[18.0][ADD] technical_admin_limited: add new module

technical_admin_limited/README.rst

@@ -0,0 +1,84 @@
+=======================
+Technical Admin Limited
+=======================
+
+.. 
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! source digest: sha256:05681c8b95215bc67d045a7cd874f6d05785f42ba9743df5b54345f0a8863908
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Beta
+.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
+    :alt: License: AGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-Escodoo%2Fserver--addons-lightgray.png?logo=github
+    :target: https://github.com/Escodoo/server-addons/tree/18.0/technical_admin_limited
+    :alt: Escodoo/server-addons
+
+|badge1| |badge2| |badge3|
+
+This module creates a group to access to technical features without
+access to business or sensitive company data.
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Usage
+=====
+
+Configuration
+-------------
+
+The users that are in the group "Technical Administrator (Limited)" can
+access the settings and technical menus but can't access purchase
+orders, sales orders, account moves, employees or contracts. You must
+remove the following permissions from the user:
+
+-  Sales / Administrator
+-  Purchase / Administrator
+-  Invoicing / Administrator
+-  Employees / Administrator
+-  Contracts / Administrator
+
+Besides the restrictions in Sales, Purchase, Invoicing, Employees and
+Contracts, the module makes users, groups and record rules read-only,
+and restricts access to system parameters.
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/Escodoo/server-addons/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+`feedback <https://github.com/Escodoo/server-addons/issues/new?body=module:%20technical_admin_limited%0Aversion:%2018.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Authors
+-------
+
+* Escodoo
+
+Contributors
+------------
+
+-  ``Escodoo <https://www.escodoo.com.br>``\ \_:
+
+   -  Wesley Oliveira wesley.oliveira@escodoo.com.br
+
+Maintainers
+-----------
+
+This module is part of the `Escodoo/server-addons <https://github.com/Escodoo/server-addons/tree/18.0/technical_admin_limited>`_ project on GitHub.
+
+You are welcome to contribute.

technical_admin_limited/__init__.py

@@ -0,0 +1 @@
+from . import models

technical_admin_limited/__manifest__.py

@@ -0,0 +1,27 @@
+# Copyright 2026 - TODAY, Escodoo
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+{
+    "name": "Technical Admin Limited",
+    "summary": """
+        Access to technical features without
+        allowing access to sensitive company data""",
+    "version": "18.0.1.0.0",
+    "license": "AGPL-3",
+    "author": "Escodoo",
+    "website": "https://github.com/Escodoo/server-addons",
+    "depends": [
+        "base",
+        "sale",
+        "purchase",
+        "account",
+        "hr",
+        "hr_contract",
+    ],
+    "data": [
+        "security/res_groups.xml",
+        "security/ir.model.access.csv",
+        "data/record_rules.xml",
+    ],
+    "installable": True,
+}

