The current implementation defaults to the "read" mode when checking access permissions, which inadvertently grants users access to write, create, and unlink operations if they already have read access.
```python
@api.model
def check(self, model, mode='read', raise_exception=True):
    """Overrides the default check method to allow
    only read access to the user."""
    model_name = ['res.users.log', 'mail.channel', 'mail.alias',
                  'bus.presence', 'res.lang',
                  'mail.channel.member']
    res = super().check(model, mode, raise_exception=raise_exception)
    if self.env.user.has_group('odoo_readonly_user.group_users_readonly') \
            and model not in model_name and mode in (
            'write', 'create', 'unlink'):
        return False
    return res
```
https://github.com/CybroOdoo/CybroAddons/blame/29df15e9050eeeb889bc234884eb8a11a3e7a23a/odoo_readonly_user/models/ir_model_access.py#L30-L42
Suggested code:
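
The following stand-alone sketch is an added example: it is not the module's code and not the issue author's suggested code. It models the override quoted above without Odoo, under the assumption that callers invoke `check()` with `raise_exception=True` and do not inspect its return value; `BaseAccess`, `RaisingOverride`, `guarded_write` and `attempt` are hypothetical names, and `AccessError` is a local stand-in.

```python
class AccessError(Exception):
    """Local stand-in for an access-denied exception (constructed for this example)."""

WRITE_MODES = ('write', 'create', 'unlink')
EXEMPT_MODELS = {'res.users.log', 'mail.channel', 'mail.alias',
                 'bus.presence', 'res.lang', 'mail.channel.member'}

class BaseAccess:
    """Stub parent: the regular ACLs allow this user every operation."""
    def __init__(self, readonly_user):
        self.readonly_user = readonly_user  # stands in for the has_group() test

    def check(self, model, mode='read', raise_exception=True):
        return True

class PageOverride(BaseAccess):
    """Same decision logic as the override quoted on the page."""
    def check(self, model, mode='read', raise_exception=True):
        res = super().check(model, mode, raise_exception=raise_exception)
        if self.readonly_user and model not in EXEMPT_MODELS \
                and mode in WRITE_MODES:
            return False  # signals denial only through the return value
        return res

class RaisingOverride(BaseAccess):
    """Hardened variant (assumption): deny by raising when the caller asks for it."""
    def check(self, model, mode='read', raise_exception=True):
        if self.readonly_user and model not in EXEMPT_MODELS \
                and mode in WRITE_MODES:
            if raise_exception:
                raise AccessError(f"read-only user: {mode} on {model} denied")
            return False
        return super().check(model, mode, raise_exception=raise_exception)

def guarded_write(access, model):
    """Hypothetical caller that relies on check() raising on denial."""
    access.check(model, 'write')  # return value not inspected (assumption)
    return 'written'

def attempt(access, model):
    """Return 'written' or 'denied' for a write attempt on the given model."""
    try:
        return guarded_write(access, model)
    except AccessError:
        return 'denied'
```

With a read-only user, `attempt(PageOverride(True), 'res.partner')` returns `'written'`, while the raising variant returns `'denied'` and still lets the exempt models through.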