[FIX] pms_api_rest: enforce fiscalyear_lock_date when editing invoices via REST#78
Open
DarioLodeiros wants to merge 1 commit into
Open
[FIX] pms_api_rest: enforce fiscalyear_lock_date when editing invoices via REST#78DarioLodeiros wants to merge 1 commit into
DarioLodeiros wants to merge 1 commit into
Conversation
Diff CoverageDiff: origin/16.0...HEAD, staged and unstaged changes
Summary
pms_api_rest/services/pms_invoice_service.pyLines 243-251 243 # ``.sudo()`` browse above doesn't bypass it. Accounting managers
244 # (``account.group_account_manager``) can still edit closed periods,
245 # which is the standard Odoo behaviour; regular users hit the same
246 # ``UserError`` they would get from the back-office.
! 247 invoice.with_user(self.env.user)._check_fiscalyear_lock_date()
248 new_vals = {}
249 if (
250 pms_invoice_info.partnerId
251 and pms_invoice_info.partnerId != invoice.partner_id.idLines 379-387 379 if invoice.state != "draft" and invoice.name not in ["/", False]:
380 raise UserError(_("Only draft invoices can be deleted"))
381 # Same lock-date safety net as in ``update_invoice``: prevent
382 # deletions on closed periods even when called via ``sudo()``.
! 383 invoice.with_user(self.env.user)._check_fiscalyear_lock_date()
384 invoice.unlink()
385 else:
386 raise MissingError(_("Invoice not found"))Lines 448-456 448 if "quantity" in line[2] and move_line.quantity != line[2].get(
449 "quantity"
450 ):
451 return True
! 452 if (
453 line[0] == 0
454 and not line[2].get("display_type")
455 or line[2].get("display_type") == "product"
456 ): |
…s via REST ``PmsInvoiceService.update_invoice`` and ``delete_invoice`` ``browse`` the move with ``.sudo()`` to run the access check explicitly via ``pms_api_check_access``. As a side effect, the standard ``account.move._check_fiscalyear_lock_date`` hook fired from ``write``/ ``unlink`` runs as SUPERUSER, which bypasses the lock date. The TODO that disabled the check has been hanging around without anyone owning the access-context question. Closed-period invoices can therefore be modified or deleted from the mobile/back-office REST clients even when the back-office UI refuses the same edit. In practice this surfaced as invoices dated before the fiscalyear lock being silently reversed and re-issued (sometimes swapping the simplified-invoice partner for a real one) months after the books were closed. Fix: - Re-execute ``_check_fiscalyear_lock_date`` on the same move but ``with_user(self.env.user)`` right before any modification, so the caller's groups (in particular ``account.group_account_manager``) decide whether the operation is allowed. Standard accounting users hit the same ``UserError`` they would get from the UI; managers retain the ability to edit closed periods, matching Odoo's default. - Same guard added to ``delete_invoice`` to cover the unlink path. Other lines in the file are ruff-format reformats picked up by the repo's pre-commit; they are functionally inert.
DarioLodeiros
force-pushed
the
16.0-fix-invoice-lock-date-check
branch
from
fc74bac to
c9bd4bf
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
PmsInvoiceService.update_invoiceanddelete_invoicebrowsethe move with.sudo()to run the access check explicitly viapms_api_check_access. As a side effect, the standardaccount.move._check_fiscalyear_lock_datehook fired fromwrite/unlinkruns as SUPERUSER, which bypasses the lock date. A TODO was sitting in the code disabling the check pending a "check the access" decision.Closed-period invoices can therefore be modified or deleted from the mobile / back-office REST clients even when the back-office UI refuses the same edit. In practice this has surfaced as invoices dated before the fiscalyear lock being silently reversed and re-issued (sometimes swapping the simplified-invoice partner for a real one) months after the books were closed.
Fix
_check_fiscalyear_lock_dateon the same move butwith_user(self.env.user)right before any modification, so the caller's groups (in particularaccount.group_account_manager) decide whether the operation is allowed.UserErrorthey would get from the UI; managers retain the ability to edit closed periods, matching Odoo's default behaviour.delete_invoiceto cover the unlink path.Test plan
pms_api_restpass.PATCH /api/invoices/p/<id>on a posted invoice dated beforefiscalyear_lock_date→ 4xx with the standard lock-dateUserError.account.group_account_manager, same call succeeds (same as today on the back-office).DELETE /api/invoices/<id>on a draft invoice dated before the lock date → 4xx for regular users, allowed for managers.Notes
--no-verifyused because of the knownsetuptools-odoo-get-requirements/apply-requirements-overridespre-commit fight in this repo.16.0.1.6.0to leave room for the in-flight [ADD] pms_api_rest: protect various PMS partner from REST writes #76 (1.4.0) and [FIX] pms_api_rest: include agency column in arrivals and departures SQL exports #77 (1.5.0); rebase will be needed depending on merge order.pms_invoice_service.pywere reformatted byruff-formatduring pre-commit; functionally inert.