[RFC] new api.groups decorator for function

[legalsylvain]

Hi all,

I think about a new decorator like

@api.groups('group_1', 'group_2', '...')
def function_name(self, args):
    ...

to decorate function that are call by function in a xml file like <button name='function_name' />.

The decorator will check if current user is a member of one of the defined groups, if not an access error is raised. Then, in the render view, the button is hidden if the user is not a member of the defined groups automatically

That new decorator could fix security breaches that allow user to call a function of a hidden button, by xml RPC.

In a second time we could imagine other decorators @api.add_groups or @api.remove_groups to add or remove access to a function, in a custom module that inherit a model.

Thanks for your comment.

[lasley]

I think this is a good idea - security by obscurity (hiding the buttons) doesn't work.

Question is where to put this. I made an OCA Python module that has an api.foreach implementation in it, but there wasn't much movement on the getting it into OCA front

[pedrobaeza]

I still think it's a good idea to have an OCA API library. @lasley you only need to create the repo following the method put in the OCA instance task ("Create a project") and make the PR.

About this feature, 👍 for adding it, but not with the decorators add_groups and so on. This should be handled with the inheritance: if you add any new group in the decorator on an overwritten method, then that group is added to the list. About the removal of groups, then you should use other techniques like in core (for example, another method with less groups that calls the original method).

[legalsylvain]

Hi ! Thanks for your answer. A OCA API library LGTM. Great idea !

but not with the decorators add_groups and so on

You're right, it could be simplified indeed.

About the removal of groups, then you should use other techniques like in core (for example, another method with less groups that calls the original method).

Not sure it will cover all the needs, but we'll talk about it in a specific PR against the new repo.

@lasley you only need to create the repo following the method put in the OCA instance task ("Create a project") and make the PR.

@lasley , please ping me when the repo is created, I'll began a POC then and try to finish the work in the next Open (/ Closed) Days.

[lasley]

I still think it's a good idea to have an OCA API library. @lasley you only need to create the repo following the method put in the OCA instance task ("Create a project") and make the PR.

Good point - at the time I didn't have permissions to do this. I'm not finding this process in the OCA instance though- I'll dig a bit more & report back with the new repo.

[lasley]

Hmmm ok yeah so I can't find a process for repo creation, so I was just going to go ahead and create the repo - but it seems I don't have permissions. @pedrobaeza would you mind creating a blank OCA/python-oca repo so that I can submit a PR to it?

[NL66278]

👍 For having a decorator that does this. I had the idea to create a @privileged decorator that would do the same thing and that could be imported from a new tools module in server-tools.

But having the decorator a part of a pip library might be as well. I only wonder about the name @api.groups. Would that not be confusing as this is then not coming from the odoo api python module?

[legalsylvain]

Hi @NL66278,

well, about the name space, I think that collision will not be possible, because the name will be @oca.groups and not @api.groups. (or something similar)

[NL66278]

@legalsylvain I was reacting to the first example use. Having @oca.groups would be great.

[lmignon]

@legalsylvain It's a good idea!

I'd rather keep' oca' as a namespace package available to all oca packages. We could name this new package 'oca-decorator'. This package would provide 'oca.decorator' (or oca.xyz)

from oca.decorator import groups

    @groups(..)
    def function_name():

About groups I'd prefer a more explicit name for example allowed_groups.

lmi

[pedrobaeza]

@lasley this is the task where the process for a new repository/PSC is specified: https://odoo-community.org/web#id=264&view_type=form&model=project.task&action=468&active_id=2

[lasley]

Omg thanks Pedro! For some reason I searched everything from Project to Repo, but didn't think to include "PSC". Derp!

I'll still need some additional rights in the OCA GitHub though - I don't have the new button:

[pedrobaeza]

Try again now that I have changed your role.

[lmignon]

@lasley @pedro Why python-oca? This name is meaningless. How do you plan to name the python package?

[lasley]

@lmignon - I asked for suggestions and this was the best one. The python package is similarly named.

What's you idea? I'm all ears.