Public release from ruodoo-project: 19.0 - 2026-05-10 21:19:01 UTC

ir_rule_protected/tests/__init__.py

@@ -0,0 +1 @@
+from . import test_ir_rule

ir_rule_protected/tests/test_ir_rule.py

@@ -0,0 +1,81 @@
+# Copyright 2024 DOB
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl).
+
+from odoo import SUPERUSER_ID
+from odoo.exceptions import UserError
+from odoo.tests import new_test_user
+from odoo.tests.common import TransactionCase
+
+
+class TestIrRuleProtected(TransactionCase):
+    """Tests for ir_rule_protected: non-superuser cannot modify protected ir.rule.
+
+    Validates: Requirement 6.2
+    """
+
+    @classmethod
+    def setUpClass(cls):
+        super().setUpClass()
+        cls.env = cls.env(
+            context=dict(cls.env.context, tracking_disable=True, no_reset_password=True)
+        )
+        # Create a regular admin user (not superuser)
+        cls.regular_user = new_test_user(
+            cls.env,
+            name="Regular Admin",
+            login="test_regular_admin_ir_rule",
+            groups="base.group_user,base.group_system",
+        )
+        # Create a protected ir.rule
+        cls.protected_rule = cls.env["ir.rule"].with_user(SUPERUSER_ID).create({
+            "name": "Test Protected Rule",
+            "model_id": cls.env.ref("base.model_res_partner").id,
+            "protected": True,
+        })
+
+    def test_non_superuser_cannot_write_protected_rule(self):
+        """WHEN a user without is_superuser tries to modify a protected ir.rule,
+        ir_rule_protected SHALL deny the modification with UserError.
+
+        Validates: Requirement 6.2
+        """
+        with self.assertRaises(UserError):
+            self.protected_rule.with_user(self.regular_user).write(
+                {"name": "Attempted Rename"}
+            )
+
+    def test_non_superuser_cannot_unlink_protected_rule(self):
+        """WHEN a user without is_superuser tries to delete a protected ir.rule,
+        ir_rule_protected SHALL deny the deletion with UserError.
+
+        Validates: Requirement 6.2
+        """
+        with self.assertRaises(UserError):
+            self.protected_rule.with_user(self.regular_user).unlink()
+
+    def test_superuser_can_write_protected_rule(self):
+        """WHEN the superuser modifies a protected ir.rule,
+        ir_rule_protected SHALL allow the modification.
+
+        Validates: Requirement 6.2 (positive case)
+        """
+        original_name = self.protected_rule.name
+        self.protected_rule.with_user(SUPERUSER_ID).write({"name": "Superuser Rename"})
+        self.assertEqual(self.protected_rule.name, "Superuser Rename")
+        # Restore original name
+        self.protected_rule.with_user(SUPERUSER_ID).write({"name": original_name})
+
+    def test_non_superuser_can_write_unprotected_rule(self):
+        """WHEN a user without is_superuser modifies an unprotected ir.rule,
+        ir_rule_protected SHALL allow the modification.
+
+        Validates: Requirement 6.2 (negative case — unprotected rule)
+        """
+        unprotected_rule = self.env["ir.rule"].with_user(SUPERUSER_ID).create({
+            "name": "Unprotected Rule",
+            "model_id": self.env.ref("base.model_res_partner").id,
+            "protected": False,
+        })
+        # Should not raise
+        unprotected_rule.with_user(self.regular_user).write({"name": "Renamed OK"})
+        self.assertEqual(unprotected_rule.name, "Renamed OK")