Hello,

I have 3 group roles: user, manager and logist. And need that user and manager on states 'approved', and 'to_approve_second' do not have write right.

all the users have write right and there are ir.rules:

<record id="purchase_request_followers_rule" model="ir.rule">

        <field name="name">Follow Purchase Request</field>

        <field name="model_id" ref="model_purchase_request"/>

        <field name="groups" eval="[(6,0, [ref('group_purchase_request_user')])]"/>

        <field name="perm_read" eval="True"/>

        <field name="perm_write" eval="False"/>

        <field name="perm_create" eval="False"/>

        <field name="perm_unlink" eval="False"/>

        <field name="domain_force">['|',('requested_by','=',user.id),

                                        ('message_partner_ids', 'in', [user.partner_id.id])]</field>

    </record>

    <record id="purchase_request_rule" model="ir.rule">

        <field name="name">Purchase Request User</field>

        <field name="model_id" ref="model_purchase_request"/>

        <field name="groups" eval="[(6,0, [ref('group_purchase_request_user')])]"/>

        <field name="perm_read" eval="True"/>

        <field name="perm_write" eval="True"/>

        <field name="perm_create" eval="True"/>

        <field name="perm_unlink" eval="True"/>

        <field name="domain_force">[('requested_by','=',user.id)]</field>

    </record>

    <record id="purchase_request_manager_rule" model="ir.rule">

        <field name="name">Purchase Request Manager</field>

        <field name="model_id" ref="model_purchase_request"/>

        <field name="groups" eval="[(6,0, [ref('group_purchase_request_manager')])]"/>

        <field name="perm_read" eval="True"/>

        <field name="perm_write" eval="True"/>

        <field name="perm_create" eval="True"/>

        <field name="perm_unlink" eval="True"/>

    </record>

I tried to add:

<record id="purchase_request_user_access" model="ir.rule">

        <field name="name">Purchase Request User Rule</field>

        <field name="model_id" ref="model_purchase_request"/>

        <field name="groups" eval="[(6,0, [ref('group_purchase_request_user')])]"/>

        <field name="perm_read" eval="True"/>

        <field name="perm_write" eval="False"/>

        <field name="perm_create" eval="False"/>

        <field name="perm_unlink" eval="False"/>

        <field name="domain_force">[('state','in',('approved', 'to_approve_second'))]</field>

    </record>

<record id="purchase_request_manager_access" model="ir.rule">

        <field name="name">Purchase Request Manager Rule</field>

        <field name="model_id" ref="model_purchase_request"/>

        <field name="groups" eval="[(6,0, [ref('group_purchase_request_manager')])]"/>

        <field name="perm_read" eval="True"/>

        <field name="perm_write" eval="False"/>

        <field name="perm_create" eval="False"/>

        <field name="perm_unlink" eval="False"/>

        <field name="domain_force">[('state','in',('approved', 'to_approve_second'))]</field>

    </record>

But nothing happens. User and manager can edit the document on  'approved' and 'to_approve_second' states.
What can be wrong?