上QQ阅读APP看书，第一时间看更新

Adding security groups

Before features can be used by regular users, access must be granted for them. In Odoo, this is done using security groups—access privileges are granted to groups, and users are assigned security groups.

Odoo apps typically provide two groups, a user level, for use by regular users, and a manager level, with additional access to app configuration.

So, we will add these two security groups now. Access-security related files are usually kept in a /security module subdirectory, so we should create the security/library_security.xml file for these definitions. Security groups use categories to better organize related app. So, we will start by creating a category for our library app, in the ir.module.category model:

<?xml version="1.0" ?>
<odoo>

  <record id="module_library_category" model="ir.module.category">
    <field name="name">Library</field>
  </record>

</odoo>

Next, we will add the two security groups, starting with the user group. Add the following XML block inside the <odoo> element, just before the </odoo> closing tag:

  <!-- Library User Group -->
  <record id="library_group_user" model="res.groups">
    <field name="name">User</field>
    <field name="category_id" 
           ref="module_library_category"/>
    <field name="implied_ids" 
           eval="[(4, ref('base.group_user'))]"/>
  </record>

The record is created in the res.groups model, and values are given for three fields:

name is the group title.
category_id is the related app. It is a relational field, so the ref attribute is used with an XML ID linking it to the category we've already created.
implied_ids is a one-to-many relational field, and contains a list of groups that will also apply to users belonging to this group. It uses a special syntax that will be explained in Chapter 5, Import, Export, and Module Data. In this case, we are using code 4 to add a link to base.group_user, the basic internal user group.

Next, we will create the manager group. It should give us all the privileges granted to the user group, plus some additional access reserved for the app manager:

  <!-- Library Manager Group -->
  <record id="library_group_manager" model="res.groups">
    <field name="name">Manager</field>
    <field name="category_id" 
           ref="module_library_category"/>
    <field name="implied_ids" 
           eval="[(4, ref('library_group_user'))]"/>
    <field name="users" 
           eval="[(4, ref('base.user_root')),
                  (4, ref('base.user_admin'))]"/>
  </record>

Here, we also see the name, category_id, and implied_ids fields, as before. implied_ids is set with a link to the library user group, to inherit its privileges.

We also set the value for the users field, so that the administrator and the internal root users are automatically app managers.

In previous Odoo versions, the admin administrator user was also the internal root user. In Odoo 12, we have a system root user, which is not shown in the user list, and is used internally by the framework when privilege-elevation is needed ( sudo). The admin user can be used to log into the server and should have full access to all features, but can no longer bypass access security, as the system root user can.

We also need to add this new XML file to the module's manifest file:

'data': [
    'security/library_security.xml',
    'views/library_menu.xml',
],

Notice that the library_security.xml file was added before library_menu.xml. The order in which data files are loaded is important, since you can only use identifier references that have already been defined. It is common for menu items to reference security groups, and so it is good practice to add security definitions before menu and view definitions.