cms_security

Author: Simone Orsi, Odoo Community Association (OCA)
License: LGPL-3
Branch: 11-add-cms_security
Repository: simahawk/website-cms
Dependencies: http_routing and website
Languages: Python (616, 90.7%) and reStructuredText (63, 9.3%)

<a class="reference external image-reference" href="http://www.gnu.org/licenses/LGPL-3.0-standalone.html"><img alt="License: LGPL-3" src="https://img.shields.io/badge/licence-lgpl--3-blue.svg"> </a>
<a name="cms-security"></a>
<h2>CMS security</h2>
<p>Implements basic security features on your model.</p>
<a name="features"></a>
<h3>Features</h3>
<p>It provides a <code>cms.security.mixin</code> that gives your models the following security behavior:</p>
<ul class="simple">
<li>only the owner can edit or delete</li>
<li>only the owner can view if not published</li>
<li>only published items are visible to other users or anonymous users</li>
</ul>
<p>Additionally:</p>
<ul class="simple">
<li>you can grant view/edit permissions by using <code>read_group_ids</code> and <code>write_group_ids</code></li>
</ul>
<a name="advanced-controller-security"></a>
<h4>Advanced controller security</h4>
<p>By default Odoo raises a <code>503 Forbidden</code> access error only if you access a field of the record.</p>
<p><cite>503</cite> is not the perfect status in this case because it tells you that a record with that id in the route exists.</p>
<p>A record that is not published should NOT be found in any case.</p>
<p>This module overrides the standard model converter to raise <code>404 NotFound</code> if the current user cannot see the item <strong>before</strong> template rendering.</p>
<a name="developer-control"></a>
<h4>Developer control</h4>
<p>All of the above features are automatically activated by setting the flag <code>_cms_auto_security_policy = True</code>.
By default it is <cite>False</cite>, as you might want to implement your own security policy.</p>
<p>The rules are created only if this flag is turned on, and the advanced controller will check for permissions only if the model inherits from <code>CMSSecurityMixin</code>.</p>
<a name="usage"></a>
<h3>Usage</h3>
<p>To secure your model, all you have to do is this:</p>
<pre><code lang="python">from odoo import models


class SecuredModel(models.Model):
    _name = 'my.secure.model'
    _inherit = [
        'website.published.mixin',
        'cms.security.mixin',
    ]
    # generate security automatically
    _cms_auto_security_policy = True</code></pre>
<a name="add-your-tests-easily"></a>
<h4>Add your tests easily</h4>
<p>All the above features are 100% covered with tests. Furthermore, to make it easier to add security tests for your models, you can inherit from the base test cases defined in this module.</p>
<p>To test your ACL + RR:</p>
<pre><code lang="python">import odoo.tests.common as test_common
from odoo.cms_security.test.base import BasePermissionTestCase


class TestSecurity(BasePermissionTestCase, test_common.SavepointCase):
    &quot;&quot;&quot;All tests come from `BasePermissionTestCase`.&quot;&quot;&quot;

    at_install = False
    post_install = True

    &#64;property
    def model(self):
        return self.env['my.secure.model']</code></pre>
<p>To test that your controllers work as you expect:</p>
<pre><code lang="python">import odoo.tests.common as test_common
from odoo.cms_security.test.base import BaseSecureConverterTestCase


class SecureConverterTestCase(BaseSecureConverterTestCase, test_common.SavepointCase):
    &quot;&quot;&quot;All tests come from `BaseSecureConverterTestCase`.&quot;&quot;&quot;

    at_install = False
    post_install = True

    &#64;property
    def model(self):
        return self.env['my.secure.model']</code></pre>
<a name="batteries-not-included"></a>
<h4>Batteries not included</h4>
<p>This module is a base module to ease implementation of your own models' security.
It <strong>does not</strong> provide any new model or view (neither backend nor frontend).</p>
<a name="bug-tracker"></a>
<h3>Bug Tracker</h3>
<p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/website-cms/issues">GitHub Issues</a>. In case of trouble, please check there if your issue has already been reported. If you spotted it first, help us smash it by providing detailed and welcomed feedback.</p>
<a name="credits"></a>
<h3>Credits</h3>
<a name="contributors"></a>
<h4>Contributors</h4>
<ul class="simple">
<li>Simone Orsi &lt;<a class="reference external" href="mailto:simone.orsi&#64;camptocamp.com">simone.orsi&#64;camptocamp.com</a>&gt;</li>
</ul>
<p>Do not contact contributors directly about support or help with technical issues.</p>
<a name="maintainer"></a>
<h4>Maintainer</h4>
<a class="reference external image-reference" href="https://odoo-community.org"><img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" /></a>
<p>This module is maintained by the OCA.</p>
<p>OCA, or the Odoo Community Association, is a nonprofit organization whose mission is to support the collaborative development of Odoo features and promote its widespread use.</p>
<p>To contribute to this module, please visit <a class="reference external" href="https://odoo-community.org">https://odoo-community.org</a>.</p>
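<p>The view/edit policy and the "not found instead of forbidden" lookup described under Features and Advanced controller security, as an added plain-Python illustration that is not code from cms_security or Odoo. Every name in it (<code>Record</code>, <code>User</code>, <code>naive_resolve</code>, <code>secure_resolve</code>, <code>outcome</code>) is hypothetical and the sample store is constructed; the naive variant raises its Forbidden error at lookup time for brevity.</p>

```python
# Added illustration in plain Python; hypothetical names, not cms_security or Odoo code.
from dataclasses import dataclass, field

class NotFound(Exception): pass    # stand-in for the 404 NotFound response
class Forbidden(Exception): pass   # stand-in for the Forbidden access error

@dataclass
class Record:
    id: int
    owner: str
    published: bool = False
    read_groups: set = field(default_factory=set)
    write_groups: set = field(default_factory=set)

@dataclass
class User:
    name: str = "anonymous"
    groups: frozenset = frozenset()

def can_view(user, rec):  # published, or owner, or member of a read group
    return rec.published or rec.owner == user.name or bool(user.groups & rec.read_groups)

def can_edit(user, rec):  # owner, or member of a write group
    return rec.owner == user.name or bool(user.groups & rec.write_groups)

def naive_resolve(store, user, rec_id):
    rec = store.get(rec_id)
    if rec is None:
        raise NotFound(rec_id)
    if not can_view(user, rec):
        raise Forbidden(rec_id)  # a distinct answer reveals that rec_id exists
    return rec

def secure_resolve(store, user, rec_id):
    rec = store.get(rec_id)
    if rec is None or not can_view(user, rec):
        raise NotFound(rec_id)   # hidden and missing ids look identical
    return rec

def outcome(resolve, store, user, rec_id):
    try:
        resolve(store, user, rec_id)
        return "ok"
    except (NotFound, Forbidden) as exc:
        return type(exc).__name__

# Constructed sample data: 1 is published, 2 is a draft, 3 is shared with a group.
STORE = {1: Record(1, "alice", True), 2: Record(2, "alice"),
         3: Record(3, "alice", read_groups={"reviewers"})}
```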