Skip to content

[19.0][ADD] base_tier_validation: tier.definition.exclude_requester (four-eyes)#43

Open
bosd wants to merge 1 commit into
OCA:19.0from
bosd:19.0-imp-base_tier_validation-four-eyes
Open

[19.0][ADD] base_tier_validation: tier.definition.exclude_requester (four-eyes)#43
bosd wants to merge 1 commit into
OCA:19.0from
bosd:19.0-imp-base_tier_validation-four-eyes

Conversation

@bosd

@bosd bosd commented May 14, 2026

Copy link
Copy Markdown
Contributor

Summary

Solve the much-asked "four-eyes principle" pattern (a co-worker needs to validate, but not me) with a single checkbox on the tier definition, no custom Python required.

[ ] Reviewer must differ from requester

When set, the user who requested the validation is removed from this tier's reviewer pool. Anyone else in the configured group can act; the requester cannot self-validate.

Why this is needed

Currently, when a requester is a member of the configured reviewer group, the auto-validation logic includes them in their own review's reviewer_ids and lets them validate themselves. The only workaround is custom Python on every model. This PR puts the gate on the definition.

How it works

  • New Boolean tier.definition.exclude_requester (default False, backwards compatible).
  • tier.review._get_reviewers post-filters the computed pool by subtracting requested_by when the definition opted in. Applies uniformly across review_type (individual / group / field).
  • _get_reviewer_fields extended so the computed reviewer_ids recomputes when either definition_id.exclude_requester or requested_by changes.
  • Field exposed on the tier definition form under the approve-sequence block.

Edge case worth knowing

For review_type='individual' with the flag set, if the designated reviewer is the requester the pool ends up empty — the workflow surfaces as blocked. That's intentional and signals a misconfiguration. The flag is meaningful for group / field review types.

Tests

  • test_exclude_requester_drops_requester_from_group — flag on, requester is one of N group members. After request_validation, reviewer_ids excludes them; can_review is False for the requester and True for the other group member.
  • test_exclude_requester_off_keeps_legacy_behavior — flag off, requester remains in reviewer_ids and can can_review. Backwards-compatibility check.

Companion PR

This complements #42 (allow_reject for sign-off tiers). Both shape per-tier reviewer behaviour via simple booleans on tier.definition. They can land in either order — no overlap.

@OCA-git-bot

Copy link
Copy Markdown
Contributor

Hi @LoisRForgeFlow,
some modules you are maintaining are being modified, check this out!

@OCA-git-bot OCA-git-bot added mod:base_tier_validation Module base_tier_validation series:19.0 labels May 14, 2026
…r-eyes

Add a per-definition Boolean ``exclude_requester`` that removes the
requester from the tier's reviewer pool. Solves the common
"four-eyes" pattern: anyone in this group can validate, except the
user who requested the validation.

Without this flag, when the requester happens to be a member of the
configured reviewer group (or is the user returned by a reviewer
field) they get included in their own review's ``reviewer_ids`` and
can auto-validate -- defeating the purpose of asking for review.
The current workaround requires custom Python; this PR makes it a
single checkbox on the definition form.

Implementation:

- ``tier.definition.exclude_requester`` Boolean, default ``False``
  (backwards compatible -- existing definitions and tests unchanged).
- ``tier.review._get_reviewers`` post-filter subtracts
  ``requested_by`` when the definition opted in. Applies uniformly
  across ``review_type`` values (individual / group / field).
- ``_get_reviewer_fields`` extended with the new dependency keys so
  the computed ``reviewer_ids`` recomputes when either
  ``definition_id.exclude_requester`` or ``requested_by`` changes.
- Field exposed on the tier definition form view under the
  approve-sequence block.

Tests cover both directions: with the flag set the requester is
excluded and cannot ``can_review``; without it the legacy auto-
include behaviour is preserved.

Notes:

- For ``review_type='individual'`` with the flag on, if the
  designated reviewer *is* the requester the pool ends up empty.
  That's intentional -- the workflow surfaces as blocked, signalling
  a misconfiguration. Combine the flag with ``group`` or ``field``
  for meaningful four-eyes setups.
- This is a per-definition gate. A per-user "courtesy reviewer"
  variant (where only some users in the group can act, others just
  see) remains future work; ``allow_reject`` was the first step in
  that direction.
@bosd bosd force-pushed the 19.0-imp-base_tier_validation-four-eyes branch from 20342cc to 0778937 Compare May 14, 2026 16:23

@Dranyel-Bosd Dranyel-Bosd left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 💯

@OCA-git-bot

Copy link
Copy Markdown
Contributor

This PR has the approved label and has been created more than 5 days ago. It should therefore be ready to merge by a maintainer (or a PSC member if the concerned addon has no declared maintainer). 🤖

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants