Siirry sisältöön
Sinun on rekisteröidyttävä, jotta voit olla vuorovaikutuksessa yhteisön kanssa.
Kaikki kirjoitukset Ihmiset Merkit
Tunnisteet (Näytä kaikki)
odoo accounting v14 pos v15
Tietoa tästä foorumista
Tämä kysymys on merkitty
2 Vastaukset
1047 Näkymät
Avatar
P

Hi everyone,

I’ve encountered a potential permission issue in a fresh installation of Odoo 17 (Community Edition). I created a demo user and assigned them only the Inventory > User access level (not Administrator). However, when logged in as this user, they are still able to:

  • View and edit Operation Types (e.g., Receipts, Internal Transfers, etc.)
  • Access stock.picking.type records as a manager (Inventory / Administrator level)

From what I understand, modifying Operation Types should only be possible for users with Inventory > Administrator rights.

I’ve double-checked that the user is not in the Administrator group or granted any extra permissions beyond Inventory > User.

Has anyone else run into this issue? In picture you can see demo user with Inventory->User permission, but he still hets Inventory->Administrator event tho he is not it that group. Please help me explain why this is happening.

Thanks in advance!

Avatar
Hylkää
P
Tekijä

I made video, showing how in clean install odoo17 this happends:


Anyone have any ideas what is going on? Even tho user demo is not in Inventory/Administrator group, it has access to stock.picking.type manager

P
Tekijä

https://youtu.be/0K1KiTlqrCk

Chris TRINGHAM

This does seem strange but it's hard to check from the video - we can see that the user should not be able to get access, but cannot see that they are able to get access to update Operation Types. The other missing part is to check the detailed setup of the user access groups in case something has been changed there.

P
Tekijä

Access right that users get's permits all access to Picking type, so he can modify all  picking time records. Question, why user get's that permission. Even tho he is not it group, that has that permission. 


Christoph Farnleitner

Unless I've misunderstood your case - I can't reproduce it in https://runbot.odoo.com (user 'demo' / password 'demo' has 'Inventory: User permission' and can't see the Inventory Configuration in menu. If the link to the Configuration page of Operation Types is known to the user s/he can see it, but still can't edit it).

Avatar
Cybrosys Techno Solutions Pvt.Ltd
Paras vastaus

Hi,


If you want to restrict Operation Types so only Administrators can change them:

    Override the ACL for stock.picking.type:

        Create a custom module with an updated ir.model.access.csv that:

            Removes write/create/delete for stock.group_stock_user.

            Grants full access only to stock.group_stock_manager.

            Eg:

         id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink

            access_stock_picking_type_user,stock.picking.type user,model_stock_picking_type,stock.group_stock_user,1,0,0,0

            access_stock_picking_type_manager,stock.picking.type manager,model_stock_picking_type,stock.group_stock_manager,1,1,1,1

    Reload your module, update security, and the user will only be able to view operation types (no editing).

What you’re seeing is not a bug, but the default Access rights in Odoo 17 Community: Inventory Users are given full access to stock.picking.type. That’s why your demo user appears to have “Administrator-like” access for operation types. If you need stricter control, you’ll need to override the access rules by creating a small custom security module.


Hope it helps

Avatar
Hylkää
Avatar
D Enterprise
Paras vastaus

hii,

I suggest you check whether the user is also part of another group that has been given the permission, even if you have not granted the permission directly to that user — they might still be able to perform operations like edit.

Avatar
Hylkää