technical_admin_limited/data/record_rules.xml

@@ -0,0 +1,116 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!-- Copyright 2026 - TODAY, Wesley Oliveira <wesley.oliveira@escodoo.com.br>
+     License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl). -->
+<odoo noupdate="1">
+    <record id="rule_sale_order_block_technical_admin" model="ir.rule">
+        <field name="name">Block Sale Orders for Technical Admin</field>
+        <field name="model_id" ref="sale.model_sale_order" />
+        <field
+            name="groups"
+            eval="[(4, ref('technical_admin_limited.group_technical_admin_limited'))]"
+        />
+        <field name="domain_force">[('id', '=', False)]</field>
+        <field name="perm_read" eval="True" />
+        <field name="perm_write" eval="True" />
+        <field name="perm_create" eval="True" />
+        <field name="perm_unlink" eval="True" />
+    </record>
+
+    <record id="rule_sale_order_line_block_technical_admin" model="ir.rule">
+        <field name="name">Block Sale Order Lines for Technical Admin</field>
+        <field name="model_id" ref="sale.model_sale_order_line" />
+        <field
+            name="groups"
+            eval="[(4, ref('technical_admin_limited.group_technical_admin_limited'))]"
+        />
+        <field name="domain_force">[('id', '=', False)]</field>
+        <field name="perm_read" eval="True" />
+        <field name="perm_write" eval="True" />
+        <field name="perm_create" eval="True" />
+        <field name="perm_unlink" eval="True" />
+    </record>
+
+    <record id="rule_purchase_order_block_technical_admin" model="ir.rule">
+        <field name="name">Block Purchase Orders for Technical Admin</field>
+        <field name="model_id" ref="purchase.model_purchase_order" />
+        <field
+            name="groups"
+            eval="[(4, ref('technical_admin_limited.group_technical_admin_limited'))]"
+        />
+        <field name="domain_force">[('id', '=', False)]</field>
+        <field name="perm_read" eval="True" />
+        <field name="perm_write" eval="True" />
+        <field name="perm_create" eval="True" />
+        <field name="perm_unlink" eval="True" />
+    </record>
+
+    <record id="rule_purchase_order_line_block_technical_admin" model="ir.rule">
+        <field name="name">Block Purchase Order Lines for Technical Admin</field>
+        <field name="model_id" ref="purchase.model_purchase_order_line" />
+        <field
+            name="groups"
+            eval="[(4, ref('technical_admin_limited.group_technical_admin_limited'))]"
+        />
+        <field name="domain_force">[('id', '=', False)]</field>
+        <field name="perm_read" eval="True" />
+        <field name="perm_write" eval="True" />
+        <field name="perm_create" eval="True" />
+        <field name="perm_unlink" eval="True" />
+    </record>
+
+    <record id="rule_account_move_block_technical_admin" model="ir.rule">
+        <field name="name">Block Account Moves for Technical Admin</field>
+        <field name="model_id" ref="account.model_account_move" />
+        <field
+            name="groups"
+            eval="[(4, ref('technical_admin_limited.group_technical_admin_limited'))]"
+        />
+        <field name="domain_force">[('id', '=', False)]</field>
+        <field name="perm_read" eval="True" />
+        <field name="perm_write" eval="True" />
+        <field name="perm_create" eval="True" />
+        <field name="perm_unlink" eval="True" />
+    </record>
+
+    <record id="rule_account_move_line_block_technical_admin" model="ir.rule">
+        <field name="name">Block Account Move Lines for Technical Admin</field>
+        <field name="model_id" ref="account.model_account_move_line" />
+        <field
+            name="groups"
+            eval="[(4, ref('technical_admin_limited.group_technical_admin_limited'))]"
+        />
+        <field name="domain_force">[('id', '=', False)]</field>
+        <field name="perm_read" eval="True" />
+        <field name="perm_write" eval="True" />
+        <field name="perm_create" eval="True" />
+        <field name="perm_unlink" eval="True" />
+    </record>
+
+    <record id="rule_hr_employee_block_technical_admin" model="ir.rule">
+        <field name="name">Block Employees for Technical Admin</field>
+        <field name="model_id" ref="hr.model_hr_employee" />
+        <field
+            name="groups"
+            eval="[(4, ref('technical_admin_limited.group_technical_admin_limited'))]"
+        />
+        <field name="domain_force">[('id', '=', False)]</field>
+        <field name="perm_read" eval="True" />
+        <field name="perm_write" eval="True" />
+        <field name="perm_create" eval="True" />
+        <field name="perm_unlink" eval="True" />
+    </record>
+
+    <record id="rule_hr_contract_block_technical_admin" model="ir.rule">
+        <field name="name">Block Contracts for Technical Admin</field>
+        <field name="model_id" ref="hr_contract.model_hr_contract" />
+        <field
+            name="groups"
+            eval="[(4, ref('technical_admin_limited.group_technical_admin_limited'))]"
+        />
+        <field name="domain_force">[('id', '=', False)]</field>
+        <field name="perm_read" eval="True" />
+        <field name="perm_write" eval="True" />
+        <field name="perm_create" eval="True" />
+        <field name="perm_unlink" eval="True" />
+    </record>
+</odoo>

technical_admin_limited/models/__init__.py

@@ -0,0 +1,4 @@
+from . import ir_rule
+from . import ir_config_parameter
+from . import res_groups
+from . import res_users

