Bring odoo-go to ~70%: read_group, record rules, admin, sessions

Phase 1: read_group/web_read_group with SQL GROUP BY, aggregates (sum/avg/min/max/count/array_agg/sum_currency), date granularity, M2O groupby resolution to [id, display_name]. Phase 2: Record rules with domain_force parsing (Python literal parser), global AND + group OR merging. Domain operators: child_of, parent_of, any, not any compiled to SQL hierarchy/EXISTS queries. Phase 3: Button dispatch via /web/dataset/call_button, method return values interpreted as actions. Payment register wizard (account.payment.register) for sale→invoice→pay flow. Phase 4: ir.filters, ir.default, product fields expanded, SO line product_id onchange, ir_model+ir_model_fields DB seeding. Phase 5: CSV export (/web/export/csv), attachment upload/download via ir.attachment, fields_get with aggregator hints. Admin/System: Session persistence (PostgreSQL-backed), ir.config_parameter with get_param/set_param, ir.cron, ir.logging, res.lang, res.config.settings with company-related fields, Settings form view. Technical menu with Views/Actions/Parameters/Security/Logging sub-menus. User change_password, preferences. Password never exposed in UI/API. Bugfixes: false→nil for varchar/int fields, int32 in toInt64, call_button route with trailing slash, create_invoices returns action, search view always included, get_formview_action, name_create, ir.http stub. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-02 19:26:08 +02:00
parent 06e49c878a
commit b57176de2f
29 changed files with 3243 additions and 111 deletions
--- a/pkg/orm/rules.go
+++ b/pkg/orm/rules.go
@@ -10,12 +10,12 @@ import (
 //
 // Rules work as follows:
 // - Global rules (no groups) are AND-ed together
-// - Group rules are OR-ed within the group set
-// - The final domain is: global_rules AND (group_rule_1 OR group_rule_2 OR ...)
+// - Group rules (user belongs to one of the rule's groups) are OR-ed together
+// - The final domain is: original AND global_rules AND (group_rule_1 OR group_rule_2 OR ...)
 //
 // Implementation:
 // 1. Built-in company filter (for models with company_id)
-// 2. Custom ir.rule records loaded from the database
+// 2. Custom ir.rule records loaded from the database, domain_force parsed
 func ApplyRecordRules(env *Environment, m *Model, domain Domain) Domain {
 	if env.su {
 		return domain // Superuser bypasses record rules
@@ -38,59 +38,143 @@ func ApplyRecordRules(env *Environment, m *Model, domain Domain) Domain {
 		}
 	}

-	// 2. Load custom ir.rule records from DB
-	// Mirrors: odoo/addons/base/models/ir_rule.py IrRule._compute_domain()
+	// 2. Load ir.rule records from DB
+	// Mirrors: odoo/addons/base/models/ir_rule.py IrRule._get_rules() + _compute_domain()
 	//
 	// Query rules that apply to this model for the current user:
 	// - Rule must be active and have perm_read = true
-	// - Either the rule has no group restriction (global rule),
-	//   or the user belongs to one of the rule's groups.
-	// Use a savepoint so that a failed query (e.g., missing junction table)
-	// doesn't abort the parent transaction.
+	// - Either the rule is global (no groups assigned),
+	//   or the user belongs to one of the rule's groups via rule_group_rel.
+	// Use a savepoint so that a failed query (e.g., missing table) doesn't abort the parent tx.
 	sp, spErr := env.tx.Begin(env.ctx)
 	if spErr != nil {
 		return domain
 	}
+
 	rows, err := sp.Query(env.ctx,
-		`SELECT r.id, r.domain_force, COALESCE(r.global, false)
+		`SELECT r.id, r.domain_force, COALESCE(r."global", false) AS is_global
 		 FROM ir_rule r
 		 JOIN ir_model m ON m.id = r.model_id
-		 WHERE m.model = $1 AND r.active = true
-		 AND r.perm_read = true`,
-		m.Name())
+		 WHERE m.model = $1
+		   AND r.active = true
+		   AND r.perm_read = true
+		   AND (
+		       r."global" = true
+		       OR r.id IN (
+		           SELECT rg.rule_group_id
+		           FROM rule_group_rel rg
+		           JOIN res_groups_users_rel gu ON gu.gid = rg.group_id
+		           WHERE gu.uid = $2
+		       )
+		   )
+		 ORDER BY r.id`,
+		m.Name(), env.UID())
 	if err != nil {
 		sp.Rollback(env.ctx)
 		return domain
 	}
-	defer func() {
-		rows.Close()
-		sp.Commit(env.ctx)
-	}()

