[ADD] group_user_management: Module creation

group_user_management/README.rst

@@ -0,0 +1,120 @@
+=====================
+User management Group
+=====================
+
+.. 
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! source digest: sha256:e31aad4f0cb22a489d70478ebdebae4e94acfb5af11813f659b869be1a32f7ab
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Beta
+.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
+    :alt: License: AGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--backend-lightgray.png?logo=github
+    :target: https://github.com/OCA/server-backend/tree/16.0/group_user_management
+    :alt: OCA/server-backend
+.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
+    :target: https://translation.odoo-community.org/projects/server-backend-16-0/server-backend-16-0-group_user_management
+    :alt: Translate me on Weblate
+.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
+    :target: https://runboat.odoo-community.org/builds?repo=OCA/server-backend&target_branch=16.0
+    :alt: Try me on Runboat
+
+|badge1| |badge2| |badge3| |badge4| |badge5|
+
+This module adds a group (a res_groups for granting access rights) "User
+Management" which allows to read / create / update / delete users from
+your companies :
+
+-  including access rights management
+-  excluding Administration group access rights management
+
+The purpose of this new group is to grant user authorization to manage
+users but without allowing configuration of other stuff of the instance
+(as default Administration > Access Rights can do)
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Use Cases / Context
+===================
+
+The purpose of this module is to add a new group for user management to
+grant user authorization to manage users but without allowing
+configuration of other stuff of the instance (as default Administration
+> Access Rights can do)
+
+In other terms, if you want to get a user administrator on your instance
+that will :
+
+-  Create new users
+-  Update user rights
+-  Update passwords or generate renew password links
+-  Archive or remove users
+
+But is not authorized to :
+
+-  Grant himself (or anyone else) Administration / Access Rights or
+   Administration / Settings role
+-  Update advanced configuration of the instance
+-  Update access rights / ir rules
+-  Create or Update existing groups
+
+Usage
+=====
+
+To user this module, you need to:
+
+1. Activate debug mode
+2. Go to Settings > Users & Companies > Users
+3. Open the form view of the User to whom you want to grant User
+   Management access
+4. Tick User Management (in Extra Rights Section)
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-backend/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+`feedback <https://github.com/OCA/server-backend/issues/new?body=module:%20group_user_management%0Aversion:%2016.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Authors
+-------
+
+* Le Filament
+
+Contributors
+------------
+
+-  Rémi - Le Filament (https://le-filament.com)
+
+Maintainers
+-----------
+
+This module is maintained by the OCA.
+
+.. image:: https://odoo-community.org/logo.png
+   :alt: Odoo Community Association
+   :target: https://odoo-community.org
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+This module is part of the `OCA/server-backend <https://github.com/OCA/server-backend/tree/16.0/group_user_management>`_ project on GitHub.
+
+You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.

group_user_management/__init__.py

@@ -0,0 +1 @@
+from . import models

group_user_management/__manifest__.py

@@ -0,0 +1,16 @@
+{
+    "name": "User management Group",
+    "version": "16.0.1.0.0",
+    "category": "Tools",
+    "author": "Le Filament, Odoo Community Association (OCA)",
+    "license": "AGPL-3",
+    "development_status": "Beta",
+    "website": "https://github.com/OCA/server-backend",
+    "depends": ["base", "auth_signup"],
+    "data": [
+        "security/res_groups.xml",
+        "security/ir_ui_menu.xml",
+        "security/ir.model.access.csv",
+    ],
+    "installable": True,
+}

