
Hi together,


Today I realized that Odoo 12 (and I think the newer versions also) does not save the data as it should:

The account.invoice model has a state and defines the "readonly=True" flag as default, and it only sets it to False in the draft state.

BUT: You can still change the account.invoice.line after the account.invoice state is 'done' (for example, in a self.env['account.invoice.line'].write() call, or if you make a new view that is directly on account.invoice.line).

So I am wondering about it, because if the system does not prevent the change, Odoo is not compliant in all western markets. Currently only the GUI logic prevents saving an already done invoice (if you go through account.invoice directly), but if you use the xmlrpc API or you have a server.action that addresses it directly, there is no prevention!

Am I doing something wrong? Or is it right that this is still possible?

Author Best Answer

In my understanding of an ERP system (which also relies on an app store with third-party extensions), it is irresponsible and not guaranteed that, e.g., an extension or someone who simply makes a change via API access is able to make a change. This would mean that Odoo would treat the invoices like a simple database table and pass the responsibility 100% to the user instead of intercepting these essential, important things in the standard. However, in many countries the requirement of correct accounting (unchangeability, storage obligation, etc.) must be implemented, otherwise the system may not be used for theoretical reasons alone.

Best Answer

Hi there

All of that is right but not necessarily wrong, since there are scenarios where the state of a document needs to be reverted to draft or cancelled in order to make changes and modify the document. There are some other scenarios where there are checks and constraints in place to prevent modification of the records in some states. Odoo is an extensible platform that provides the basis so you could provide extensions to reach your clients' goals and requirements. It seems that you are the one who wants to manually make modifications to the records with your own code, and you are allowed to do it. Also, you could do it with direct SQL queries in Odoo or directly in Postgres, so what's the big deal?

It's not an issue by itself, but if it's an issue for you, you could create some constraints, write and unlink checks, security rules, SQL locks, SQL triggers, SQL constraints...

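One way to enforce the lock below the ORM, following the SQL trigger option mentioned in the answer above. This is an added example, not code from Odoo or from either poster. It assumes Odoo 12's default PostgreSQL tables `account_invoice` (with `state`) and `account_invoice_line` (with `invoice_id`), treats every state other than `draft` as locked, and uses hypothetical function and trigger names.

```sql
-- Added example (assumptions: default Odoo 12 table names; any state
-- other than 'draft' counts as locked; all object names are hypothetical).

-- True when the invoice exists and has left the draft state.
CREATE OR REPLACE FUNCTION invoice_is_locked(inv_id integer)
RETURNS boolean AS $$
    SELECT EXISTS (
        SELECT 1 FROM account_invoice
        WHERE id = inv_id AND state <> 'draft'
    );
$$ LANGUAGE sql STABLE;

CREATE OR REPLACE FUNCTION account_invoice_line_guard()
RETURNS trigger AS $$
BEGIN
    -- UPDATE and DELETE: the line's current invoice must still be a draft.
    -- Nested IFs keep OLD/NEW from being touched in operations that lack them.
    IF TG_OP <> 'INSERT' THEN
        IF invoice_is_locked(OLD.invoice_id) THEN
            RAISE EXCEPTION 'invoice % is not in draft: line % is read-only',
                OLD.invoice_id, OLD.id
                USING ERRCODE = 'check_violation';
        END IF;
    END IF;

    -- INSERT and UPDATE: a line may not be added or moved to a locked invoice.
    IF TG_OP <> 'DELETE' THEN
        IF invoice_is_locked(NEW.invoice_id) THEN
            RAISE EXCEPTION 'invoice % is not in draft: cannot attach a line',
                NEW.invoice_id
                USING ERRCODE = 'check_violation';
        END IF;
        RETURN NEW;
    END IF;

    RETURN OLD;  -- DELETE on a draft invoice is allowed
END;
$$ LANGUAGE plpgsql;

DROP TRIGGER IF EXISTS account_invoice_line_guard_trg ON account_invoice_line;
CREATE TRIGGER account_invoice_line_guard_trg
    BEFORE INSERT OR UPDATE OR DELETE ON account_invoice_line
    FOR EACH ROW EXECUTE PROCEDURE account_invoice_line_guard();
```

Because the check runs in the database, it applies equally to the form view, `write()` calls, XML-RPC and server actions; a role that owns the table can still disable or drop the trigger. It blocks every column update on locked lines, so try it on a copy of the database first in case a standard workflow rewrites lines after validation.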