-	// Collect domain_force strings from matching rules
-	// TODO: parse domain_force strings into Domain objects and merge them
-	ruleCount := 0
+	type ruleRow struct {
+		id          int64
+		domainForce *string
+		global      bool
+	}
+	var rules []ruleRow
+
 	for rows.Next() {
-		var ruleID int64
-		var domainForce *string
-		var global bool
-		if err := rows.Scan(&ruleID, &domainForce, &global); err != nil {
+		var r ruleRow
+		if err := rows.Scan(&r.id, &r.domainForce, &r.global); err != nil {
 			continue
 		}
-		ruleCount++
-		// TODO: parse domainForce (Python-style domain string) into Domain
-		// and AND global rules / OR group rules into the result domain.
-		// For now, rules are loaded but domain parsing is deferred.
-		_ = domainForce
-		_ = global
+		rules = append(rules, r)
 	}
-	if ruleCount > 0 {
-		log.Printf("orm: loaded %d ir.rule record(s) for %s (domain parsing pending)", ruleCount, m.Name())
+	rows.Close()
+	if err := sp.Commit(env.ctx); err != nil {
+		// Non-fatal: rules already read
+		_ = err
+	}
+
+	if len(rules) == 0 {
+		return domain
+	}
+
+	// Parse domain_force strings and split into global vs. group rules.
+	// Mirrors: odoo/addons/base/models/ir_rule.py IrRule._compute_domain()
+	//   global rules  → AND together
+	//   group rules   → OR together
+	//   final = original AND all_global AND (group_1 OR group_2 OR ...)
+	var globalDomains []DomainNode
+	var groupDomains []DomainNode
+	parseErrors := 0
+
+	for _, r := range rules {
+		if r.domainForce == nil || *r.domainForce == "" || *r.domainForce == "[]" {
+			// Empty domain_force = match everything, skip
+			continue
+		}
+
+		parsed, err := ParseDomainString(*r.domainForce, env)
+		if err != nil {
+			parseErrors++
+			log.Printf("orm: failed to parse domain_force for ir.rule %d: %v (raw: %s)", r.id, err, *r.domainForce)
+			continue
+		}
+		if len(parsed) == 0 {
+			continue
+		}
+
+		if r.global {
+			// Global rule: wrap as a single node for AND-ing
+			globalDomains = append(globalDomains, domainAsNode(parsed))
+		} else {
+			// Group rule: wrap as a single node for OR-ing
+			groupDomains = append(groupDomains, domainAsNode(parsed))
+		}
+	}
+
+	if parseErrors > 0 {
+		log.Printf("orm: %d ir.rule domain_force parse error(s) for %s", parseErrors, m.Name())
+	}
+
+	// Merge group domains with OR
+	if len(groupDomains) > 0 {
+		orDomain := Or(groupDomains...)
+		globalDomains = append(globalDomains, domainAsNode(orDomain))
+	}
+
+	// AND all rule domains into the original domain
+	if len(globalDomains) > 0 {
+		ruleDomain := And(globalDomains...)
+		if len(domain) == 0 {
+			domain = ruleDomain
+		} else {
+			result := Domain{OpAnd}
+			result = append(result, domain...)
+			result = append(result, ruleDomain...)
+			domain = result
+		}
 	}

 	return domain
 }

+// domainAsNode wraps a Domain (which is a []DomainNode) into a single DomainNode
+// so it can be used as an operand for And() / Or().
+// If the domain has a single node, return it directly.
+// If multiple nodes, wrap in a domainGroup.
+func domainAsNode(d Domain) DomainNode {
+	if len(d) == 1 {
+		return d[0]
+	}
+	return domainGroup(d)
+}
+
+// domainGroup wraps a Domain as a single DomainNode for use in And()/Or() combinations.
+// When compiled, it produces the same SQL as the contained domain.
+type domainGroup Domain
+
+func (dg domainGroup) isDomainNode() {}
+
 // CheckRecordRuleAccess verifies the user can access specific record IDs.
 // Returns an error if any record is not accessible.
 func CheckRecordRuleAccess(env *Environment, m *Model, ids []int64, perm string) error {