group_user_management/i18n/fr.po

@@ -0,0 +1,54 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+# 	* group_user_management
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 16.0\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2024-06-11 08:28+0000\n"
+"PO-Revision-Date: 2024-06-11 08:28+0000\n"
+"Last-Translator: \n"
+"Language-Team: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: \n"
+
+#. module: group_user_management
+#: model:ir.model,name:group_user_management.model_res_groups
+msgid "Access Groups"
+msgstr "Groupes"
+
+#. module: group_user_management
+#: model:ir.model,name:group_user_management.model_res_partner
+msgid "Contact"
+msgstr "Contact"
+
+#. module: group_user_management
+#: model:ir.model.fields,field_description:group_user_management.field_res_partner__signup_expiration
+#: model:ir.model.fields,field_description:group_user_management.field_res_users__signup_expiration
+msgid "Signup Expiration"
+msgstr "Expiration de la session de connexion"
+
+#. module: group_user_management
+#: model:ir.model.fields,field_description:group_user_management.field_res_partner__signup_token
+#: model:ir.model.fields,field_description:group_user_management.field_res_users__signup_token
+msgid "Signup Token"
+msgstr "Jeton de connexion"
+
+#. module: group_user_management
+#: model:ir.model.fields,field_description:group_user_management.field_res_partner__signup_type
+#: model:ir.model.fields,field_description:group_user_management.field_res_users__signup_type
+msgid "Signup Token Type"
+msgstr "Type de jeton de connexion"
+
+#. module: group_user_management
+#: model:res.groups,comment:group_user_management.group_user_manager
+msgid "This group allows to manage users and related access rights"
+msgstr "Ce groupe permet de gérer les utilisateurs et leurs droits d'accès"
+
+#. module: group_user_management
+#: model:res.groups,name:group_user_management.group_user_manager
+msgid "User Management"
+msgstr "Gestion des Utilisateurs"

group_user_management/i18n/user_management_role.pot

@@ -0,0 +1,54 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+# 	* group_user_management
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 16.0\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2024-06-11 08:28+0000\n"
+"PO-Revision-Date: 2024-06-11 08:28+0000\n"
+"Last-Translator: \n"
+"Language-Team: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: \n"
+
+#. module: group_user_management
+#: model:ir.model,name:group_user_management.model_res_groups
+msgid "Access Groups"
+msgstr ""
+
+#. module: group_user_management
+#: model:ir.model,name:group_user_management.model_res_partner
+msgid "Contact"
+msgstr ""
+
+#. module: group_user_management
+#: model:ir.model.fields,field_description:group_user_management.field_res_partner__signup_expiration
+#: model:ir.model.fields,field_description:group_user_management.field_res_users__signup_expiration
+msgid "Signup Expiration"
+msgstr ""
+
+#. module: group_user_management
+#: model:ir.model.fields,field_description:group_user_management.field_res_partner__signup_token
+#: model:ir.model.fields,field_description:group_user_management.field_res_users__signup_token
+msgid "Signup Token"
+msgstr ""
+
+#. module: group_user_management
+#: model:ir.model.fields,field_description:group_user_management.field_res_partner__signup_type
+#: model:ir.model.fields,field_description:group_user_management.field_res_users__signup_type
+msgid "Signup Token Type"
+msgstr ""
+
+#. module: group_user_management
+#: model:res.groups,comment:group_user_management.group_user_manager
+msgid "This group allows to manage users and related access rights"
+msgstr ""
+
+#. module: group_user_management
+#: model:res.groups,name:group_user_management.group_user_manager
+msgid "User Management"
+msgstr ""

group_user_management/models/__init__.py

@@ -0,0 +1,3 @@
+from . import res_groups
+from . import res_partner
+from . import res_users

group_user_management/models/res_groups.py

@@ -0,0 +1,48 @@
+#  Copyright (c) 2024- Le Filament (https://le-filament.com)
+#  License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
+
+from lxml import etree
+
+from odoo import api, models
+
+from odoo.addons.base.models.res_users import name_selection_groups
+
+
+class ResGroups(models.Model):
+    _inherit = "res.groups"
+
+    @api.model
+    def _update_user_groups_view(self):
+        """
+        Modify the view with xmlid ``base.user_groups_view``, which inherits
+        the user form view, and introduces the reified group fields.
+        """
+        res = super()._update_user_groups_view()
+        view = self.env.ref("base.user_groups_view")
+        arch = etree.fromstring(view.arch)
+
+        modified = False
+
+        # Get xpath to add group_erp_manager to Admin category
+        admin_categories = [
+            category
+            for category in self.get_groups_by_application()
+            if category[0].xml_id
+            == "base.module_category_administration_administration"
+        ]
+        for _app, _kind, gs, _category_name in admin_categories:
+            field_name = name_selection_groups(gs.ids)
+            xpath_expr = "//group[field[@name='%s']]" % field_name
+            for group in arch.xpath(xpath_expr):
+                group.attrib["groups"] = "base.group_erp_manager"
+                modified = True
+
+        # Only rewrite view if changes were made
+        if modified:
+            view_context = dict(view._context, lang=None)
+            view_context.pop("install_filename", None)
+            view.with_context(**view_context).write(
+                {"arch": etree.tostring(arch, pretty_print=True, encoding="unicode")}
+            )
+
+        return res

