Skip to content

Commit

Permalink
[IMP] impersonate_login: Restrict Admin settings impersonation
Browse files Browse the repository at this point in the history
  • Loading branch information
toita86 committed Nov 15, 2024
1 parent cf67a5b commit 6739552
Show file tree
Hide file tree
Showing 9 changed files with 84 additions and 3 deletions.
7 changes: 6 additions & 1 deletion impersonate_login/README.rst
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,10 @@ following measures are in place:
- Mails and messages are sent from the original user.
- Impersonated logins are logged and can be consulted through the
Settings -> Technical menu.
-
- To prevent users with "Administration: Settings" rights from being impersonated,
enable the restrict_impersonate_admin_settings field in the settings.
This will restrict the ability to impersonate users with administrative
access to the settings.

There is an alternative module to allow logins as another user
(auth_admin_passkey), but it does not support these security mechanisms.
Expand Down Expand Up @@ -81,6 +84,8 @@ Contributors
- Kévin Roche <kevin.roche@akretion.com>
- [360ERP](https://www.360erp.com):
- Andrea Stirpe
- `Ooops404 <https://www.ooops404.com/>`_:
- Eduard Brahas <eduard@ooops404.com>

Maintainers
~~~~~~~~~~~
Expand Down
1 change: 1 addition & 0 deletions impersonate_login/__manifest__.py
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
"views/assets.xml",
"views/res_users.xml",
"views/impersonate_log.xml",
"views/res_config_settings.xml",
"security/group.xml",
"security/ir.model.access.csv",
],
Expand Down
1 change: 1 addition & 0 deletions impersonate_login/models/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -4,3 +4,4 @@
from . import mail_message
from . import impersonate_log
from . import model
from . import res_config_settings
12 changes: 12 additions & 0 deletions impersonate_login/models/res_config_settings.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
from odoo import fields, models


class ResConfigSettings(models.TransientModel):
_inherit = "res.config.settings"

restrict_impersonate_admin_settings = fields.Boolean(
string="Restrict Impersonation of 'Administration: Settings' Users",
config_parameter="impersonate_login.restrict_impersonate_admin_settings",
help="If enabled, users with the 'Administration: Settings' access right"
" cannot be impersonated.",
)
16 changes: 16 additions & 0 deletions impersonate_login/models/res_users.py
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,22 @@ def _is_impersonate_user(self):

def impersonate_login(self):
if request:

config_restrict = (
self.env["ir.config_parameter"]
.sudo()
.get_param("impersonate_login.restrict_impersonate_admin_settings")
)
if config_restrict:
admin_settings_group = self.env.ref("base.group_system")

Check warning on line 34 in impersonate_login/models/res_users.py

View check run for this annotation

Codecov / codecov/patch

impersonate_login/models/res_users.py#L34

Added line #L34 was not covered by tests
if admin_settings_group in self.groups_id:
raise UserError(

Check warning on line 36 in impersonate_login/models/res_users.py

View check run for this annotation

Codecov / codecov/patch

impersonate_login/models/res_users.py#L36

Added line #L36 was not covered by tests
_(
"You cannot impersonate users with"
" 'Administration: Settings' access rights."
)
)

if request.session.impersonate_from_uid:
if self.id == request.session.impersonate_from_uid:
return self.back_to_origin_login()
Expand Down
2 changes: 2 additions & 0 deletions impersonate_login/readme/CONTRIBUTORS.rst
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
- Kévin Roche <kevin.roche@akretion.com>
- [360ERP](https://www.360erp.com):
- Andrea Stirpe
- `Ooops404 <https://www.ooops404.com/>`_:
- Eduard Brahas <eduard@ooops404.com>
5 changes: 4 additions & 1 deletion impersonate_login/readme/DESCRIPTION.rst
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,10 @@ following measures are in place:
- Mails and messages are sent from the original user.
- Impersonated logins are logged and can be consulted through the
Settings -> Technical menu.
-
- To prevent users with "Administration: Settings" rights from being impersonated,
enable the restrict_impersonate_admin_settings field in the settings.
This will restrict the ability to impersonate users with administrative
access to the settings.

There is an alternative module to allow logins as another user
(auth_admin_passkey), but it does not support these security mechanisms.
10 changes: 9 additions & 1 deletion impersonate_login/static/description/index.html
Original file line number Diff line number Diff line change
Expand Up @@ -381,7 +381,13 @@ <h1 class="title">Impersonate Login</h1>
<li>Mails and messages are sent from the original user.</li>
<li>Impersonated logins are logged and can be consulted through the
Settings -&gt; Technical menu.</li>
<li></li>
<li><dl class="first docutils">
<dt>To prevent users with “Administration: Settings” rights from being impersonated,</dt>
<dd>enable the restrict_impersonate_admin_settings field in the settings.
This will restrict the ability to impersonate users with administrative
access to the settings.</dd>
</dl>
</li>
</ul>
<p>There is an alternative module to allow logins as another user
(auth_admin_passkey), but it does not support these security mechanisms.</p>
Expand Down Expand Up @@ -426,6 +432,8 @@ <h2><a class="toc-backref" href="#toc-entry-5">Contributors</a></h2>
<li>Kévin Roche &lt;<a class="reference external" href="mailto:kevin.roche&#64;akretion.com">kevin.roche&#64;akretion.com</a>&gt;</li>
<li>[360ERP](<a class="reference external" href="https://www.360erp.com">https://www.360erp.com</a>):
- Andrea Stirpe</li>
<li><a class="reference external" href="https://www.ooops404.com/">Ooops404</a>:
- Eduard Brahas &lt;<a class="reference external" href="mailto:eduard&#64;ooops404.com">eduard&#64;ooops404.com</a>&gt;</li>
</ul>
</div>
<div class="section" id="maintainers">
Expand Down
33 changes: 33 additions & 0 deletions impersonate_login/views/res_config_settings.xml
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
<odoo>
<record id="view_res_config_settings_impersonate" model="ir.ui.view">
<field name="name">res.config.settings.impersonate</field>
<field name="model">res.config.settings</field>
<field name="inherit_id" ref="base_setup.res_config_settings_view_form" />
<field name="arch" type="xml">
<xpath expr="//div[@id='invite_users']" position="after">
<div id="impersonate_login">
<h2>Impersonation Login</h2>
<div
class="row mt16 o_settings_container"
name="impersonate_login_settings_container"
>
<div
class="col-12 col-lg-6 o_setting_box"
id="impersonate_login_settings"
>
<div class="o_setting_right_pane">
<label for="restrict_impersonate_admin_settings">
Restrict Impersonation Login
</label>
<field
name="restrict_impersonate_admin_settings"
string="Restrict Impersonation of 'Administration: Settings' Users"
/>
</div>
</div>
</div>
</div>
</xpath>
</field>
</record>
</odoo>

0 comments on commit 6739552

Please sign in to comment.