Přejít na obsah
You need to be registered to interact with the community.
All Posts Lidé Odznaky
Štítky (View all)
odoo accounting v14 pos v15
O tomto fóru
This question has been flagged
securityfieldsusersgroupaccessrights
1 Odpovědět
10679 Zobrazení
Avatar
Bienvenido Villabroza

I am using Odoo 13 and I need to set field level access rights on the object level.

I have a Driver group and a Car object.

The Car object has three attributes: door_number, tire_brand, and bank_id.
I need the following:

1) door_number to be read only

2) tire_brand to be read and write only

3) band_id to be inaccessible to the Driver group.


I know I can edit the view as seen here: https://www.odoo.com/forum/help-1/question/how-to-apply-field-level-access-rights-for-user-19481
This would make the appropriate changes on the view level but the object access rights will not be affected. That would be a security risk.

I also know that I can set the accessible fields on the model itself as seen here: https://www.odoo.com/documentation/13.0/reference/security.html#field-access

However, that would take away both the read and write access rights of all groups unstated in the groups attribute. That will make my previously stated "1) door_number to be read only" impossible to do.

Is there a way to achieve my needs using Odoo 13? I need field level access rights.


Avatar
Zrušit
Avatar
Ray Carnes (ray)
Nejlepší odpověď

Did you try adding base.group_user to the groups attribute for each field that you want to be accessed by Internal Users (everyone)?

Every internal user is a member.

Then, set your read-only fields and add other groups where you only want specific groups to have access.

Avatar
Zrušit
Bienvenido Villabroza
Autor

I have not tried doing that. I was not aware that was an option. Thank you for sharing. However, what do you mean by "set your read-only fields?" Do you mean set them from my views? I would like the field (not just the form) to be secure from unauthorized access.

Ray Carnes (ray)

I mean use the READONLY (or STATES) attribute at the field level.

Bienvenido Villabroza
Autor

According to the documentation, "this only has an impact on the UI." https://www.odoo.com/documentation/13.0/reference/orm.html#fields

Is there a way of securing the system in the database level (not just the form level).

Ray Carnes (ray)

The documentation is meaning to convey that users have no way to set values for these fields directly (even by importing) but the API can still be used to give them a value - programatically. Odoo users don't have direct access to PostgreSQL. You only have to control database level access for users YOU give access to the database. If you mean the Odoo business object level, then GROUPS (which can be assigned at the field level) provide what you ask. See the "FIELD ACCESS" section of https://www.odoo.com/documentation/13.0/reference/security.html

Bienvenido Villabroza
Autor

You said that "the API can still be used to give them a value - programatically." I thought anyone can access the API? Or do they have to be a PostgreSQL user?

Also, for the link you sent, the documentation says "attempts to (explicitly) read from or write to restricted fields results in an access error." I can't distinguish from read and write with the groups attribute. I need that distinction.

Related Posts Odpovědi Zobrazení Aktivita
Keep Getting "The user cannot have more than one user types." Vyřešeno
security users group
Avatar
1
lis 21
6675
How to hide field from the specific user Vyřešeno
security fields hide group odoo12.0
Avatar
Avatar
1
úno 21
12997
Cannot save the custom group for users in user access rights in Odoo 13 Vyřešeno
security users group record_rules Odoo13.0
Avatar
Avatar
1
pro 19
4554
How to identify which access should give to the specific user as per below error?
security users operation odoo10 accessrights
Avatar
Avatar
1
srp 17
4717
Users & Group
users group
Avatar
Avatar
2
zář 22
4758