diff --git a/impersonate_login/README.rst b/impersonate_login/README.rst index 77d52a2ee1..ac54ea035a 100644 --- a/impersonate_login/README.rst +++ b/impersonate_login/README.rst @@ -40,7 +40,10 @@ following measures are in place: - Mails and messages are sent from the original user. - Impersonated logins are logged and can be consulted through the Settings -> Technical menu. -- +- To prevent users with "Administration: Settings" rights from being + impersonated, enable the restrict_impersonate_admin_settings field in + the settings. This will restrict the ability to impersonate users + with administrative access to the settings. There is an alternative module to allow logins as another user (auth_admin_passkey), but it does not support these security mechanisms. @@ -55,6 +58,10 @@ Configuration The impersonating user must belong to group "Impersonate Users". +If you want to forbid impersonation of users with the "Administration: +Settings" access rights, enable the *Restrict Impersonation of +"Administration: Settings" Users* option in the settings. + Usage ===== diff --git a/impersonate_login/__manifest__.py b/impersonate_login/__manifest__.py index 23516e92ee..a6c62fe42f 100644 --- a/impersonate_login/__manifest__.py +++ b/impersonate_login/__manifest__.py @@ -20,6 +20,7 @@ "data": [ "security/group.xml", "security/ir.model.access.csv", + "views/res_config_settings.xml", "views/res_users.xml", "views/impersonate_log.xml", ], diff --git a/impersonate_login/models/__init__.py b/impersonate_login/models/__init__.py index debb66e9c1..d483c409d4 100644 --- a/impersonate_login/models/__init__.py +++ b/impersonate_login/models/__init__.py @@ -4,3 +4,4 @@ from . import mail_message from . import impersonate_log from . import model +from . import res_config_settings diff --git a/impersonate_login/models/res_config_settings.py b/impersonate_login/models/res_config_settings.py new file mode 100644 index 0000000000..04fbf9571f --- /dev/null +++ b/impersonate_login/models/res_config_settings.py @@ -0,0 +1,15 @@ +from odoo import fields, models + + +class ResConfigSettings(models.TransientModel): + _inherit = "res.config.settings" + + restrict_impersonate_admin_settings = fields.Boolean( + string="Restrict Impersonation of 'Administration: Settings' Users", + config_parameter="impersonate_login.restrict_impersonate_admin_settings", + help=( + "If enabled, users with the 'Administration: Settings' access right" + " cannot be impersonated." + ), + default=False, + ) diff --git a/impersonate_login/models/res_users.py b/impersonate_login/models/res_users.py index 27dd13f66a..5a1aaf4e2c 100644 --- a/impersonate_login/models/res_users.py +++ b/impersonate_login/models/res_users.py @@ -24,6 +24,20 @@ def _is_impersonate_user(self): def impersonate_login(self): if request: + config_restrict = ( + self.env["ir.config_parameter"] + .sudo() + .get_param("impersonate_login.restrict_impersonate_admin_settings") + ) + if config_restrict: + admin_settings_group = self.env.ref("base.group_system") + if admin_settings_group in self.groups_id: + raise UserError( + _( + "You cannot impersonate users with" + " 'Administration: Settings' access rights." + ) + ) if request.session.impersonate_from_uid: if self.id == request.session.impersonate_from_uid: return self.back_to_origin_login() diff --git a/impersonate_login/readme/CONFIGURE.md b/impersonate_login/readme/CONFIGURE.md index 33ebb6904a..649fb31c76 100644 --- a/impersonate_login/readme/CONFIGURE.md +++ b/impersonate_login/readme/CONFIGURE.md @@ -1 +1,5 @@ The impersonating user must belong to group "Impersonate Users". + +If you want to prevent impersonation of users with the *Administration: Settings* +rights, enable the *Restrict Impersonation of "Administration: Settings" Users* +option in the settings. diff --git a/impersonate_login/readme/DESCRIPTION.md b/impersonate_login/readme/DESCRIPTION.md index cee4996cfb..757ab10e2b 100644 --- a/impersonate_login/readme/DESCRIPTION.md +++ b/impersonate_login/readme/DESCRIPTION.md @@ -6,6 +6,7 @@ To ensure that any abuse of this feature will not go unnoticed, the following me * In the chatter, it is displayed who is the user that is logged as another user. * Mails and messages are sent from the original user. * Impersonated logins are logged and can be consulted through the Settings -> Technical menu. -* +* You can optionally forbid impersonation of users with "Administration: Settings" + rights by enabling the related option in the settings. There is an alternative module to allow logins as another user (auth_admin_passkey), but it does not support these security mechanisms. diff --git a/impersonate_login/static/description/index.html b/impersonate_login/static/description/index.html index bc3126b298..32d25f6136 100644 --- a/impersonate_login/static/description/index.html +++ b/impersonate_login/static/description/index.html @@ -381,7 +381,10 @@

Impersonate Login

  • Mails and messages are sent from the original user.
  • Impersonated logins are logged and can be consulted through the Settings -> Technical menu.
    • -
  • +
  • To prevent users with “Administration: Settings” rights from being +impersonated, enable the restrict_impersonate_admin_settings field in +the settings. This will restrict the ability to impersonate users +with administrative access to the settings.

    • There is an alternative module to allow logins as another user (auth_admin_passkey), but it does not support these security mechanisms.

    @@ -402,6 +405,9 @@

    Impersonate Login

    Configuration

    The impersonating user must belong to group “Impersonate Users”.

    +

    If you want to forbid impersonation of users with the “Administration: +Settings” access rights, enable the Restrict Impersonation of “Administration: +Settings” Users option in the settings.

    Usage

    diff --git a/impersonate_login/tests/test_impersonate_login.py b/impersonate_login/tests/test_impersonate_login.py index ad0665c4ee..313239ce99 100644 --- a/impersonate_login/tests/test_impersonate_login.py +++ b/impersonate_login/tests/test_impersonate_login.py @@ -258,3 +258,37 @@ def test_04_write_uid(self): self.assertEqual(result, True) self.assertEqual(contact.ref, "abc") self.assertEqual(contact.write_uid, self.admin_user) + + def test_05_limit_access_to_admin(self): + """ + Test restriction on impersonating admin users + with 'Administration: Settings' access rights. + """ + config_settings = self.env["res.config.settings"].create( + {"restrict_impersonate_admin_settings": True} + ) + config_settings.execute() + + config_restrict = ( + self.env["ir.config_parameter"] + .sudo() + .get_param("impersonate_login.restrict_impersonate_admin_settings") + ) + self.assertTrue(config_restrict) + + admin_settings_group = self.env.ref("base.group_system") + self.admin_user.groups_id += admin_settings_group + + self.authenticate(user="demo", password="demo") + self.assertEqual(self.session.uid, self.demo_user.id) + + self.demo_user.groups_id += self.env.ref( + "impersonate_login.group_impersonate_login" + ) + + with mute_logger("odoo.http"): + data = self._impersonate_user(self.admin_user) + self.assertEqual( + data["error"]["data"]["message"], + "You cannot impersonate users with 'Administration: Settings' access rights.", + ) diff --git a/impersonate_login/views/res_config_settings.xml b/impersonate_login/views/res_config_settings.xml new file mode 100644 index 0000000000..9d51519540 --- /dev/null +++ b/impersonate_login/views/res_config_settings.xml @@ -0,0 +1,36 @@ + + + res.config.settings.impersonate + res.config.settings + + + +
    +

    Impersonation Login

    +
    +
    +
    + +
    +
    + +
    + Prevents impersonating users that have the + "Administration: Settings" access rights. +
    +
    +
    +
    +
    +     +     +     +