This question has been flagged
9 Replies
16058 Views
domainruleproject.task
Avatar
Yenthe Van Ginneken (Mainframe Monkey)

Hi guys,

Usually I would work with groups and rules for limiting different things to users but this one is different. I want to be able to influence who can view which project tasks without record rules but depending on what is filled in on a new model. To give you some insight:
I've first created a new model which has a many2one to 'res.users' and a many2many to 'project.task.type'. The code:

 class TaskStateRights(models.Model):
    _name = 'project.task.rights'
    name = fields.Char(
        String='Description'
    )
    username_ids = fields.Many2one(
        'res.users',
        'User'
    )
    project_task_fases = fields.Many2many('project.task.type','project_optional_rel','pr_src_id','pr_dest_id',string='Fases allowed to view', help="All the project task fases you choose here will be viewable by this user.")

I've then created a form and tree view for this new model:

 <!--Apply rights on tasktages -->
        <record id="project_task_rights_tree_view" model="ir.ui.view">
            <field name="name">project.task.rights.tree.view</field>
            <field name="model">project.task.rights</field>
            <field name="type">tree</field>
            <field name="priority" eval="1"/>
            <field name="arch" type="xml">
                <tree string="Taskstage rights">
                    <field name="username_ids"/>
                </tree>
            </field>
        </record>

        <record id="project_task_rights_form_view" model="ir.ui.view">
            <field name="name">project.task.rights.form.view</field>
            <field name="model">project.task.rights</field>
            <field name="type">form</field>
            <field name="priority" eval="1"/>
            <field name="arch" type="xml">
                <form string="Taskstage rights">
                    <group col="2">
                        <field name="username_ids"/>
			<field name="project_task_fases"/>
                    </group>
                </form>
            </field>
        </record>

        <record model="ir.actions.act_window" id="open_view_project_task_rights">
            <field name="name">Project task stage rights</field>
            <field name="res_model">project.task.rights</field>
            <field name="view_type">form</field>
            <field name='view_mode'>tree,form</field>
            <field name='view_id' ref='project_task_rights_tree_view'/>
        </record>

        <menuitem action="open_view_project_task_rights"
                  id="menu_projects_task_rights"
                  name="Project stage rights"
                  parent="project.menu_project_management"
                  sequence="10"/>

So on this new view you can choose an user and then choose project task stages. Depending on what is filled in for this user on the model 'project.task.rights' I want to show/hide different types. For example when we've added a record 'User1' and added the statusses 'Development', 'Testing' then the 'User1' should only be able to see the types 'Development' and 'Testing' on the project task view.

So, what is the best way to handle this?

Thanks,
Yenthe

Avatar
Discard
Prakash

I would like to know the record rule domain [('stage_id','in',(user.stages_ids.ids))] how to make work in Windows Action or Search filter. stages_ids is many2many field contain stage_id and user_id column. Thanks in advance

Avatar
Axel Mendoza
Best Answer

You could develop that checks as a field function of res.users and use that field function in the domain for ir.rule on the project.task model since the user object is available for ir.rule domains. Also if you need you could override _eval_context of the ir.rule to set more values to be available to ir.rule domains based on the uid or any other value searched through the orm or direct sql statements. That's all the options.

The following is an example based on the models that you provide(tested in old and new api and working)


class TaskStateRights(models.Model):
    _name = 'project.task.rights'
    name = fields.Char(
        String='Description'
    )
    username_ids = fields.Many2one(
        'res.users',
        'User'
    )
    project_task_fases = fields.Many2many('project.task.type','project_optional_rel','pr_src_id','pr_dest_id',string='Fases allowed to view', help="All the project task fases you choose here will be viewable by this user.")

