[FIX] website_sale_aplicoop: restringir acceso portal por grupo de consumo

2026-04-07 22:48:59 +02:00 · 2026-04-07 22:48:59 +02:00 · 6a748ca308
commit 6a748ca308
parent 7d11a95344
2 changed files with 65 additions and 5 deletions
--- a/website_sale_aplicoop/security/record_rules.xml
+++ b/website_sale_aplicoop/security/record_rules.xml
@ -1,13 +1,14 @@
 <?xml version="1.0" encoding="utf-8"?>
 <odoo>
-    <data noupdate="1">
+    <data>

        <!-- Record Rule: Users can read only their company orders -->
        <!-- Record Rule: Internal users (no specific group) - restrict to company + groups -->
        <record id="rule_group_order_user_company_read_internal" model="ir.rule">
            <field name="name">group.order: internal users company access read</field>
            <field name="model_id" ref="model_group_order"/>
-            <field name="domain_force">[('company_id','in', user.company_ids.ids)]</field>
+            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
+            <field name="domain_force">[('company_id', 'in', user.company_ids.ids)] if not user.share else [(0, '=', 1)]</field>
            <field name="perm_read">1</field>
            <field name="perm_write">0</field>
            <field name="perm_create">0</field>
@ -50,12 +51,12 @@
            <field name="perm_unlink">1</field>
        </record>

-        <!-- Record Rule: Portal users can read only their company orders -->
+        <!-- Record Rule: Portal users can read only orders from their company and assigned consumer groups -->
        <record id="rule_group_order_portal_read" model="ir.rule">
-            <field name="name">group.order: portal access read (company)</field>
+            <field name="name">group.order: portal access read (company + consumer group)</field>
            <field name="model_id" ref="model_group_order"/>
            <field name="groups" eval="[(4, ref('base.group_portal'))]"/>
-            <field name="domain_force">[('company_id','=', user.company_id.id)]</field>
+            <field name="domain_force">[('company_id', '=', user.company_id.id), ('group_ids', 'in', user.partner_id.group_ids.ids)]</field>
            <field name="perm_read">1</field>
            <field name="perm_write">0</field>
            <field name="perm_create">0</field>
--- a/website_sale_aplicoop/tests/test_record_rules.py
+++ b/website_sale_aplicoop/tests/test_record_rules.py
@ -62,6 +62,7 @@ class TestGroupOrderRecordRules(TransactionCase):
        self.group1 = self.env["res.partner"].create(
            {
                "name": "Grupo Company 1",
+                "is_group": True,
                "is_company": True,
                "email": "grupo1@test.com",
                "company_id": self.company1.id,
@ -71,12 +72,56 @@ class TestGroupOrderRecordRules(TransactionCase):
        self.group2 = self.env["res.partner"].create(
            {
                "name": "Grupo Company 2",
+                "is_group": True,
                "is_company": True,
                "email": "grupo2@test.com",
                "company_id": self.company2.id,
            }
        )

+        # Crear miembro de grupo + usuario portal de Company 1
+        self.portal_member_c1 = self.env["res.partner"].create(
+            {
+                "name": "Portal Member C1",
+                "email": "portal_c1@test.com",
+                "company_id": self.company1.id,
+                "group_ids": [(6, 0, [self.group1.id])],
+            }
+        )
+
+        self.portal_user_c1 = self.env["res.users"].create(
+            {
+                "name": "Portal User C1",
+                "login": "portal_c1",
+                "password": "pass123",
+                "partner_id": self.portal_member_c1.id,
+                "company_id": self.company1.id,
+                "company_ids": [(6, 0, [self.company1.id])],
+                "groups_id": [(6, 0, [self.env.ref("base.group_portal").id])],
+            }
+        )
+
+        # Usuario portal de Company 1 sin grupo de consumo asignado
+        self.portal_member_no_group = self.env["res.partner"].create(
+            {
+                "name": "Portal Member No Group",
+                "email": "portal_no_group@test.com",
+                "company_id": self.company1.id,
+            }
+        )
+
+        self.portal_user_no_group = self.env["res.users"].create(
+            {
+                "name": "Portal User No Group",
+                "login": "portal_no_group",
+                "password": "pass123",
+                "partner_id": self.portal_member_no_group.id,
+                "company_id": self.company1.id,
+                "company_ids": [(6, 0, [self.company1.id])],
+                "groups_id": [(6, 0, [self.env.ref("base.group_portal").id])],
+            }
+        )
+
        # Crear órdenes en cada compañía
        self.order1 = self.env["group.order"].create(
            {
@ -168,3 +213,17 @@ class TestGroupOrderRecordRules(TransactionCase):
        order2_admin = self.order2.with_user(self.admin_user)
        self.assertEqual(order2_admin.name, "Pedido Company 2")
        self.assertEqual(order2_admin.company_id, self.company2)
+
+    def test_portal_user_can_read_only_assigned_consumer_group_orders(self):
+        """Portal solo debe ver órdenes de su grupo de consumo dentro de su compañía."""
+        orders = self.env["group.order"].with_user(self.portal_user_c1).search([])
+
+        self.assertIn(self.order1, orders)
+        self.assertNotIn(self.order2, orders)
+        self.assertEqual(len(orders), 1)
+
+    def test_portal_user_without_consumer_group_cannot_read_orders(self):
+        """Portal sin grupo de consumo asignado no debe ver ninguna group.order."""
+        orders = self.env["group.order"].with_user(self.portal_user_no_group).search([])
+
+        self.assertEqual(len(orders), 0)