From 1dea752a2965a296ec5d8e15015d7170a5ba7970 Mon Sep 17 00:00:00 2001
From: gsinghpal <gur_preet.singh@outlook.com>
Date: Sun, 24 May 2026 12:29:52 -0400
Subject: [PATCH] test(shopfloor): fp.tablet.session.event is append-only

Owner reads. Technician cannot read. Owner cannot write or unlink.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../tests/__init__.py                         |  1 +
 .../tests/test_tablet_session_event_model.py  | 59 +++++++++++++++++++
 2 files changed, 60 insertions(+)
 create mode 100644 fusion_plating/fusion_plating_shopfloor/tests/test_tablet_session_event_model.py

diff --git a/fusion_plating/fusion_plating_shopfloor/tests/__init__.py b/fusion_plating/fusion_plating_shopfloor/tests/__init__.py
index 0bec13b2..4e127c3f 100644
--- a/fusion_plating/fusion_plating_shopfloor/tests/__init__.py
+++ b/fusion_plating/fusion_plating_shopfloor/tests/__init__.py
@@ -4,3 +4,4 @@ from . import test_landing_kanban
 from . import test_tablet_pin
 from . import test_tablet_lock_payload
 from . import test_kiosk_user_acl
+from . import test_tablet_session_event_model
diff --git a/fusion_plating/fusion_plating_shopfloor/tests/test_tablet_session_event_model.py b/fusion_plating/fusion_plating_shopfloor/tests/test_tablet_session_event_model.py
new file mode 100644
index 00000000..cac874b7
--- /dev/null
+++ b/fusion_plating/fusion_plating_shopfloor/tests/test_tablet_session_event_model.py
@@ -0,0 +1,59 @@
+from odoo.tests.common import TransactionCase, tagged
+from odoo.exceptions import AccessError
+
+
+@tagged('-at_install', 'post_install', 'fp_tablet')
+class TestTabletSessionEventAppendOnly(TransactionCase):
+
+    def setUp(self):
+        super().setUp()
+        Users = self.env['res.users'].with_context(no_reset_password=True)
+        self.owner = Users.create({
+            'login': 'audit_owner', 'name': 'Audit Owner',
+            'email': 'audit_owner@example.com',
+            'group_ids': [(6, 0, [
+                self.env.ref('fusion_plating.group_fp_owner').id
+            ])],
+        })
+        self.tech = Users.create({
+            'login': 'audit_tech', 'name': 'Audit Tech',
+            'email': 'audit_tech@example.com',
+            'group_ids': [(6, 0, [
+                self.env.ref('fusion_plating.group_fp_technician').id
+            ])],
+        })
+
+    def test_owner_can_read(self):
+        event = self.env['fp.tablet.session.event'].sudo().create({
+            'event_type': 'unlock',
+            'user_id': self.tech.id,
+        })
+        # Owner reads via their own user
+        e = self.env['fp.tablet.session.event'].with_user(self.owner).browse(event.id)
+        self.assertEqual(e.user_id, self.tech)
+
+    def test_technician_cannot_read(self):
+        event = self.env['fp.tablet.session.event'].sudo().create({
+            'event_type': 'unlock',
+            'user_id': self.tech.id,
+        })
+        with self.assertRaises(AccessError):
+            self.env['fp.tablet.session.event'].with_user(self.tech).browse(event.id).event_type
+
+    def test_owner_cannot_write(self):
+        event = self.env['fp.tablet.session.event'].sudo().create({
+            'event_type': 'unlock',
+            'user_id': self.tech.id,
+        })
+        with self.assertRaises(AccessError):
+            self.env['fp.tablet.session.event'].with_user(self.owner).browse(event.id).write({
+                'event_type': 'failed_unlock',
+            })
+
+    def test_owner_cannot_unlink(self):
+        event = self.env['fp.tablet.session.event'].sudo().create({
+            'event_type': 'unlock',
+            'user_id': self.tech.id,
+        })
+        with self.assertRaises(AccessError):
+            self.env['fp.tablet.session.event'].with_user(self.owner).browse(event.id).unlink()