Community mailing list archives

Per-field permissions

Ludwik Trammer
- 01/02/2015 06:55:21


I learned about Odoo just four months ago. Since then I've done quite a lot of work with the Odoo programming framework - I created almost 20 Odoo modules for two clients, started a blog about Odoo development and posted answers to a dozen Odoo related questions on Stack Overflow.

The more I develop with Odoo the more I feel there is one area that is really lacking - per field permissions.

Yes, I know about the "groups" attribute - one can specify it on a model field to make it available to selected groups only. That's certainly a start. But this is not enough for more advanced uses.

Couple of example of things that would be very useful (or in my case - necessary) in that area:

1. Something similar to the "groups" attribute, but limited to the "write" permissions. It would make other groups able to read the field, but only chosen groups would be able to modify it.
This should both make the field appear readonly in forms (for users without modify privileges for that field) and validate the privileges when saving the model.

2. Rule-based per-field permissions. Something similar to ir.rule, but checked per individual field. This could look like this:

members = fields.many2many(
    read_rule="[('members', '=',]",
    write_rule="[('manager', '=',]",

Let's say this is a filed on a Project model. This would mean that only manager of this project is able to add/remove its members and only members of this project are able to see other members (readonly).

You are not able to achieve anything even remotely similar using only group permissions.

For consistency, the way group based per-field permissions ("groups" and "grups_modify") would interact with rule based per-field permissions would mirror the way ir.model.access and ir.rule interact.

3. Record rules should be reflected in the way views are presented to the user. If user doesn't have "write" access to the given object she should not be presented with an "edit" button. Similarly lack of "unlink" permissions should hide the "remove" option. Currently this works with access rules (ir.model.access), but not with record rules (ir.rule)
This issue confuses the heck out of my users (understandably). This means I'll be forced to roll my own solution for the issue, but this seams as something that should be dealt with on the framework layer.

Are those issue something that the Odoo Team is currently looking into? Are there any plans for improvements in Odoo 9?

Ludwik Trammer