    @api.multi
    def write(self, vals):
        self.env['ir.rule'].clear_cache()
        return models.Model.write(self, vals)

    @api.model
    @api.returns('self', lambda value:value.id)
    def create(self, vals):
        self.env['ir.rule'].clear_cache()
        return models.Model.create(self, vals)

    def unlink(self, cr, uid, ids, context=None):
        self.pool.get('ir.rule').clear_cache(cr, uid)
        return models.Model.unlink(self, cr, uid, ids, context=context)


class res_users_rule(models.Model):
    _name = 'res.users'
    _inherit = 'res.users'

    task_rule = fields.Many2many(compute='_task_rule_calc', comodel_name='project.task.type')

    @api.multi
    def _task_rule_calc(self):
        for rec in self:
            right_ids = self.env['project.task.rights'].search([('username_ids','=',rec.id)])
            stage_ids = []
            for right in right_ids:
                for fase in right.project_task_fases:
                    stage_ids.append(fase.id)
            
            rec.task_rule = stage_ids
Avatar
Discard
Yenthe Van Ginneken (Mainframe Monkey)
Author

Hi Axel, could you give me some more of a sample in this case please? I've really never seen anything like this around in Odoo and I'm not quite sure how to proceed with this.. Sorry for asking :)

Axel Mendoza

Of course, let me do an example based on your case and I post it. There is nothing like this used in Odoo but the code that support it is there since 6.1 when I came up to it

Axel Mendoza

The answer is updated with an example and the way of test it

Axel Mendoza

It works or not. A feedback will be appreciated

Yenthe Van Ginneken (Mainframe Monkey)
Author

Hi Axel, I'm sorry for the late response I didn't have access to the PC yesterday afternoon / evening. I do understand the first part and I could add this without any problems (the new class and Python code) but I'm not fully understand what you mean from the domain on. Should I inherit the project task view and add a domain in there somewhere? And all the rest will work of itself or should I also add something manually elsewhere? Could you expand this a bit more in your answer please? I've already upvoted your answer, this is one of the best answers I've seen around on this forum. Many thanks :)

Axel Mendoza

The domain is to create an ir.rule record for the model project.task.type using it as a "Rule Definition (Domain Filter)" for the record rule, You could do it manually by going to the menu at /Settings/Technical/Security/Record Rules. You just need to put a name, the Rule Definition (Domain Filter) and check at least the Apply for Read checkbox to be able to see the difference. After that you can go to the project.task form view with the user that have a project.task.rights setup with less stages allowed to see the difference visible on the status bar, or by going to the project.task.type list view. With the admin user you will see no difference because that user don't use record security rules and see everything.

Yenthe Van Ginneken (Mainframe Monkey)
Author

Alright now I understand what you mean! So the first step is to say what task types the user can access from the view, as I did here: http://i.imgur.com/sQAaaBg.png the second step to create a new record rule under Settings > Technical > Security > Record rules where you define the domain. As you can see here: http://i.imgur.com/OkJDuEO.png when I now go back to project tasks under the admin user everything will be shown, as you said. When I switch to another user however I get in troubles.. It will say me "Field res.users.task_rule is accessed before being computed." as you can see here: http://i.imgur.com/ScKB6dg.png so why am I getting that error? Thanks for your time. I will create a comment on this topic where I will show all code. Give me a few minutes.

Neethu

hiii
I applied this method for lead records but when i create the lead record, its not showing in the user but when i restart the record will be there,how can i get the record based on the creation of the records

Avatar
Yenthe Van Ginneken (Mainframe Monkey)
Author Best Answer

Update for my code.

1) Model:

 class TaskStateRights(models.Model):
    _name = 'project.task.rights'
    name = fields.Char(
        String='Description'
    )
    username_ids = fields.Many2one(
        'res.users',
        'User'
    )
    project_task_fases = fields.Many2many('project.task.type','project_optional_rel','pr_src_id','pr_dest_id',string='Fases allowed to view', help="All the project task fases you choose here will be viewable by this user.")

class res_users_rule(models.Model):
    _name = 'res.users'
    _inherit = 'res.users'

    task_rule = fields.Many2many(compute='_task_rule_calc', comodel_name='project.task.type')

    def _task_rule_calc(self):
        right_ids = self.env['project.task.rights'].search([('username_ids.id','=',self.id)])
        stage_ids = []
        for right in right_ids:
            for fase in right.project_task_fases:
                stage_ids.append(fase.id)
        for rec in self:
            rec.task_rule = stage_ids

