<a class="reference external image-reference" href="http://www.gnu.org/licenses/LGPL-3.0-standalone.html"><img alt="License: LGPL-3" src="https://img.shields.io/badge/licence-lgpl--3-blue.svg">
</a>
<a name="cms-security"></a>
<h2>CMS security</h2>
<p>Implements basic security features on your model.</p>
<a name="features"></a>
<h3>Features</h3>
<p>It provides a <code>cms.security.mixin</code>
that gives your models the following security behavior:</p>
<ul class="simple">
<li>only the owner can edit or delete</li>
<li>only the owner can view an item that is not published</li>
<li>only published items are visible to other users or anonymous users</li>
</ul>
<p>Additionally:</p>
<ul class="simple">
<li>you can grant view/edit permissions by using <code>read_group_ids</code> and <code>write_group_ids</code></li>
</ul>
<a name="advanced-controller-security"></a>
<h4>Advanced controller security</h4>
<p>By default Odoo raises a <code>403 Forbidden</code> access error
only when you access a field of the record.</p>
<p><cite>403</cite> is not the right status in this case
because it tells you that a record with that id in the route exists.</p>
<p>A record that is not published should not be found in any case.</p>
<p>This module overrides the standard model converter to raise <code>404 NotFound</code>
if the current user cannot see the item <strong>before</strong> template rendering.</p>
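<p>The difference between the two behaviors, as an added example in plain Python (it is not this module's code and does not use Odoo; <code>User</code>, <code>Item</code>, the status functions and the sample data are hypothetical, and view access through a read group is modeled as a simple set intersection):</p>

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    uid: Optional[int]                  # None models an anonymous visitor
    groups: frozenset = frozenset()

@dataclass(frozen=True)
class Item:
    owner: int
    published: bool = False
    read_groups: frozenset = frozenset()

def can_view(user, item):
    # Published items are public; otherwise the owner or a read-group member.
    return (item.published or user.uid == item.owner
            or bool(user.groups & item.read_groups))

def status_on_field_access(user, store, item_id):
    """Route resolves any existing id; the access error surfaces later."""
    item = store.get(item_id)
    if item is None:
        return 404
    return 200 if can_view(user, item) else 403

def status_with_secure_converter(user, store, item_id):
    """Permission is checked while resolving the route: hidden == missing."""
    item = store.get(item_id)
    if item is None or not can_view(user, item):
        return 404
    return 200

def leaked_ids(status_fn, user, store, ids):
    """Ids the user cannot view but can tell apart from a missing record."""
    missing = status_fn(user, store, -1)        # -1 is never in the store
    return sorted(i for i in ids
                  if status_fn(user, store, i) not in (200, missing))

# Constructed sample data: one published item, one draft, one group-shared draft.
STORE = {
    1: Item(owner=10, published=True),
    2: Item(owner=10),
    3: Item(owner=10, read_groups=frozenset({"reviewers"})),
}
ANON = User(None)
REVIEWER = User(20, frozenset({"reviewers"}))
```

<p>With the first function an anonymous visitor can tell ids 2 and 3 apart from the unused id 4; with the second, all three look the same.</p>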
<a name="developer-control"></a>
<h4>Developer control</h4>
<p>All of the above features are automatically activated
by setting the flag <code>_cms_auto_security_policy = True</code>.
It is <cite>False</cite> by default, as you might want to implement your own security policy.</p>
<p>The rules are created only if this flag is turned on, and the advanced controller
will check for permissions only if the model inherits from <code>CMSSecurityMixin</code>.</p>
<a name="usage"></a>
<h3>Usage</h3>
<p>To secure your model, all you have to do is this:</p>
<pre>
<code lang="python">from odoo import models


class SecuredModel(models.Model):
    _name = 'my.secure.model'
    _inherit = [
        'website.published.mixin',
        'cms.security.mixin',
    ]
    # generate security automatically
    _cms_auto_security_policy = True</code>
</pre>
<a name="add-your-tests-easily"></a>
<h4>Add your tests easily</h4>
<p>All the above features are 100% covered with tests.
Furthermore, to make it easier to add security tests for your models,
you can inherit from the base test cases defined in this module.</p>
<p>To test your ACLs and record rules:</p>
<pre>
<code lang="python">import odoo.tests.common as test_common
from odoo.cms_security.test.base import BasePermissionTestCase


class TestSecurity(BasePermissionTestCase, test_common.SavepointCase):
    """All tests come from `BasePermissionTestCase`."""

    at_install = False
    post_install = True

    @property
    def model(self):
        return self.env['my.secure.model']</code>
</pre>
<p>To test that your controllers work as you expect:</p>
<pre>
<code lang="python">import odoo.tests.common as test_common
from odoo.cms_security.test.base import BaseSecureConverterTestCase


class SecureConverterTestCase(BaseSecureConverterTestCase,
                              test_common.SavepointCase):
    """All tests come from `BaseSecureConverterTestCase`."""

    at_install = False
    post_install = True

    @property
    def model(self):
        return self.env['my.secure.model']</code>
</pre>
<a name="batteries-not-included"></a>
<h4>Batteries not included</h4>
<p>This module is a base module
that eases the implementation of your own models' security.
It <strong>does not</strong> provide any new model or view (neither backend nor frontend).</p>
<a name="bug-tracker"></a>
<h3>Bug Tracker</h3>
<p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/website-cms/issues">GitHub Issues</a>. In case of trouble, please
check there if your issue has already been reported. If you spotted it first,
help us smash it by providing detailed and welcomed feedback.</p>
<a name="credits"></a>
<h3>Credits</h3>
<a name="contributors"></a>
<h4>Contributors</h4>
<ul class="simple">
<li>Simone Orsi &lt;<a class="reference external" href="mailto:simone.orsi@camptocamp.com">simone.orsi@camptocamp.com</a>&gt;</li>
</ul>
<p>Do not contact contributors directly about support or help with technical issues.</p>
<a name="maintainer"></a>
<h4>Maintainer</h4>
<a class="reference external image-reference" href="https://odoo-community.org"><img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" /></a>
<p>This module is maintained by the OCA.</p>
<p>OCA, or the Odoo Community Association, is a nonprofit organization whose
mission is to support the collaborative development of Odoo features and
promote its widespread use.</p>
<p>To contribute to this module, please visit <a class="reference external" href="https://odoo-community.org">https://odoo-community.org</a>.</p>