This question has been flagged
1 Reply
5329 Views
securityv8fieldsorm
Avatar
Marvin Taboada

Hi, I have been using field level 'read/write' access rights in OpenERP 7.0 (please don't be confused with the 'groups' field attribute) and I know the low level details of what is their effect. Just as a reference, below are links to the 7.0 sources where they are processed in the ORM of v7.0:

* field_object.read (field values are cleared after reading the DB if the user doesn't have read permission)

* field_object.write: (field keys/values are silently removed before writing them to the database if the user doesn't have write permissions)

My problem is that I have not found where field level 'read' (only read) access rights are processed in Odoo 8.0, I have read the new ORM sources and identified the corresponding read method (_read_from_database), but I have not found any chunk of code where field level 'read' access rights are processed. I'm afraid the feature is missing in v8.0.

On the other hand, field level 'write' access rights is correctly processed in the _write method for Odoo 8.0.

Is this a missing feature in Odoo 8.0?

Are field level 'read/write' access rights a feature that is expected to be included in Odoo 8.0?

Thanks in advance for your attention,

Marvin

Avatar
Discard
Avatar
Atchuthan - Technical Consultant, Sodexis Inc
Best Answer

 

In my opinion, we use check_access_rights method to check whether the access is available for the particular table.
self.check_access_rights(cr, uid, 'read')
fields = self.check_field_access_rights(cr, user, 'read', fields)   

    def check_field_access_rights(self, cr, user, operation, fields, context=None):
        """
        Check the user access rights on the given fields. This raises Access
        Denied if the user does not have the rights. Otherwise it returns the
        fields (as is if the fields is not falsy, or the readable/writable
        fields if fields is falsy).
        """

then using the generated fields list, self._read_flat(cr, user, select, fields, context, load) is called.

So, why do we need to check the access once again after the _read_flat is generated? 

Avatar
Discard
Marvin Taboada
Author

Wrong answer my friend, I already said I'm not talking about the 'field_object.groups' attribute. Please review the implementation of 'check_field_access_rights' at https://github.com/odoo/odoo/blob/7.0/openerp/osv/orm.py#L3646 to verify that it is not related to my question. Thanks anyway for your time.