
Hello.

In Odoo 16 I have the following (security) problem:


When a user opens the "employee" module, he gets the model hr.employee.public, which is fine.


There is an "organization chart" in the user objects. On mouseover on the employees, the link looks correct (view?model=hr.employee.public&res_id=63). But when the user clicks on someone, he gets to the hr.employee model (web#id=63&cids=1&model=hr.employee&view_type=form).


The form throws an Access Error while accessing:

The requested operation can not be completed due to security restrictions.

Document type: HR Employee (hr.employee)
Operation: read
User: 10
Fields: - message_main_attachment_id (allowed for groups 'Employees / Officer : Manage all employees')


When the user clicks OK, they are taken to the view and see the information in read-only mode. This is not nice, but the "private" and "HR" information is hidden.


BUT: the user can access the chatter in read-only mode and that's not good as long as HR people have to add sensitive information here.


How can I avoid this behavior or set the chat in this model so that it is only read by HR employees?


Thanks & Best regards

Luke
