Odoo is the world's easiest all-in-one management software.
It includes hundreds of business apps:

CRM
e-Commerce
Bogføring
Lager
PoS
Projekt
MRP

All apps

All Posts People Emblemer

Tags (View all)

odoo accounting v14 pos v15

Om dette forum

Hjælp

Separate groups for AR and AP user

security accounting

1 Svar

1143 Visninger

SIA, MILWELL HUI

In Odoo if you are member of any accounting group, you can access both AR and AP records

Using groups in menus can separate access, but this can easily be bypassed by bookmarking the URL like "http://odoo16/web#action=249&model=account.payment&view_type=list&cids=1"

Is there a more secure way of preventing access? I'm thinking of a custom search function. But is there a better way?

SIA, MILWELL HUI

Forfatter

I have found solution by overriding the controller

import logging
from odoo.addons.web.controllers.action import Action
from odoo.exceptions import AccessDenied
from odoo.http import Controller, request, route


_logger = logging.getLogger(__name__)


class SecureAction(Action):

    @route('/web/action/load', type='json', auth="user")
    def load(self, action_id, additional_context=None):
        retval = super().load(action_id, additional_context)
        if 'id' in retval:
            window_action = request.env['ir.actions.act_window'].sudo().browse(retval.get('id'))
            if window_action.allowed_groups_id:
                if not any(allowed_group in request.env.user.groups_id for allowed_group in window_action.allowed_groups_id):
                    raise AccessDenied(
                        '{} ({}) can only be accessed by {}'.format(
                            window_action.display_name,window_action.xml_id,', '.join(window_action.mapped('allowed_groups_id.full_name')))
                    )
        return retval

Also adding special field in Window Action

from odoo import models, fields, api, _
from datetime import datetime, timedelta
import logging

_logger = logging.getLogger(__name__)

class WindowAction(models.Model):
    _inherit = 'ir.actions.act_window'

    allowed_groups_id = fields.Many2many('res.groups',relation="rel_allowed_groups_window_action")

View code

<odoo>
    <record id="view_window_action_form" model="ir.ui.view">
        <field name="inherit_id" ref="base.view_window_action_form"/>
        <field name="model">ir.actions.act_window</field>
        <field name="arch" type="xml">
            <notebook>
                <page name="allowed_groups" string="Allowed Groups">
                    <field name="allowed_groups_id" nolabel="1">
                        <tree editable="bottom">
                            <field name="full_name"/>
                        </tree>
                    </field>
                </page>
            </notebook>
        </field>
    </record>
</odoo>

Anybody else have another idea?

Enjoying the discussion? Don't just read, join in!

Create an account today to enjoy exclusive features and engage with our awesome community!

Tilmeld dig

Related Posts	Besvarelser	Visninger
Can I perform multi-division accounting and security? security salesteams accounting	0 mar. 15	4347
dfgfdgdf fgfgf xcvdf fgdf dsf accounting	0 nov. 25	3
{{GUIA`$Avianca$𓆩×͜×𓆪 𝐏𝐀}}¿Cómo llamar a Avianca desde Panamá? accounting	0 nov. 25	58
Invoice Printing Error in Odoo V19 – GCC/Saudi Localization accounting	1 nov. 25	185
After Odoo 18 to Odoo 19 upgrade - how do I manage Bills for products that already posted to the interim account? - مشكلة بعد الترقية من Odoo 18 إلى Odoo 19. accounting	1 nov. 25	221

Dette spørgsmål er blevet anmeldt

Enjoying the discussion? Don't just read, join in!