Skip to content

[16.0][IMP] budget,budget_appropriation,budget_appropriation_summary: improve permission controls#677

Open
n3n wants to merge 1 commit into16.0from
16.0-imp-budget-review-permissions
Open

[16.0][IMP] budget,budget_appropriation,budget_appropriation_summary: improve permission controls#677
n3n wants to merge 1 commit into16.0from
16.0-imp-budget-review-permissions

Conversation

@n3n
Copy link
Copy Markdown
Member

@n3n n3n commented Apr 10, 2026

Summary

  • Enforce group_budget_commitment on commitment reserve/obligate/consume actions, with is_auto_created flag so mixin-created commitments bypass the check
  • Add groups="budget.group_budget_manager" on transfer Approve/Reject/Post buttons (XML) alongside existing Python has_group checks
  • Require budget manager to post all appropriation types (previously only initial); restrict button_draft to the responsible user or manager
  • Require budget manager for compilation action_done and action_draft, with guard preventing draft revert when master summary is already confirmed/done
  • Add groups="budget.group_budget_manager" on master summary and compilation buttons (Confirm/Done/Back to Draft)
  • Enable perm_write and perm_unlink on all operating unit ir.rules across 3 OU modules for full read/write/delete isolation

Test plan

  • Verify budget_user cannot see Reserve/Obligate/Consume buttons on commitment form (requires group_budget_commitment)
  • Verify mixin-created commitments (from PR/PO) still auto-reserve without group check
  • Verify budget_user cannot see Approve/Reject/Post buttons on transfer form
  • Verify budget_user cannot post any appropriation type (initial or supplementary)
  • Verify only responsible user or manager can reset appropriation to draft
  • Verify budget_user cannot see Done/Back to Draft buttons on compilation and master summary
  • Verify compilation cannot revert to draft when master summary is confirmed/done
  • Verify operating unit isolation blocks cross-OU write/delete via RPC

@n3n
[IMP] budget,budget_appropriation,budget_appropriation_summary: impro…
5965cd3 
…ve permission controls

- Enforce group_budget_commitment on commitment reserve/obligate/consume
  with is_auto_created flag to bypass for mixin-created commitments
- Require budget manager for transfer approve/reject/post buttons via XML groups
- Require budget manager to post all appropriation types (not just initial)
- Restrict appropriation button_draft to owner or manager
- Require budget manager for compilation done/draft with master_summary guard
- Add groups=budget.group_budget_manager on master summary buttons
- Enable perm_write/perm_unlink on operating unit ir.rules for full isolation
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@n3n