I am currently super confused when handling the permissions for the project module.
At first, some questions:
1. Can Record Rules override Access Rules?
2. Are Record Rules only used to filter some visible data?
3. Can Record Rules be used to reduce or increase the permissions? or even both?
4. Is there any domain operand to check whether a list contains an element? (like the opposite of 'in'; e.g. ('member_ids', 'contain', user.id))
What I am trying to do is the following:
My Project module has three groups: User, Accountant, Manager. At the moment, I am only working on the User group. The project itself has a member list (many2many) and an assigned manager.
I want the permissions set up this way: all members of the Project/User group can only see (read) the projects in which they are a member. Further, I want all members of the Project/User group that are manager of a project to be able to read and edit (write) their own projects.
What I have tried so far:
Using an access rule to give the Project/User group read and write access.
Creating the following record rules:
<record model="ir.rule" id="project_project_user_rule">
    <field name="name">Project: User is Member</field>
    <field name="model_id" ref="model_project_project"></field>
    <field name="groups" eval="[(4,ref('project.group_project_user'))]"></field>
    <field name="domain_force">[('member_ids', 'in', user.employee_ids[0].id)]</field>
    <field eval="1" name="perm_read"></field>
    <field eval="0" name="perm_write"></field>
    <field eval="0" name="perm_unlink"></field>
    <field eval="0" name="perm_create"></field>
</record>
<record model="ir.rule" id="project_project_user_manager_rule">
    <field name="name">Project: User is Manager</field>
    <field name="model_id" ref="model_project_project"></field>
    <field name="groups" eval="[(4,ref('project.group_project_user'))]"></field>
    <field name="domain_force">[('manager_id', '=', user.employee_ids[0].id)]</field>
    <field eval="1" name="perm_write"></field>
    <field eval="1" name="perm_read"></field>
    <field eval="0" name="perm_unlink"></field>
    <field eval="0" name="perm_create"></field>
</record>
The result is somehow mysterious to me.
The project list view shows only the projects in which the current user is member or manager (that's what I want!).
Projects in which the user is manager are accessible and editable (that's what I want too!).
Projects in which the user is member are not accessible (Access denied error). (That's not what I want, and confusing, since the record rule domain seems to work in the list view.)
EDIT: Gathering more information, I've tried the following domains:
[('member_ids', '=', user.employee_ids[0].id)]
[('member_ids.user_id', '=', user.id)]
But for both, the issue remains the same.
ACL in Odoo: https://goo.gl/4jAhtH
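Questions 1 to 3 above are about how ir.model.access (ACL) and ir.rule (record rules) combine. The documented semantics are: the ACL grants per-model CRUD and is additive across a user's groups; record rules can only narrow what the ACL grants, never widen it; for a given operation, global rules (no group) are all AND-ed, group rules are OR-ed among themselves and the two results are AND-ed; a user whose groups match no rule at all sees every record. Question 4 is answered by the 'in' operator itself: on an x2many field, ('member_ids', 'in', [emp_id]) matches records whose relation contains any of the listed ids. The following Python model of those combination semantics is an added illustration, not Odoo's own code, and the ACL, users, projects and the extra global "active only" rule are constructed sample data; the lambdas stand in for the domain_force expressions of the two rules in the post.

```python
"""Simplified model of how Odoo combines ir.model.access (ACL) and ir.rule
(record rules).  Added illustration, not Odoo's own code: the ACL, groups,
projects and users below are constructed sample data."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Iterable, List

OPERATIONS = ("read", "write", "create", "unlink")


@dataclass(frozen=True)
class User:
    id: int
    employee_id: int          # stands in for user.employee_ids[0].id
    groups: FrozenSet[str]


@dataclass(frozen=True)
class Project:
    id: int
    name: str
    manager_id: int
    member_ids: FrozenSet[int]
    active: bool = True


@dataclass(frozen=True)
class Rule:
    name: str
    groups: FrozenSet[str]                    # empty set => global rule
    perms: FrozenSet[str]                     # perm_read/perm_write/... set to 1
    domain: Callable[[User, Project], bool]   # stands in for domain_force


# ir.model.access: per-model CRUD grants per group (constructed sample ACL)
ACL = {
    "project.group_project_user": frozenset({"read", "write"}),
    "project.group_project_accountant": frozenset({"read"}),
}

# The two rules from the post, plus a constructed global "active only" rule.
RULES = [
    Rule("Project: User is Member",
         frozenset({"project.group_project_user"}),
         frozenset({"read"}),
         lambda u, p: u.employee_id in p.member_ids),    # ('member_ids', 'in', [emp])
    Rule("Project: User is Manager",
         frozenset({"project.group_project_user"}),
         frozenset({"read", "write"}),
         lambda u, p: p.manager_id == u.employee_id),    # ('manager_id', '=', emp)
    Rule("Project: active only (constructed global rule)",
         frozenset(),
         frozenset(OPERATIONS),
         lambda u, p: p.active),                         # ('active', '=', True)
]


def acl_allows(user: User, operation: str) -> bool:
    """ir.model.access is additive: any of the user's groups may grant it."""
    return any(operation in ACL.get(g, frozenset()) for g in user.groups)


def rule_allows(user: User, project: Project, operation: str) -> bool:
    """Global rules are AND-ed; group rules are OR-ed among themselves and
    then AND-ed with the global result.  No applicable group rule => no
    narrowing for this user."""
    applicable = [r for r in RULES if operation in r.perms]
    global_rules = [r for r in applicable if not r.groups]
    group_rules = [r for r in applicable if r.groups & user.groups]
    global_ok = all(r.domain(user, project) for r in global_rules)
    group_ok = any(r.domain(user, project) for r in group_rules) if group_rules else True
    return global_ok and group_ok


def can(user: User, project: Project, operation: str) -> bool:
    """Record rules only narrow what the ACL already grants."""
    return acl_allows(user, operation) and rule_allows(user, project, operation)


def accessible(user: User, projects: Iterable[Project], operation: str) -> List[str]:
    """Names of the projects the user may perform `operation` on."""
    return sorted(p.name for p in projects if can(user, p, operation))


# Constructed sample records: employee 10 manages P1 and P4, is a member of P2.
PROJECTS = [
    Project(1, "P1", manager_id=10, member_ids=frozenset({20})),
    Project(2, "P2", manager_id=20, member_ids=frozenset({10, 30})),
    Project(3, "P3", manager_id=30, member_ids=frozenset({30})),
    Project(4, "P4", manager_id=10, member_ids=frozenset({10}), active=False),
]
ALICE = User(1, employee_id=10, groups=frozenset({"project.group_project_user"}))
BOB = User(2, employee_id=20, groups=frozenset({"project.group_project_accountant"}))

if __name__ == "__main__":
    for op in ("read", "write"):
        print("alice", op, accessible(ALICE, PROJECTS, op))   # read: P1, P2; write: P1
        print("bob", op, accessible(BOB, PROJECTS, op))       # read: P1, P2, P3; write: none
```

With this model the member rule and the manager rule are OR-ed for read (Alice sees P1 and P2), only the manager rule carries perm_write (Alice edits only P1), the global rule subtracts the archived P4 for everyone, and Bob, whose group has no rule of its own, reads every active project but cannot write because his ACL never granted write. Note that a rule with a given perm flag set to 0 simply does not participate in that operation; it does not deny it.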