: test with OCB
             makepot: "true"
           - container: ghcr.io/oca/oca-ci/py3.10-odoo18.0:latest
-            exclude: "mail_post_defer"
+            exclude: "mail_post_defer,mail_activity_done"
             name: test with Odoo
           - container: ghcr.io/oca/oca-ci/py3.10-ocb18.0:latest
-            exclude: "mail_post_defer"
+            exclude: "mail_post_defer,mail_activity_done"
             name: test with OCB
             makepot: "true"
     services:

mail_activity_restrict/README.rst

@@ -0,0 +1,84 @@
+===============================
+Mail Activity Write Restriction
+===============================
+
+.. 
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! source digest: sha256:fca1d7f4b556efb27cc73e10028731aabfc09055e8de4512727b28352a6361e3
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Beta
+.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
+    :alt: License: AGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fmail-lightgray.png?logo=github
+    :target: https://github.com/OCA/mail/tree/18.0/mail_activity_restrict
+    :alt: OCA/mail
+.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
+    :target: https://translation.odoo-community.org/projects/mail-18-0/mail-18-0-mail_activity_restrict
+    :alt: Translate me on Weblate
+.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
+    :target: https://runboat.odoo-community.org/builds?repo=OCA/mail&target_branch=18.0
+    :alt: Try me on Runboat
+
+|badge1| |badge2| |badge3| |badge4| |badge5|
+
+When the activity type option "Restrict Write to Assigned User" on an
+activity type is enabled, only the assigned user can edit or mark the
+activity as done.
+
+The restriction is enforced through the activity access check, so it
+applies consistently to write and done flows.
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Usage
+=====
+
+To use this module:
+
+1. Go to Activity Types.
+2. Open the activity type you want to protect.
+3. Enable "Restrict Write to Assigned User".
+4. Save.
+
+From now on, only the assigned user can modify or complete activities of
+this type.
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/OCA/mail/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+`feedback <https://github.com/OCA/mail/issues/new?body=module:%20mail_activity_restrict%0Aversion:%2018.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Maintainers
+-----------
+
+This module is maintained by the OCA.
+
+.. image:: https://odoo-community.org/logo.png
+   :alt: Odoo Community Association
+   :target: https://odoo-community.org
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+This module is part of the `OCA/mail <https://github.com/OCA/mail/tree/18.0/mail_activity_restrict>`_ project on GitHub.
+
+You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.

mail_activity_restrict/__init__.py

@@ -0,0 +1 @@
+from . import models

mail_activity_restrict/__manifest__.py

@@ -0,0 +1,16 @@
+{
+    "name": "Mail Activity Write Restriction",
+    "version": "18.0.1.0.0",
+    "category": "Productivity/Mail",
+    "license": "AGPL-3",
+    "author": "Odoo Community Association (OCA)",
+    "website": "https://github.com/OCA/mail",
+    "depends": [
+        "mail",
+    ],
+    "data": [
+        "views/mail_activity_type_views.xml",
+    ],
+    "installable": True,
+    "application": False,
+}

mail_activity_restrict/models/__init__.py

@@ -0,0 +1,2 @@
+from . import mail_activity_type
+from . import mail_activity

mail_activity_restrict/models/mail_activity.py

@@ -0,0 +1,49 @@
+"""Restrict mail.activity modifications to the assigned user."""
+
+from odoo import models
+from odoo.exceptions import AccessError
+
+
+class MailActivity(models.Model):
+    """Extend mail.activity access checks for restricted activity types."""
+
+    _inherit = "mail.activity"
+
+    def _get_can_write_restrict_allowed_activities(self):
+        """Return restricted activities the current user may modify."""
+        return self.sudo().filtered_domain([("user_id", "=", self.env.uid)])
+
+    def _make_can_write_restrict_error(self, operation: str) -> AccessError:
+        """Build the access error raised for restricted activity types."""
+        if len(self) == 1:
+            return AccessError(
+                self.env._(
+                    "You cannot %(operation)s this activity because only "
+                    "the assigned user can modify activities of this type.",
+                    operation=operation,
+                )
+            )
+        return AccessError(
+            self.env._(
+                "You cannot %(operation)s some activities because only their "
+                "assigned user can modify activities of this type.",
+                operation=operation,
+            )
+        )
+
+    def _check_access(self, operation: str) -> tuple | None:
+        """Restrict write-like operations when the activity type requires it."""
+        result = super()._check_access(operation)
+        if operation not in ("write", "unlink") or not self or self.env.su:
+            return result
+
+        restricted = self.filtered("activity_type_id.can_write_restrict")
+        forbidden = restricted - restricted._get_can_write_restrict_allowed_activities()
+        if not forbidden:
+            return result
+
+        if result and not (forbidden - result[0]):
+            return result
+
+        forbidden = result[0] | forbidden if result else forbidden
+        return forbidden, lambda: forbidden._make_can_write_restrict_error(operation)

mail_activity_restrict/models/mail_activity_type.py

@@ -0,0 +1,18 @@
+"""Extension to mail.activity.type model for write restriction."""
+
+from odoo import fields, models
+
+
+class MailActivityType(models.Model):
+    """Extend mail.activity.type with write restriction control."""
+
+    _inherit = "mail.activity.type"
+
+    can_write_restrict = fields.Boolean(
+        string="Restrict Write to Assigned User",
+        default=False,
+        help=(
+            "If checked, only the assigned user (user_id field) can write/edit "
+            "activities of this type. Other users cannot modify restricted activities."
+        ),
+    )

mail_activity_restrict/pyproject.toml

@@ -0,0 +1,3 @@
+[build-system]
+requires = ["whool"]
+build-backend = "whool.buildapi"

mail_activity_restrict/readme/DESCRIPTION.md

@@ -0,0 +1,5 @@
+When the activity type option "Restrict Write to Assigned User" on an activity type is enabled,
+only the assigned user can edit or mark the activity as done.
+
+The restriction is enforced through the activity access check, so it applies
+consistently to write and done flows.

mail_activity_restrict/readme/USAGE.md

@@ -0,0 +1,8 @@
+To use this module:
+
+1. Go to Activity Types.
+2. Open the activity type you want to protect.
+3. Enable "Restrict Write to Assigned User".
+4. Save.
+
+From now on, only the assigned user can modify or complete activities of this type.