Přejít na obsah
You need to be registered to interact with the community.
All Posts Lidé Odznaky
Štítky (View all)
odoo accounting v14 pos v15
O tomto fóru
This question has been flagged
securityv8fieldsorm
1 Odpovědět
6542 Zobrazení
Avatar
Marvin Taboada

Hi, I have been using field level 'read/write' access rights in OpenERP 7.0 (please don't be confused with the 'groups' field attribute) and I know the low level details of what is their effect. Just as a reference, below are links to the 7.0 sources where they are processed in the ORM of v7.0:

* field_object.read (field values are cleared after reading the DB if the user doesn't have read permission)

* field_object.write: (field keys/values are silently removed before writing them to the database if the user doesn't have write permissions)

My problem is that I have not found where field level 'read' (only read) access rights are processed in Odoo 8.0, I have read the new ORM sources and identified the corresponding read method (_read_from_database), but I have not found any chunk of code where field level 'read' access rights are processed. I'm afraid the feature is missing in v8.0.

On the other hand, field level 'write' access rights is correctly processed in the _write method for Odoo 8.0.

Is this a missing feature in Odoo 8.0?

Are field level 'read/write' access rights a feature that is expected to be included in Odoo 8.0?

Thanks in advance for your attention,

Marvin

Avatar
Zrušit
Avatar
Atchuthan - Technical Consultant, Sodexis Inc
Nejlepší odpověď

 

In my opinion, we use check_access_rights method to check whether the access is available for the particular table.
self.check_access_rights(cr, uid, 'read')
fields = self.check_field_access_rights(cr, user, 'read', fields)   

    def check_field_access_rights(self, cr, user, operation, fields, context=None):
        """
        Check the user access rights on the given fields. This raises Access
        Denied if the user does not have the rights. Otherwise it returns the
        fields (as is if the fields is not falsy, or the readable/writable
        fields if fields is falsy).
        """

then using the generated fields list, self._read_flat(cr, user, select, fields, context, load) is called.

So, why do we need to check the access once again after the _read_flat is generated? 

Avatar
Zrušit
Marvin Taboada
Autor

Wrong answer my friend, I already said I'm not talking about the 'field_object.groups' attribute. Please review the implementation of 'check_field_access_rights' at https://github.com/odoo/odoo/blob/7.0/openerp/osv/orm.py#L3646 to verify that it is not related to my question. Thanks anyway for your time.

Related Posts Odpovědi Zobrazení Aktivita
Troubleshooting access denied problems
security v8 orm
Avatar
0
zář 15
3749
Odoo security issue for invisible fields Vyřešeno
security v8 fields invisible
Avatar
Avatar
Avatar
5
lis 15
5176
Is there a way to apply read, write permissions per field? Or turn to read-only based on user groups?
security v8 fields permissions
Avatar
0
bře 15
4246
Field Read-only for certain users (logged-in)
security fields
Avatar
2
srp 20
2927
How to change inherited fields group?
security fields res.users
Avatar
1
lis 24
1026