group_user_management/models/res_partner.py

@@ -0,0 +1,19 @@
+#  Copyright (c) 2024- Le Filament (https://le-filament.com)
+#  License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
+
+from odoo import fields, models
+
+
+class ResPartner(models.Model):
+    _inherit = "res.partner"
+
+    # Add new group_user_manager to the existing signup fields
+    signup_token = fields.Char(
+        groups="base.group_erp_manager, group_user_management.group_user_manager",
+    )
+    signup_type = fields.Char(
+        groups="base.group_erp_manager, group_user_management.group_user_manager",
+    )
+    signup_expiration = fields.Datetime(
+        groups="base.group_erp_manager, group_user_management.group_user_manager",
+    )

group_user_management/models/res_users.py

@@ -0,0 +1,45 @@
+#  Copyright (c) 2024- Le Filament (https://le-filament.com)
+#  License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
+
+from odoo import _, models
+from odoo.exceptions import AccessError
+
+
+class ResUsers(models.Model):
+    _inherit = "res.users"
+
+    def _remove_reified_groups(self, values):
+        """
+        Overrides default base module method to raise an AccessError in case user tries
+        to set/unset base.group_system or base.group_erp_manager from another user
+        if current user is not at least in base.group_erp_manager
+        """
+        res = super()._remove_reified_groups(values)
+        if (
+            "groups_id" in res
+            and not self.env.user._is_admin()
+            and not self.env.user._is_system()
+            and not self.env.user._is_superuser()
+        ):
+            admin_group = self.env.ref("base.group_erp_manager")
+            system_group = self.env.ref("base.group_system")
+            groups = res.get("groups_id")
+            if groups and any(
+                group == (3, admin_group.id) or group == (3, system_group.id)
+                for group in groups
+            ):
+                raise AccessError(
+                    _(
+                        "You are not allowed to unset an Administration group on admin user"
+                    )
+                )
+            elif groups and any(
+                group == (4, admin_group.id) or group == (4, system_group.id)
+                for group in groups
+            ):
+                raise AccessError(
+                    _(
+                        "You are not allowed to set an Administration group on non-admin user"
+                    )
+                )
+        return res

group_user_management/readme/CONTEXT.md

@@ -0,0 +1,15 @@
+The purpose of this module is to add a new group for user management to grant user
+authorization to manage users but without allowing configuration of other stuff of the instance
+(as default Administration > Access Rights can do)
+
+In other terms, if you want to get a user administrator on your instance that will :
+  - Create new users
+  - Update user rights
+  - Update passwords or generate renew password links
+  - Archive or remove users
+
+But is not authorized to :
+  - Grant himself (or anyone else) Administration / Access Rights or Administration / Settings role
+  - Update advanced configuration of the instance
+  - Update access rights / ir rules
+  - Create or Update existing groups

group_user_management/readme/CONTRIBUTORS.md

@@ -0,0 +1 @@
+- Rémi - Le Filament <remi-filament> (https://le-filament.com)

group_user_management/readme/DESCRIPTION.md

@@ -0,0 +1,8 @@
+This module adds a group (a res_groups for granting access rights) "User Management"
+which allows to read / create / update / delete users from your companies :
+  * including access rights management
+  * excluding Administration group access rights management
+
+The purpose of this new group is to grant user authorization to manage users but without
+allowing configuration of other stuff of the instance
+(as default Administration > Access Rights can do)