Odoo Help

1

How to use access rights and record rules?

By René Schuster on 1/7/14, 7:26 AM, 11,022 views

I am currently super confused when handling the permissions for the project module.

At first, some questions:
1. Can Record Rules override Access Rules?
2. Are Record Rules only used to filter some visible data?
3. Can Record Rules be used to reduce or increase the permissions? Or even both?
4. Is there any domain operand to check whether a list contains an element? (like the opposite of 'in'; e.g. ('member_ids', 'contain', user.id))

What I am trying to do is the following:
My Project module has three groups: User, Accountant, Manager. At the moment, I am only working on the User group. The project itself has a member list (many2many) and an assigned manager.
I want the permissions set up so that all members of the Project/User group can only see (read) the projects in which they are a member. Further, I want all members of the Project/User group who are manager of a project to be able to read and edit (write) their own projects.

What I have tried so far:
Using an access rule to give the Project/User group read and write access. Creating the following record rules:

    <record model="ir.rule" id="project_project_user_rule">
        <field name="name">Project: User is Member</field>
        <field name="model_id" ref="model_project_project"></field>
        <field name="groups" eval="[(4,ref('project.group_project_user'))]"></field>
        <field name="domain_force">[('member_ids', 'in', user.employee_ids[0].id)]</field>
        <field eval="1" name="perm_read"></field>
        <field eval="0" name="perm_write"></field>
        <field eval="0" name="perm_unlink"></field>
        <field eval="0" name="perm_create"></field>
    </record>

    <record model="ir.rule" id="project_project_user_manager_rule">
        <field name="name">Project: User is Manager</field>
        <field name="model_id" ref="model_project_project"></field>
        <field name="groups" eval="[(4,ref('project.group_project_user'))]"></field>
        <field name="domain_force">[('manager_id', '=', user.employee_ids[0].id)]</field>
        <field eval="1" name="perm_write"></field>
        <field eval="1" name="perm_read"></field>
        <field eval="0" name="perm_unlink"></field>
        <field eval="0" name="perm_create"></field>
    </record>

The result is somehow mysterious to me.
The project list view shows only the projects in which the current user is member or manager (that's what I want!).
Projects in which the user is manager are accessible and editable (that's what I want too!).
Projects in which the user is member are not accessible (Access denied error). (That's not what I want, and confusing, since the record rule domain seems to work in the list view.)

EDIT: Gathering more information, I've tried the following domains:

             [('member_ids', '=', user.employee_ids[0].id)]
             [('member_ids.user_id', '=', user.id)]

But for both, the issue remains the same.

3
Mind And Go
On 5/14/14, 4:56 PM

Hi,

  1. Access rules are per-model access rules and record rules are per-record rules, so they can't override the first rule.
  2. I think so.
  3. Indirectly it could, as you could allow people to see data that is not natively supposed to be displayed. It's a kind of reduce/increase permission.
  4. There is no such inverse operand, but solutions exist; check below.

Multiple answers for your access rights:

  1. For letting the managers read their own projects, a simple
    [('user_id','=', user.id)]
    should help, because project inherits from account.analytic.account and the project manager is the analytic one.
  2. For the many2many field, maybe you could try something like this: create another many2many field in the res.users object, call it projects_ids, and then you'll be able to do something like this:
    [('id','in', [ p.id for p in user.projects_ids ])]

Hope it could help
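
As an added illustration (not part of the original posts, and not Odoo source code), the sketch below models Odoo's documented evaluation order for the two rules from the question: model-level access rights are checked first, then, per operation, global rules are AND-ed and group rules are OR-ed. The project data, user ids and the `can` / `visible_ids` helpers are constructed for the example, and members are modelled as user ids rather than employees.

```python
# Simplified model of Odoo's access check (illustrative; not Odoo source code).
# All users, groups, projects and helper names below are constructed samples.

# Model-level access rights (ir.model.access): group -> allowed operations.
ACL = {
    "project_user": {"read", "write"},
}

# Record rules (ir.rule). Domains are modelled as Python predicates, and
# "ops" stands for the perm_read / perm_write / ... flags set to 1.
RULES = [
    {"name": "Project: User is Member", "groups": {"project_user"},
     "ops": {"read"},
     "match": lambda p, uid: uid in p["member_ids"]},
    {"name": "Project: User is Manager", "groups": {"project_user"},
     "ops": {"read", "write"},
     "match": lambda p, uid: p["manager_id"] == uid},
]

PROJECTS = [
    {"id": 1, "manager_id": 10, "member_ids": {10, 11}},
    {"id": 2, "manager_id": 12, "member_ids": {11}},
    {"id": 3, "manager_id": 12, "member_ids": {13}},
]


def can(op, project, uid, user_groups):
    """Return True if user uid may perform op on project."""
    # Step 1: access rights are per model and additive across groups.
    if not any(op in ACL.get(g, set()) for g in user_groups):
        return False
    # Step 2: a rule is only considered for operations it is flagged for.
    applicable = [r for r in RULES if op in r["ops"]]
    global_rules = [r for r in applicable if not r["groups"]]
    group_rules = [r for r in applicable if r["groups"] & user_groups]
    # Global rules are AND-ed: every one of them must match.
    if not all(r["match"](project, uid) for r in global_rules):
        return False
    # Group rules are OR-ed; with no applicable group rule there is no filter.
    return not group_rules or any(r["match"](project, uid) for r in group_rules)


def visible_ids(op, uid, user_groups):
    """Ids of the sample projects on which uid may perform op."""
    return [p["id"] for p in PROJECTS if can(op, p, uid, user_groups)]
```

In this model a record rule can only narrow what the access rights already grant, and the write check ignores the member rule because that rule is flagged for read only.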

 

 

 

Stats

Asked: 1/7/14, 7:26 AM
Seen: 11022 times
Last updated: 4/5/16, 2:32 AM