From 5895660fb3d741a4e11ea6de8b45adb006a89400 Mon Sep 17 00:00:00 2001
From: Eduard Brahas <eduardbrhas@outlook.it>
Date: Fri, 15 Nov 2024 12:17:28 +0100
Subject: [PATCH] [IMP] impersonate_login: Restrict Admin settings
 impersonation

---
 impersonate_login/README.rst                  |  7 +++-
 impersonate_login/__manifest__.py             |  1 +
 impersonate_login/models/__init__.py          |  1 +
 .../models/res_config_settings.py             | 13 ++++++
 impersonate_login/models/res_users.py         | 16 ++++++++
 impersonate_login/readme/CONTRIBUTORS.rst     |  2 +
 impersonate_login/readme/DESCRIPTION.rst      |  5 ++-
 .../static/description/index.html             | 10 ++++-
 .../tests/test_impersonate_login.py           | 40 +++++++++++++++++++
 .../views/res_config_settings.xml             | 33 +++++++++++++++
 10 files changed, 125 insertions(+), 3 deletions(-)
 create mode 100644 impersonate_login/models/res_config_settings.py
 create mode 100644 impersonate_login/views/res_config_settings.xml

diff --git a/impersonate_login/README.rst b/impersonate_login/README.rst
index eb25fdab03..e0ef6f402c 100644
--- a/impersonate_login/README.rst
+++ b/impersonate_login/README.rst
@@ -40,7 +40,10 @@ following measures are in place:
 -  Mails and messages are sent from the original user.
 -  Impersonated logins are logged and can be consulted through the
    Settings -> Technical menu.
--
+- To prevent users with "Administration: Settings" rights from being impersonated,
+   enable the restrict_impersonate_admin_settings field in the settings.
+   This will restrict the ability to impersonate users with administrative
+   access to the settings.
 
 There is an alternative module to allow logins as another user
 (auth_admin_passkey), but it does not support these security mechanisms.
@@ -81,6 +84,8 @@ Contributors
 - Kévin Roche <kevin.roche@akretion.com>
 - [360ERP](https://www.360erp.com):
   - Andrea Stirpe
+- `Ooops404 <https://www.ooops404.com/>`_:
+  - Eduard Brahas <eduard@ooops404.com>
 