Views:

 <!--Apply rights on tasktages -->
        <record id="project_task_rights_tree_view" model="ir.ui.view">
            <field name="name">project.task.rights.tree.view</field>
            <field name="model">project.task.rights</field>
            <field name="type">tree</field>
            <field name="priority" eval="1"/>
            <field name="arch" type="xml">
                <tree string="Taskstage rights">
                    <field name="username_ids"/>
                </tree>
            </field>
        </record>

        <record id="project_task_rights_form_view" model="ir.ui.view">
            <field name="name">project.task.rights.form.view</field>
            <field name="model">project.task.rights</field>
            <field name="type">form</field>
            <field name="priority" eval="1"/>
            <field name="arch" type="xml">
                <form string="Taskstage rights">
                    <group col="2">
                        <field name="username_ids"/>
			<field name="project_task_fases"/>
                    </group>
                </form>
            </field>
        </record>

        <record model="ir.actions.act_window" id="open_view_project_task_rights">
            <field name="name">Project task stage rights</field>
            <field name="res_model">project.task.rights</field>
            <field name="view_type">form</field>
            <field name='view_mode'>tree,form</field>
            <field name='view_id' ref='project_task_rights_tree_view'/>
        </record>

        <menuitem action="open_view_project_task_rights"
                  id="menu_projects_task_rights"
                  name="Project stage rights"
                  parent="project.menu_project_management"
                  sequence="10"/>
    </data>

The access rule (created from settings > technical > security > Record rules):
I've given it a name, gave it all rights, put the object on 'Task Stage (project.task.type) and under 'Rule Definition' I've added the following:

[('id','in', user.task_rule.ids)]

Printscreen can be found here: http://i.imgur.com/PnlX6UF.png

Thanks,
Yenthe

Avatar
Discard
Axel Mendoza

I'm not found anything related in my Odoo source code here, could you be more specific on the error from logs or where is the code that raise that to take a look? maybe on Github?

Axel Mendoza

My Odoo source code is from July 11, seems to not have that bug, it's reported as a issue https://github.com/odoo/odoo/issues/1715. Pedro Baeza suggest in a mail group that it's because none value i'ts set for the field and you could try by setting a default value before the function execution, but seems to be solved in new versions of Odoo. I don't know if your version is stable enough? I made a pull request to solve a huge little bug in the one Im using it that cause the js of modules not get evaluated and I don't now but seems to not pulled or solve it yet

Yenthe Van Ginneken (Mainframe Monkey)
Author

So I could do a simple task_rule = fields.Many2many(default='0',compute='_task_rule_calc', comodel_name='project.task.type') to fix this? Because that doesn't work either.

Axel Mendoza

As I said that it's a bug reported in Odoo, try with an updated Odoo version

Yenthe Van Ginneken (Mainframe Monkey)
Author

@Axel I understand but shouldn't a simple default='0' fix that issue than?

Yenthe Van Ginneken (Mainframe Monkey)
Author

@Axel when I use this on my old dev server I will get this error. When I do all the same on a fresh Odoo (from today) there will be no limitations on any user. They will still see every project task type with all tasks, no matter what is configured.I've published the module on Github so you can see it too: https://github.com/Yenthe666/aa_maatwerk_a3

Axel Mendoza

I cannot reproduce the error, I installed your module in a new database that is basically the same code than mine in a module created for test it before posting. In my Odoo version and in the latest from today works ok, I don't set any defaults, work just with the code I gave to you

Axel Mendoza

The issue that you are facing on the latest version that shows nothing is due to the orm cache use for the ir.rule _compute_domain method, and the steps that you use, I think that you first create the ir.rule record, next you go to see the Task stages and the ir.rule record for that args get evaluated and cached, next you create a project.task.rights for the user and go to see if the stages for the user changes but the domain for that ir.rule is cached and nothing shows new. Something like that happens to you in the latest, if you change the ir.rule for example uncheck all the apply fields and left only read, just to clear the cache of the ir.rule, next go to see stages of the user, you will see the stages that you assigned to him. The solution is something that clear that record cache when the project.task.rights is created or updated

