How can I edit access rules in Odoo 10 to prevent users from editing other users' calendar events?

Best Answer
For Odoo 9.0, this patch makes it so the Edit button only appears when viewing your own events,
or under any condition you can compute in a Boolean computed field on the model.
You can use the patch on any model. The example below is for calendar.event.

You will still need a record rule as discussed in other answers
if you want only certain records to be VIEWED or DELETED or WRITTEN from other places.
This patch just deals with selective EDITS so the EDIT button itself does not appear,
rather than letting it appear and then giving the user a cannot-write-this-record message.

Yes, this is modifying core. Kindly forgive.
My intent is to make a module once I have my code base upgraded to Odoo 13.0....

1. Add a computed Boolean field to the model that computes if the row should be editable by the current user.

    from openerp import api, fields, models  # Odoo 9.0; in Odoo 10 and later import from odoo


    class CalendarEvent(models.Model):
        _inherit = 'calendar.event'

        @api.depends('user_id')
        @api.one
        def _get_selective_readonly_indicator(self):
            # True means the record is read-only for the current user (not the event owner).
            # JavaScript always allows the admin user to edit, regardless of this indicator field.
            self.selective_readonly_indicator = not self.user_id.id == self.env.uid

        selective_readonly_indicator = fields.Boolean('Selective Readonly Indicator',
                                                      compute='_get_selective_readonly_indicator')

2. Update the form view to add selective_readonly_indicator_field="fieldname" to the <form> element and to include the computed field in the form, at least as an invisible field:

    <record id="view_calendar_event_form" model="ir.ui.view">
        <field name="name">Calendar - Event Form</field>
        <field name="model">calendar.event</field>
        <field name="inherit_id" ref="calendar.view_calendar_event_form"/>
        <field name="arch" type="xml">
            <!-- make editable only by owner of the event -->
            <!-- requires patch to addons/web/static/src/js/views/form_view.js -->
            <!-- See: https://www.odoo.com/forum/help-1/question/limiting-edition-of-event-in-calendar-only-to-creator-in-odoo-10-136385 -->
            <xpath expr="//form" position="attributes">
                <attribute name="selective_readonly_indicator_field">selective_readonly_indicator</attribute>
            </xpath>
            <xpath expr="//form" position="inside">
                <field name="selective_readonly_indicator" invisible="1"/>
            </xpath>
        </field>
    </record>

3. Include these three patches to addons/web/static/src/js/views/form_view.js:

Near line 13 after the other require() calls, add one line:

    var session = require('web.session'); // 13.0.6.17.18-t13 jimays added

Near line 720 in function FormView._actualize_view(), add one line at the top of the function:

    _actualize_mode: function(switch_to) {
        switch_to = this.selective_readonly ? "view" : switch_to; // 13.0.6.17.18-t13 jimays selective_readonly
        var mode = switch_to || this.get("actual_mode");
        // ...

Near line 362 in function FormView.load_record(), add:

    this.datarecord = record;
    // 13.0.6.17.18-t13 jimays begin patch for selective_readonly_indicator_field
    // For example, use <form selective_readonly_indicator_field="selective_readonly_indicator">
    // to indicate that records should be readonly even in edit mode
    // if the Boolean value of the "selective_readonly_indicator" field is True.
    // gratitude View.is_action_enabled() in addons/web/static/src/js/framework/view.js
    var attrs = this.fields_view.arch.attrs;
    this.selective_readonly_indicator_field = (
        'selective_readonly_indicator_field' in attrs ? attrs['selective_readonly_indicator_field'] : '');
    // Default to edit mode 1) if admin user or 2) if <form> is free of selective_readonly_indicator_field=.
    this.selective_readonly = !(session.uid == 1 || this.selective_readonly_indicator_field == '');
    if (this.selective_readonly) { // if default is r/o, check value of field
        true || console.log('datarecord: ' + JSON.stringify(this.datarecord));
        if (this.selective_readonly_indicator_field in self.datarecord) {
            this.selective_readonly = self.datarecord[this.selective_readonly_indicator_field];
        }
    }
    true || console.log('selective_readonly: ' + JSON.stringify(this.selective_readonly));
    // Blink the Edit button if there are buttons and an Edit button.
    // Some forms, e.g. User Preferences window, are already free of visible buttons.
    if (this.$buttons != undefined && this.$buttons.length) {
        var $edit_button = this.$buttons.find('.oe_form_button_edit');
        if ($edit_button.length) {
            $edit_button.toggle(!this.selective_readonly);
        }
    }
    // 13.0.6.17.18-t13 jimays end patch for selective_readonly_indicator_field
    this._actualize_mode();

Enjoy! As you click left/right in the form view to browse records,
the Edit button blinks on whenever you are on your own event.
The admin user is still able to edit all events.

Also answers https://www.odoo.com/forum/help-1/question/how-to-disable-other-user-edit-my-calendar-meeting-2432

More... I realized the calendar view also needs to restrict click/drag.
Patched addons/web_calendar/static/src/js/web_calendar.js

In the middle of view_loaded():

    // Check whether the date field is editable (i.e. if the events can be dragged and dropped)
    this.editable = !this.options.read_only_mode && !this.fields_view.fields[this.date_start].readonly;

    // 13.0.7.0.4-t6 Add support for selective_readonly_indicator_field.
    this.selective_readonly_indicator_field =
        'selective_readonly_indicator_field' in attrs ? attrs.selective_readonly_indicator_field : '';

And at the bottom of event_data_transform():

    // 13.0.7.0.4-t6 jimays Add support for selective_readonly_indicator_field.
    // gratitude https://fullcalendar.io/docs/event-object
    if (this.selective_readonly_indicator_field && this.selective_readonly_indicator_field in evt) {
        r.editable = !evt[this.selective_readonly_indicator_field];
    }

    return r;

And added one more xml view:

    <record id="view_calendar_event_calendar" model="ir.ui.view">
        <field name="name">Meeting</field>
        <field name="model">calendar.event</field>
        <field name="inherit_id" ref="calendar.view_calendar_event_calendar"/>
        <field name="arch" type="xml">
            <!-- make editable only by owner of the event -->
            <!-- requires patch to addons/web/static/src/js/views/form_view.js -->
            <!-- requires patch to addons/web_calendar/static/src/js/web_calendar.js -->
            <xpath expr="//calendar" position="attributes">
                <attribute name="selective_readonly_indicator_field">selective_readonly_indicator</attribute>
            </xpath>
            <xpath expr="//field[@name='name']" position="after">
                <field name="selective_readonly_indicator" invisible="1"/>
            </xpath>
        </field>
    </record>
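
The record rule the answer above says is still needed, as an added example that is not part of the original answer or of Odoo's own data files: the form_view.js and web_calendar.js patches only hide the Edit button and disable dragging in the browser, so the server has to reject writes on other users' events itself. The record id and rule name are assumptions; the rule is left global (no groups field) so that it is ANDed with any group-specific rules already defined on calendar.event.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example. Assumes a custom module that depends on "calendar".
     <odoo> is the Odoo 10 data-file root; releases that predate it
     use <openerp><data> ... </data></openerp> instead. -->
<odoo>
    <data noupdate="1">
        <!-- Hypothetical id and name. With no "groups" field the rule is global:
             global rules are ANDed with the result of group rules, so another
             rule granting a group wider access cannot override this one.
             A rule tied to a group would be ORed with that group's other rules. -->
        <record id="calendar_event_rule_owner_write" model="ir.rule">
            <field name="name">Calendar event: only the owner may write or delete</field>
            <field name="model_id" ref="calendar.model_calendar_event"/>
            <!-- Same ownership test as the computed field: user_id is the current user -->
            <field name="domain_force">[('user_id', '=', user.id)]</field>
            <!-- Restrict write and unlink only; read and create keep their existing rules -->
            <field name="perm_read" eval="False"/>
            <field name="perm_write" eval="True"/>
            <field name="perm_create" eval="False"/>
            <field name="perm_unlink" eval="True"/>
        </record>
        <!-- Record rules are not applied to the superuser (uid 1 in these versions),
             which matches the patch's behaviour of letting admin edit every event. -->
    </data>
</odoo>
```

List the file under data in the module's __manifest__.py (Odoo 10) or __openerp__.py (Odoo 9) so it is loaded on install.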




Author Best Answer

I've read these articles and I'm sorry, but I do not see this well documented, description is very complicated and not so understandable.
