public/access_apps/tests/test_access.py

# Copyright 2024 DOB
# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl).

from odoo.exceptions import AccessError
from odoo.tests import new_test_user
from odoo.tests.common import TransactionCase


class TestAccessApps(TransactionCase):
    """Tests for access_apps: access control to the Apps section.

    Validates: Requirement 6.1
    """

    @classmethod
    def setUpClass(cls):
        super().setUpClass()
        cls.env = cls.env(
            context=dict(cls.env.context, tracking_disable=True, no_reset_password=True)
        )
        # Regular user without admin rights and without group_allow_apps
        cls.regular_user = new_test_user(
            cls.env,
            name="Regular User",
            login="test_regular_user_access_apps",
            groups="base.group_user",
        )

    def test_non_admin_cannot_read_ir_module_module(self):
        """WHEN a user without admin rights tries to access the Apps section,
        access_apps SHALL deny access.

        Validates: Requirement 6.1
        """
        # The module deactivates base.access_ir_module_module_group_user,
        # so only users in group_allow_apps can read ir.module.module.
        # A regular user (not in group_allow_apps) should get AccessError.
        with self.assertRaises(AccessError):
            self.env["ir.module.module"].with_user(self.regular_user).search([])

    def test_admin_can_read_ir_module_module(self):
        """WHEN the admin user (in group_allow_apps) accesses the Apps section,
        access_apps SHALL allow access.

        Validates: Requirement 6.1 (positive case)
        """
        # Admin is in group_allow_apps by default (see security XML)
        admin_user = self.env.ref("base.user_admin")
        modules = self.env["ir.module.module"].with_user(admin_user).search([], limit=1)
        # Should not raise; result may be empty or non-empty
        self.assertIsNotNone(modules)

    def test_non_admin_not_in_group_allow_apps(self):
        """WHEN a regular user is not in group_allow_apps,
        they SHALL NOT have access to ir.module.module.

        Validates: Requirement 6.1
        """
        group_allow_apps = self.env.ref("access_apps.group_allow_apps")
        self.assertNotIn(
            self.regular_user,
            group_allow_apps.users,
            "Regular user should not be in group_allow_apps",
        )