| 1 | +# Part of OpenSPP. See LICENSE file for full copyright and licensing details. |
| 2 | +"""Security: hazard models must not be readable by every internal user. |
| 3 | +
|
| 4 | +Regression test for "Broad internal read access exposes hazard impact records": |
| 5 | +the ACL granted ``base.group_user`` read on the hazard models, so any internal |
| 6 | +user could read hazard data (including registrant-linked impact records) via RPC, |
| 7 | +even without a hazard role. Access must require a dedicated hazard group (or |
| 8 | +``registry_viewer``/admin), not merely being an internal user. |
| 9 | +""" |
| 10 | + |
| 11 | +from odoo import Command |
| 12 | +from odoo.exceptions import AccessError |
| 13 | +from odoo.tests import tagged |
| 14 | + |
| 15 | +from .common import HazardTestCase |
| 16 | + |
| 17 | +# The registrant-linked impact model is sensitive and must NOT be readable by |
| 18 | +# every internal user. The other hazard models are non-PII reference/operational |
| 19 | +# data that sibling modules (e.g. spp_drims) legitimately read broadly. |
| 20 | +SENSITIVE_MODEL = "spp.hazard.impact" |
| 21 | +NON_SENSITIVE_MODELS = [ |
| 22 | + "spp.hazard.category", |
| 23 | + "spp.hazard.incident", |
| 24 | + "spp.hazard.incident.area", |
| 25 | + "spp.hazard.impact.type", |
| 26 | +] |
| 27 | +ALL_HAZARD_MODELS = [SENSITIVE_MODEL, *NON_SENSITIVE_MODELS] |
| 28 | + |
| 29 | + |
| 30 | +@tagged("post_install", "-at_install") |
| 31 | +class TestHazardBaseUserNoAccess(HazardTestCase): |
| 32 | + @classmethod |
| 33 | + def setUpClass(cls): |
| 34 | + super().setUpClass() |
| 35 | + cls.plain_user = cls.env["res.users"].create( |
| 36 | + { |
| 37 | + "name": "Plain Internal User", |
| 38 | + "login": "plain_internal_hazard_test", |
| 39 | + "group_ids": [Command.link(cls.env.ref("base.group_user").id)], |
| 40 | + } |
| 41 | + ) |
| 42 | + |
| 43 | + def test_plain_internal_user_cannot_read_impact(self): |
| 44 | + """base.group_user (any internal user) must NOT read the sensitive impact model.""" |
| 45 | + with self.assertRaises(AccessError): |
| 46 | + self.env[SENSITIVE_MODEL].with_user(self.plain_user).check_access("read") |
| 47 | + |
| 48 | + def test_plain_internal_user_can_read_non_sensitive_models(self): |
| 49 | + """Non-PII hazard reference/operational models remain internally readable |
| 50 | + (sibling modules such as spp_drims depend on reading incidents).""" |
| 51 | + for model in NON_SENSITIVE_MODELS: |
| 52 | + # Raises AccessError only if broad read was wrongly removed here. |
| 53 | + self.env[model].with_user(self.plain_user).check_access("read") |
| 54 | + |
| 55 | + def test_hazard_viewer_retains_read(self): |
| 56 | + """A hazard-group user must keep read access to all hazard models.""" |
| 57 | + for model in ALL_HAZARD_MODELS: |
| 58 | + self.env[model].with_user(self.hazard_viewer).check_access("read") |
| 59 | + |
| 60 | + def test_registry_user_can_still_read_registrant_hazard_fields(self): |
| 61 | + """Regression: the registrant form's hazard indicator fields read |
| 62 | + spp.hazard.impact in their compute. A registry user (Officer implies |
| 63 | + Registry Viewer, which retains hazard read) must still be able to load |
| 64 | + them after the ACL tightening — i.e. the fix must not break the form.""" |
| 65 | + officer = self.env["res.users"].create( |
| 66 | + { |
| 67 | + "name": "Registry Officer (no hazard group)", |
| 68 | + "login": "registry_officer_hazard_test", |
| 69 | + "group_ids": [Command.link(self.env.ref("spp_registry.group_registry_officer").id)], |
| 70 | + } |
| 71 | + ) |
| 72 | + # Sanity: this user is NOT in any hazard group. |
| 73 | + self.assertFalse(officer.has_group("spp_hazard.group_hazard_read")) |
| 74 | + |
| 75 | + incident = self.env["spp.hazard.incident"].create( |
| 76 | + { |
| 77 | + "name": "Registry Officer Incident", |
| 78 | + "code": "ROI-HAZ-001", |
| 79 | + "category_id": self.category_typhoon.id, |
| 80 | + "start_date": "2024-01-01", |
| 81 | + } |
| 82 | + ) |
| 83 | + self.env["spp.hazard.impact"].create( |
| 84 | + { |
| 85 | + "incident_id": incident.id, |
| 86 | + "registrant_id": self.registrant.id, |
| 87 | + "impact_type_id": self.impact_type_displacement.id, |
| 88 | + "damage_level": "moderate", |
| 89 | + "impact_date": "2024-01-02", |
| 90 | + } |
| 91 | + ) |
| 92 | + registrant_as_officer = self.registrant.with_user(officer) |
| 93 | + # Force a live read through the impact O2M (not just the stored count), |
| 94 | + # which must not raise AccessError for a registry user. |
| 95 | + self.assertEqual(registrant_as_officer.hazard_impact_ids.mapped("damage_level"), ["moderate"]) |
| 96 | + |
| 97 | + def test_incident_form_hides_impacts_from_non_hazard_user(self): |
| 98 | + """The incident form's Impacts O2M reads spp.hazard.impact; it must be |
| 99 | + stripped from the arch for a user without impact read (e.g. a DRIMS-only |
| 100 | + user), so opening an incident does not raise AccessError.""" |
| 101 | + arch = self.env["spp.hazard.incident"].with_user(self.plain_user).get_view(view_type="form")["arch"] |
| 102 | + self.assertNotIn("impact_ids", arch) |
| 103 | + |
| 104 | + def test_incident_form_shows_impacts_to_hazard_user(self): |
| 105 | + """A hazard user still gets the Impacts O2M on the incident form.""" |
| 106 | + arch = self.env["spp.hazard.incident"].with_user(self.hazard_viewer).get_view(view_type="form")["arch"] |
| 107 | + self.assertIn("impact_ids", arch) |
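Review bot: `test_plain_internal_user_cannot_read_impact` (file line 43) pins only the `read` operation on `spp.hazard.impact`, so an ACL regression that grants `base.group_user` write, create or unlink on the same model would pass this suite even though the module docstring frames the model as off-limits to plain internal users. If the intended contract is that a plain internal user has no access to the impact model at all, iterating the operations makes the test cover the whole ACL row: `for op in ("read", "write", "create", "unlink"):` / `with self.subTest(op=op), self.assertRaises(AccessError):` / `self.env[SENSITIVE_MODEL].with_user(self.plain_user).check_access(op)`. The loops in `test_plain_internal_user_can_read_non_sensitive_models` and `test_hazard_viewer_retains_read` would likewise benefit from `with self.subTest(model=model):`, so a single failing model does not hide the state of the others.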