[IMP] estate: add security, groups, and access restrictions

Introduce proper security model for estate management:

- Add two groups:
  * Estate Agent: can access and manage their own properties.
  * Estate Manager: inherits Agent, can configure property types/tags.

- Define access rights (ACLs):
  * Agents: can read, create, write their own estate properties.
  * Managers: can read all, and write their own records.

- Add record rules:
  * Agents: only see their own properties or unassigned ones.
  * Managers: read all properties, but only update their own.

- Secure configuration menus:
  * Property types and tags only visible to Managers.
  * Properties menu accessible to Agents and Managers.

- Enforce programmatic security:
  * Use `self.check_access('write')` before creating invoices
    to prevent bypassing ORM rules from Python code.

This ensures:
- Non-agents cannot access estate records.
- Agents cannot interfere with each other’s properties.
- Managers retain global visibility.
- Invoices and other side-effects are resilient to security bypass.

Author: pusu-odoo

estate/__manifest__.py

@@ -1,9 +1,11 @@
 {
     "name": "Real Estate",
     "description": "",
+    "category": "Real Estate/Brokerage",
     "depends": ["base"],
     "sequence": 1,
     "data": [
+        "security/security.xml",
         "security/ir.model.access.csv",
         "data/ir_cron_data.xml",
         "views/estate_property_views.xml",
@@ -13,9 +15,9 @@
         "views/estate_menus.xml",
         "views/res_users_views.xml",
     ],
-    'assets': {
-        'web.assets_backend': [
-            'estate/static/src/css/custom.css',
+    "assets": {
+        "web.assets_backend": [
+            "estate/static/src/css/custom.css",
         ],
     },
     "license": "LGPL-3",

estate/models/estate_property.py

@@ -84,6 +84,12 @@ class EstateProperty(models.Model):
         string="Best Offer",
         compute="_compute_best_price",
     )
+    company_id = fields.Many2one(
+        "res.company",
+        required=True,
+        default=lambda self: self.env.company,
+        string="Agency",
+    )
 
     @api.depends("living_area", "garden_area", "garden")
     def _compute_total_area(self):

estate/security/ir.model.access.csv

@@ -1,5 +1,11 @@
 id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
 access_estate_property,estate.property,model_estate_property,base.group_user,1,1,1,1
-access_estate_property_type,estate.property.type,model_estate_property_type,base.group_user,1,1,1,1
-access_estate_property_tag,estate.property.tag,model_estate_property_tag,base.group_user,1,1,1,1
-access_estate_property_offer,estate.property.offer,model_estate_property_offer,base.group_user,1,1,1,1
+access_estate_property_manager,estate.property.manager,model_estate_property,estate_group_manager,1,1,1,1
+access_estate_property_type_manager,estate.property.type.manager,model_estate_property_type,estate_group_manager,1,1,1,1
+access_estate_property_tag_manager,estate.property.tag.manager,model_estate_property_tag,estate_group_manager,1,1,1,1
+access_estate_property_offer_manager,estate.property.offer.manager,model_estate_property_offer,estate_group_manager,1,1,1,1
+
+access_estate_property_user,estate.property.user,model_estate_property,estate_group_user,1,1,1,0
+access_estate_property_offer_user,estate.property.offer.user,model_estate_property_offer,estate_group_user,1,1,1,0
+access_estate_property_type_user,estate.property.type.user,model_estate_property_type,estate_group_user,1,0,0,0
+access_estate_property_tag_user,estate.property.tag.user,model_estate_property_tag,estate_group_user,1,0,0,0

estate/security/security.xml

@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="utf-8"?>
+<odoo>
+    <record id="estate_group_user" model="res.groups">
+        <field name="name">Agent</field>
+        <field name="category_id" ref="base.module_category_real_estate_brokerage"/>
+    </record>
+
+    <record id="estate_group_manager" model="res.groups">
+        <field name="name">Manager</field>
+        <field name="category_id" ref="base.module_category_real_estate_brokerage"/>
+        <field name="implied_ids" eval="[(4, ref('estate_group_user'))]"/>
+    </record>
+
+    <data noupdate="1">
+        <record id="estate_property_speicific_user" model="ir.rule">
+            <field name="name">Estate property view to specific user</field>
+            <field name="model_id" ref="model_estate_property"/>
+            <field name="perm_read" eval="True"/>
+            <field name="perm_write" eval="True"/>
+            <field name="groups" eval="[Command.link(ref('estate.estate_group_user'))]"/>
+            <field name="domain_force">['|', ('salesman_id', '=', user.id),('salesman_id', '=', False)]</field>
+        </record>
+
+        <record id="estate_property_specific_manager" model="ir.rule">
+            <field name="name">Estate property view to specific manager</field>
+            <field name="model_id" ref="model_estate_property"/>
+            <field name="groups" eval="[Command.link(ref('estate.estate_group_manager'))]"/>
+            <field name="perm_read" eval="True"/>
+        </record>
+
+        <record id="estate_property_company_rule" model="ir.rule">
+            <field name="name">Estate Property Multi-Company Rule</field>
+            <field name="model_id" ref="model_estate_property"/>
+            <field name="global" eval="True"/>
+            <field name="domain_force">['|', ('company_id', '=', False),('company_id', 'in', company_ids)]</field>
+        </record>     
+    </data>
+</odoo>

estate/views/estate_menus.xml

@@ -5,7 +5,7 @@
         <menuitem id="estate_menu_properties" name="Advertisements">
             <menuitem id="estate_property_menu_action" action="estate_property_action"/>
         </menuitem>
-        <menuitem id="estate_menu_property_types" name="Settings">
+        <menuitem id="estate_menu_property_types" name="Settings" groups="estate_group_manager">
             <menuitem id="estate_property_type_menu_action" action="estate_property_type_action"/>
             <menuitem id="estate_property_tag_menu_action" action="estate_property_tag_action"/>
         </menuitem>

estate_account/models/estate_property.py

@@ -1,10 +1,17 @@
 from odoo import models, fields, Command
+from odoo.exceptions import AccessError
 
 
 class EstateProperty(models.Model):
     _inherit = "estate.property"
 
     def action_set_sold(self):
+
+        try:
+            self.check_access("write")
+        except AccessError:
+            raise AccessError("You are not allowed to sell this property. Contact your manager.")
+        
         self.env["account.move"].sudo().create(
             {
                 "partner_id": self.buyer_id.id,