You can accomplish this by inheriting the write() function of the publication model. Give everyone write access initially, then restrict it back down if they're not the creator or in the management group. I'll assume your module is called "publication_module" and the publications model itself is named "my.publication".
First, you'll need a management group defined:
<record id="group_publication_manager" model="res.groups">
<field name="name">Publication Manager</field>
<field name="users" eval="[(4, ref('base.user_root'))]"/>
</record>
By default, I'm assuming that the built-in "admin" user (uid=1) is a Publication Manager.
Your ir.model.access.csv file would include lines for model_my_publication for general users and for managers:
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
security_publication_user,security.publication.user,model_my_publication,base.group_user,1,1,1,0
security_publication_manager,security.publication.manager,model_my_publication,publication_module.group_publication_manager,1,1,1,1
Finally, the inherited write() function. If the user isn't a member of the management group, check if there are any records among the ones they're attempting to edit that were created by a different user, and raise an error if any are found:
def write(self, cr, uid, ids, values, context=None):
"""User must be a member of the management group or the creator of the publication to edit it"""
if context is None: context = {}
if not self.pool['res.users'].has_group(cr, uid, 'publication_module.group_publication_manager'):
# Find any instances of the current user not being the creator of the given ids
cr.execute("""select 1
from my_publication
where id in %s and create_uid <> %s""", (tuple(ids), uid,))
if bool(cr.fetchone()):
raise orm.except_orm("Error", "You can only edit your own publications!")
return super(my_publication, self).write(cr, uid, ids, values, context=context)