technical_admin_limited/models/ir_config_parameter.py

@@ -0,0 +1,44 @@
+from odoo import api, exceptions, models
+
+
+class IrConfigParameter(models.Model):
+    _inherit = "ir.config_parameter"
+
+    def _check_technical_admin_limited(self):
+        if self.env.user.has_group(
+            "technical_admin_limited.group_technical_admin_limited"
+        ):
+            raise exceptions.AccessError(
+                self.env._(
+                    "You are not allowed to access System Parameters.\n\n"
+                    "This action is restricted for Technical "
+                    "Administrators (Limited)."
+                )
+            )
+
+    @api.model
+    def web_search_read(
+        self, domain, specification, offset=0, limit=None, order=None, count_limit=None
+    ):
+        self._check_technical_admin_limited()
+        return super().web_search_read(
+            domain,
+            specification,
+            offset=offset,
+            limit=limit,
+            order=order,
+            count_limit=count_limit,
+        )
+
+    @api.model_create_multi
+    def create(self, vals_list):
+        self._check_technical_admin_limited()
+        return super().create(vals_list)
+
+    def write(self, vals):
+        self._check_technical_admin_limited()
+        return super().write(vals)
+
+    def unlink(self):
+        self._check_technical_admin_limited()
+        return super().unlink()

technical_admin_limited/models/ir_rule.py

@@ -0,0 +1,30 @@
+from odoo import api, exceptions, models
+
+
+class IrRule(models.Model):
+    _inherit = "ir.rule"
+
+    def _check_technical_admin_limited(self):
+        if self.env.user.has_group(
+            "technical_admin_limited.group_technical_admin_limited"
+        ):
+            raise exceptions.AccessError(
+                self.env._(
+                    "You are not allowed to modify rules.\n\n"
+                    "This action is restricted for Technical "
+                    "Administrators (Limited)."
+                )
+            )
+
+    @api.model_create_multi
+    def create(self, vals_list):
+        self._check_technical_admin_limited()
+        return super().create(vals_list)
+
+    def write(self, vals):
+        self._check_technical_admin_limited()
+        return super().write(vals)
+
+    def unlink(self):
+        self._check_technical_admin_limited()
+        return super().unlink()

technical_admin_limited/models/res_groups.py

@@ -0,0 +1,30 @@
+from odoo import api, exceptions, models
+
+
+class ResGroups(models.Model):
+    _inherit = "res.groups"
+
+    def _check_technical_admin_limited(self):
+        if self.env.user.has_group(
+            "technical_admin_limited.group_technical_admin_limited"
+        ):
+            raise exceptions.AccessError(
+                self.env._(
+                    "You are not allowed to modify groups.\n\n"
+                    "This action is restricted for Technical "
+                    "Administrators (Limited)."
+                )
+            )
+
+    @api.model_create_multi
+    def create(self, vals_list):
+        self._check_technical_admin_limited()
+        return super().create(vals_list)
+
+    def write(self, vals):
+        self._check_technical_admin_limited()
+        return super().write(vals)
+
+    def unlink(self):
+        self._check_technical_admin_limited()
+        return super().unlink()

technical_admin_limited/models/res_users.py

@@ -0,0 +1,30 @@
+from odoo import api, exceptions, models
+
+
+class ResUsers(models.Model):
+    _inherit = "res.users"
+
+    def _check_technical_admin_limited(self):
+        if self.env.user.has_group(
+            "technical_admin_limited.group_technical_admin_limited"
+        ):
+            raise exceptions.AccessError(
+                self.env._(
+                    "You are not allowed to modify users.\n\n"
+                    "This action is restricted for Technical "
+                    "Administrators (Limited)."
+                )
+            )
+
+    @api.model_create_multi
+    def create(self, vals_list):
+        self._check_technical_admin_limited()
+        return super().create(vals_list)
+
+    def write(self, vals):
+        self._check_technical_admin_limited()
+        return super().write(vals)
+
+    def unlink(self):
+        self._check_technical_admin_limited()
+        return super().unlink()

technical_admin_limited/pyproject.toml

@@ -0,0 +1,3 @@
+[build-system]
+requires = ["whool"]
+build-backend = "whool.buildapi"

technical_admin_limited/readme/CONTRIBUTORS.md

@@ -0,0 +1,3 @@
+* `Escodoo <https://www.escodoo.com.br>`_:
+
+  * Wesley Oliveira <wesley.oliveira@escodoo.com.br>

technical_admin_limited/readme/DESCRIPTION.md

@@ -0,0 +1,2 @@
+This module creates a group to access to technical features
+without access to business or sensitive company data.