 Maintainers
 ~~~~~~~~~~~
diff --git a/impersonate_login/__manifest__.py b/impersonate_login/__manifest__.py
index 35b39b0e6a..49b8702c42 100644
--- a/impersonate_login/__manifest__.py
+++ b/impersonate_login/__manifest__.py
@@ -21,6 +21,7 @@
         "views/assets.xml",
         "views/res_users.xml",
         "views/impersonate_log.xml",
+        "views/res_config_settings.xml",
         "security/group.xml",
         "security/ir.model.access.csv",
     ],
diff --git a/impersonate_login/models/__init__.py b/impersonate_login/models/__init__.py
index debb66e9c1..d483c409d4 100644
--- a/impersonate_login/models/__init__.py
+++ b/impersonate_login/models/__init__.py
@@ -4,3 +4,4 @@
 from . import mail_message
 from . import impersonate_log
 from . import model
+from . import res_config_settings
diff --git a/impersonate_login/models/res_config_settings.py b/impersonate_login/models/res_config_settings.py
new file mode 100644
index 0000000000..5f687595d1
--- /dev/null
+++ b/impersonate_login/models/res_config_settings.py
@@ -0,0 +1,13 @@
+from odoo import fields, models
+
+
+class ResConfigSettings(models.TransientModel):
+    _inherit = "res.config.settings"
+
+    restrict_impersonate_admin_settings = fields.Boolean(
+        string="Restrict Impersonation of 'Administration: Settings' Users",
+        config_parameter="impersonate_login.restrict_impersonate_admin_settings",
+        help="If enabled, users with the 'Administration: Settings' access right"
+        " cannot be impersonated.",
+        default=False,
+    )
diff --git a/impersonate_login/models/res_users.py b/impersonate_login/models/res_users.py
index c3307dddd7..22a2939ee5 100644
--- a/impersonate_login/models/res_users.py
+++ b/impersonate_login/models/res_users.py
@@ -24,6 +24,22 @@ def _is_impersonate_user(self):
 
     def impersonate_login(self):
         if request:
+
+            config_restrict = (
+                self.env["ir.config_parameter"]
+                .sudo()
+                .get_param("impersonate_login.restrict_impersonate_admin_settings")
+            )
+            if config_restrict:
+                admin_settings_group = self.env.ref("base.group_system")
+                if admin_settings_group in self.groups_id:
+                    raise UserError(
+                        _(
+                            "You cannot impersonate users with"
+                            " 'Administration: Settings' access rights."
+                        )
+                    )
+
             if request.session.impersonate_from_uid:
                 if self.id == request.session.impersonate_from_uid:
                     return self.back_to_origin_login()
diff --git a/impersonate_login/readme/CONTRIBUTORS.rst b/impersonate_login/readme/CONTRIBUTORS.rst
index 56c4cb59e2..2198ac7c2a 100644
--- a/impersonate_login/readme/CONTRIBUTORS.rst
+++ b/impersonate_login/readme/CONTRIBUTORS.rst
@@ -1,3 +1,5 @@
 - Kévin Roche <kevin.roche@akretion.com>
 - [360ERP](https://www.360erp.com):
   - Andrea Stirpe
+- `Ooops404 <https://www.ooops404.com/>`_:
+  - Eduard Brahas <eduard@ooops404.com>
diff --git a/impersonate_login/readme/DESCRIPTION.rst b/impersonate_login/readme/DESCRIPTION.rst
index 8df932e9d1..3fb0e32b38 100644
--- a/impersonate_login/readme/DESCRIPTION.rst
+++ b/impersonate_login/readme/DESCRIPTION.rst
@@ -10,7 +10,10 @@ following measures are in place:
 -  Mails and messages are sent from the original user.
 -  Impersonated logins are logged and can be consulted through the
    Settings -> Technical menu.
--
+- To prevent users with "Administration: Settings" rights from being impersonated,
+   enable the restrict_impersonate_admin_settings field in the settings.
+   This will restrict the ability to impersonate users with administrative
+   access to the settings.
 
 There is an alternative module to allow logins as another user
 (auth_admin_passkey), but it does not support these security mechanisms.
diff --git a/impersonate_login/static/description/index.html b/impersonate_login/static/description/index.html
index 29d39506a1..de62407628 100644
--- a/impersonate_login/static/description/index.html
+++ b/impersonate_login/static/description/index.html
@@ -381,7 +381,13 @@ <h1 class="title">Impersonate Login</h1>
 <li>Mails and messages are sent from the original user.</li>
 <li>Impersonated logins are logged and can be consulted through the
 Settings -&gt; Technical menu.</li>
-<li></li>
+<li><dl class="first docutils">
+<dt>To prevent users with “Administration: Settings” rights from being impersonated,</dt>
+<dd>enable the restrict_impersonate_admin_settings field in the settings.
+This will restrict the ability to impersonate users with administrative
+access to the settings.</dd>
+</dl>
+</li>
 </ul>
 <p>There is an alternative module to allow logins as another user
 (auth_admin_passkey), but it does not support these security mechanisms.</p>
@@ -426,6 +432,8 @@ <h2><a class="toc-backref" href="#toc-entry-5">Contributors</a></h2>
 <li>Kévin Roche &lt;<a class="reference external" href="mailto:kevin.roche&#64;akretion.com">kevin.roche&#64;akretion.com</a>&gt;</li>
 <li>[360ERP](<a class="reference external" href="https://www.360erp.com">https://www.360erp.com</a>):
 - Andrea Stirpe</li>
+<li><a class="reference external" href="https://www.ooops404.com/">Ooops404</a>:
+- Eduard Brahas &lt;<a class="reference external" href="mailto:eduard&#64;ooops404.com">eduard&#64;ooops404.com</a>&gt;</li>
 </ul>
 </div>
 <div class="section" id="maintainers">
diff --git a/impersonate_login/tests/test_impersonate_login.py b/impersonate_login/tests/test_impersonate_login.py
index 41b5e04062..d84a22d5b7 100644
--- a/impersonate_login/tests/test_impersonate_login.py
+++ b/impersonate_login/tests/test_impersonate_login.py
@@ -261,3 +261,43 @@ def test_04_write_uid(self):
         contact.invalidate_cache()
         self.assertEqual(contact.ref, "abc")
         self.assertEqual(contact.write_uid, self.admin_user)
+
+    def test_05_limit_access_to_admin(self):
+        """
+        Test restriction on impersonating admin users
+        with 'Administration: Settings' access rights.
+        """
+        # Enable the configuration setting via ResConfigSettings
+        config_settings = self.env["res.config.settings"].create(
+            {"restrict_impersonate_admin_settings": True}
+        )
+        config_settings.execute()
+
+        # Ensure the configuration parameter is set
+        config_restrict = (
+            self.env["ir.config_parameter"]
+            .sudo()
+            .get_param("impersonate_login.restrict_impersonate_admin_settings")
+        )
+        self.assertTrue(config_restrict)
+
+        # Ensure the admin user has the 'Administration: Settings' group
+        admin_settings_group = self.env.ref("base.group_system")
+        self.admin_user.groups_id += admin_settings_group
+
+        # Login as demo user
+        self.authenticate(user="demo", password="demo")
+        self.assertEqual(self.session.uid, self.demo_user.id)
+
+        # Give demo user the impersonation group
+        self.demo_user.groups_id += self.env.ref(
+            "impersonate_login.group_impersonate_login"
+        )
+
+        with mute_logger("odoo.http"):
+            data = self._impersonate_user(self.admin_user)
+        # Validate the error message
+        self.assertEqual(
+            data["error"]["data"]["message"],
+            "You cannot impersonate users with 'Administration: Settings' access rights.",
+        )
diff --git a/impersonate_login/views/res_config_settings.xml b/impersonate_login/views/res_config_settings.xml
new file mode 100644
index 0000000000..8717e32c53
--- /dev/null
+++ b/impersonate_login/views/res_config_settings.xml
@@ -0,0 +1,33 @@
+<odoo>
+    <record id="view_res_config_settings_impersonate" model="ir.ui.view">
+        <field name="name">res.config.settings.impersonate</field>
+        <field name="model">res.config.settings</field>
+        <field name="inherit_id" ref="base_setup.res_config_settings_view_form" />
+        <field name="arch" type="xml">
+            <xpath expr="//div[@id='invite_users']" position="after">
+                <div id="impersonate_login">
+                    <h2>Impersonation Login</h2>
+                    <div
+                        class="row mt16 o_settings_container"
+                        name="impersonate_login_settings_container"
+                    >
+                        <div
+                            class="col-12 col-lg-6 o_setting_box"
+                            id="impersonate_login_settings"
+                        >
+                            <div class="o_setting_right_pane">
+                                <label for="restrict_impersonate_admin_settings">
+                                    Restrict Impersonation Login
+                                </label>
+                                <field
+                                    name="restrict_impersonate_admin_settings"
+                                    string="Restrict Impersonation of 'Administration: Settings' Users"
+                                />
+                            </div>
+                        </div>
+                    </div>
+                </div>
+            </xpath>
+        </field>
+    </record>
+</odoo>