From a52ef29a846ccf1a00d8ac34aa632c424c427125 Mon Sep 17 00:00:00 2001
From: gsinghpal
Date: Sun, 24 May 2026 12:06:52 -0400
Subject: [PATCH] test(shopfloor): kiosk user ACL has near-zero access

7 tests covering allowed reads (res.users, ir.config_parameter) and forbidden everything else (fp.job, sale.order, fp.certificate, fp.part.catalog, res.users write).

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .../tests/__init__.py | 1 +
 .../tests/test_kiosk_user_acl.py | 52 +++++++++++++++++++
 2 files changed, 53 insertions(+)
 create mode 100644 fusion_plating/fusion_plating_shopfloor/tests/test_kiosk_user_acl.py

diff --git a/fusion_plating/fusion_plating_shopfloor/tests/__init__.py b/fusion_plating/fusion_plating_shopfloor/tests/__init__.py
index 7679f60e..0bec13b2 100644
--- a/fusion_plating/fusion_plating_shopfloor/tests/__init__.py
+++ b/fusion_plating/fusion_plating_shopfloor/tests/__init__.py
@@ -3,3 +3,4 @@ from . import test_workspace_controller
 from . import test_landing_kanban
 from . import test_tablet_pin
 from . import test_tablet_lock_payload
+from . import test_kiosk_user_acl
diff --git a/fusion_plating/fusion_plating_shopfloor/tests/test_kiosk_user_acl.py b/fusion_plating/fusion_plating_shopfloor/tests/test_kiosk_user_acl.py
new file mode 100644
index 00000000..1e1441df
--- /dev/null
+++ b/fusion_plating/fusion_plating_shopfloor/tests/test_kiosk_user_acl.py
@@ -0,0 +1,52 @@
+from odoo.tests.common import TransactionCase, tagged
+from odoo.exceptions import AccessError
+
+
+@tagged('-at_install', 'post_install', 'fp_tablet')
+class TestKioskUserAcl(TransactionCase):
+ """Kiosk user can do ONLY what the lock screen needs:
+ read res.users (tile grid) + read ir.config_parameter (settings).
+ EVERYTHING else MUST raise AccessError."""
+
+ def setUp(self):
+ super().setUp()
+ kiosk = self.env.ref(
+ 'fusion_plating_shopfloor.user_fp_tablet_kiosk',
+ raise_if_not_found=False,
+ )
+ if not kiosk:
+ self.skipTest('fp_tablet_kiosk user not yet provisioned')
+ self.kiosk = kiosk
+
+ def test_kiosk_can_read_users(self):
+ Users = self.env['res.users'].with_user(self.kiosk)
+ Users.check_access_rights('read') # raises if denied
+
+ def test_kiosk_can_read_config_param(self):
+ ICP = self.env['ir.config_parameter'].with_user(self.kiosk)
+ ICP.check_access_rights('read')
+
+ def test_kiosk_cannot_write_users(self):
+ Users = self.env['res.users'].with_user(self.kiosk)
+ with self.assertRaises(AccessError):
+ Users.check_access_rights('write')
+
+ def test_kiosk_cannot_read_jobs(self):
+ Jobs = self.env['fp.job'].with_user(self.kiosk)
+ with self.assertRaises(AccessError):
+ Jobs.check_access_rights('read')
+
+ def test_kiosk_cannot_read_sale_orders(self):
+ SO = self.env['sale.order'].with_user(self.kiosk)
+ with self.assertRaises(AccessError):
+ SO.check_access_rights('read')
+
+ def test_kiosk_cannot_read_certificates(self):
+ Cert = self.env['fp.certificate'].with_user(self.kiosk)
+ with self.assertRaises(AccessError):
+ Cert.check_access_rights('read')
+
+ def test_kiosk_cannot_read_part_catalog(self):
+ Part = self.env['fp.part.catalog'].with_user(self.kiosk)
+ with self.assertRaises(AccessError):
+ Part.check_access_rights('read')
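Review bot: The class docstring promises that everything except `res.users` and `ir.config_parameter` raises AccessError, but the tests probe only four models and only `'read'` on them, so an ACL row that later grants the kiosk group another model, or write/create/unlink on one of these, would not fail anything here. An allowlist test that walks the registry and compares the set of models readable by `self.kiosk` with the two expected names would pin the stated contract; the allowlist may need to absorb models that group-less ACL rows open to every user. `check_access_rights` also consults model-level ACLs only, so record rules on `res.users` and `ir.config_parameter` (which in an Odoo database can hold secrets) are not exercised by the two `test_kiosk_can_read_*` methods. Separately, `setUp` calls `skipTest` when the XML ID is missing, which lets the whole class go green if the kiosk record is renamed or dropped; once the user is provisioned, removing `raise_if_not_found=False` turns that into a failure.

```python
class TestKioskUserAcl(TransactionCase):
    # … unchanged: docstring, setUp and the seven existing tests …

    ALLOWED_READ = {'res.users', 'ir.config_parameter'}

    def test_kiosk_reads_only_allowlisted_models(self):
        readable = set()
        for model_name in self.env.registry:
            model = self.env[model_name].with_user(self.kiosk)
            if model._abstract:
                continue
            if model.check_access_rights('read', raise_exception=False):
                readable.add(model_name)
        self.assertEqual(readable, self.ALLOWED_READ)
```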