[IMP] base: ensure public user exists and prevent deletion

shsa-odoo · shsa-odoo · commit ca24c1b57d14 · 2025-11-13T07:30:14.000Z
Steps to Reproduce: 1. Create a database without installing the Website module. 2. Navigate to archived users and delete the "Public User." 3. Attempt to log in to the database from another browser or incognito mode. 4. An internal server error occurs because the public user does not exist, making the login page inaccessible. Issue: Previously, it was possible to delete the public user, leading to an internal server error due to its absence, which prevented public access to the login page. Solution: - Implemented a restriction to prevent the deletion of the public user, similar to portal and default users. - Added a test case to validate this functionality and ensure the public user cannot be deleted. task-4423568 closes odoo#234285 X-original-commit: 0d5cf53 Signed-off-by: Raphael Collet <rco@odoo.com> Signed-off-by: Sanjay Sharma (shsa) <shsa@odoo.com>
diff --git a/odoo/addons/base/models/res_users.py b/odoo/addons/base/models/res_users.py
@@ -649,6 +649,7 @@ def write(self, vals):
     @api.ondelete(at_uninstall=True)
     def _unlink_except_master_data(self):
         portal_user_template = self.env.ref('base.template_portal_user_id', False)
+        public_user = self.env.ref('base.public_user', False)
         if SUPERUSER_ID in self.ids:
             raise UserError(_('You can not remove the admin user as it is used internally for resources created by Odoo (updates, module installation, ...)'))
         user_admin = self.env.ref('base.user_admin', raise_if_not_found=False)
@@ -657,6 +658,8 @@ def _unlink_except_master_data(self):
         self.env.registry.clear_cache()
         if portal_user_template and portal_user_template in self:
             raise UserError(_('Deleting the template users is not allowed. Deleting this profile will compromise critical functionalities.'))
+        if public_user and public_user in self:
+            raise UserError(_("Deleting the public user is not allowed. Deleting this profile will compromise critical functionalities."))
 
     @api.model
     def name_search(self, name='', domain=None, operator='ilike', limit=100):
diff --git a/odoo/addons/base/tests/test_res_users.py b/odoo/addons/base/tests/test_res_users.py
@@ -222,6 +222,19 @@ def test_deactivate_portal_users_archive_and_remove(self):
         self.assertTrue(portal_partner_2.exists(), 'Should have kept the partner')
         self.assertEqual(asked_deletion_2.state, 'fail', 'Should have marked the deletion as failed')
 
+    def test_delete_public_user(self):
+        """Test that the public user cannot be deleted."""
+        public_user = self.env.ref('base.public_user')
+        public_partner = public_user.partner_id
+
+        # Attempt to delete the public user
+        with self.assertRaises(UserError, msg="Public user should not be deletable"):
+            public_user.unlink()
+
+        # Ensure the public user still exists and is inactive
+        self.assertTrue(public_user.exists() and not public_user.active, "Public user should still exist and be inactive")
+        self.assertTrue(public_partner.exists() and not public_partner.active, "Public partner should still exist and be inactive")
+
     def test_user_home_action_restriction(self):
         test_user = new_test_user(self.env, 'hello world')
 