Axel Mendoza

As a way to complete the solution I update my code with cache updates for ir_rule compute domain when: create, write, unlink project.task.rights

Yenthe Van Ginneken (Mainframe Monkey)
Author

@Axel I've tried this too but it doesn't work either. In an old Odoo version I will always get the warning about not being computed and in the newest Odoo code I will get no warnings but nothing is filtered either. I've added your code, create the access rule and set the rights for the user but no succes. Any more ideas? :s

Axel Mendoza

@Yenthe, I create a video showing a working version of what I am testing to be sure that is the same or not that you wanna accomplish. See it here: https://vid.me/8Pmt

Axel Mendoza

I update the method _task_rule_calc to solve a multi recordset issue, just a reorder of the code

Yenthe Van Ginneken (Mainframe Monkey)
Author

@Axel its exactly the same that I want to accomplish, you've understood everything correctly! I've updated my code too for the multi record set. The problem is that this still doesn't work at my side. In an older Odoo 8 I will get the computation error, in the newest Odoo version (from yesterday) I will get to see all stages for any user, even when there is only one stage specified for example. What could I be missing / doing wrong? Everything looks exactly the same at my side. Is there a specific order that matters in the installation/creation proces of the module and its records?

Axel Mendoza

Did you include the methods create, write, unlink that clear the cache? I add those a few days ago, with that methods the order is not important. I test on a latest from a few days ago and working too, the video was captured using that latest from Version: 8.0-20150827. Please update the code example at https://github.com/Yenthe666/aa_maatwerk_a3. That is the code used to test for the video with the changes I update in the answer

Yenthe Van Ginneken (Mainframe Monkey)
Author

@Axel I did include the methods create, write, unlink. I've updated the code which can be found here: https://github.com/Yenthe666/aa_maatwerk_a3/blob/master/aa_maatwerk_a3/models/project_task_model.py

Axel Mendoza

Sorry @Yenthe, My mistake when updating the post, those methods create, write, unlink need to be on the class TaskStateRights. The idea is that always when any of those methods get executed on the TaskStateRights model the ir.rule _compute_domain cache get cleared just like the ir.rule does when it get a change. The good news is that you will be able run it ok, let me update again the post

Yenthe Van Ginneken (Mainframe Monkey)
Author

@Axel no problem such things can happen. I'm more than happy that you're still trying to help me with this! Alright I've updated my code on Github again. I've changed the rule definition too since I saw this has changed from '=' to 'in'. New rule: [('id','in', user.task_rule.ids)] But still when I change with my user I will see all tasks and all stages. I really don't get what is wrong..

Axel Mendoza

Meld show that we are using the same code, no differences, is very strange in my side works but not in yours. I don't imagine what else could be affecting you. You need to debug to see what is happening on your side

Yenthe Van Ginneken (Mainframe Monkey)
Author

@Axel I've given this another dozen of tries with anything I could think of but nothing works. Could you place your module online somewhere? I'll give yours a try and see if that works. Perhaps something else that I have is causing this problem..

Axel Mendoza

The code in github? or the demo running online?

Yenthe Van Ginneken (Mainframe Monkey)
Author

The code, if you want to share it online :)

Axel Mendoza

here is the code, https://github.com/aek/aa_maatwerk_a3, basically is the same as yours, let me create you a demo online

Axel Mendoza

You can access to the installed and working demo at https://yenthe.soltein.org user: admin pass: admin user: demo pass: soltein

Yenthe Van Ginneken (Mainframe Monkey)
Author

@Axel I'm having the exact same behaviour at your end that isn't working either. When I log in with the user demo and click on tasks I will see all stages with all tasks, there are no limitations. Could you give me your email adres? I'll explain things in a mail with images. :)

Axel Mendoza

Then seems to be a browser issue, I test it on the instance that I sent you. I'm using Google Chrome Version 45.0.2454.85 (64-bit). Also tested with Firefox 40.0.3

Axel Mendoza

removed my email since I don't want to be spammed