Community mailing list archives

Re: Per-field permissions

Dhaval Patel
- 01/05/2015 04:55:40

I think this is the thing that was asked here. 

Great Work, really essential.


Dhaval Patel
Team Lead Engineer
Denero Team.
Skype : deneroteam
Mobile : +91-9327694716

On Mon, Jan 5, 2015 at 2:56 PM, Nemry, Jonathan <> wrote:
I think I have something that may help you at least for this point:
"Something similar to the "groups" attribute, but limited to the "write" permissions."

Actually I've made a custom module named "readonly_field_groups"
This module allows to manage a special attribute like "groups" but in order to manage "readonly" feature

You can find it here

I think I will suggest it to the addons of OCA

Hope this help


2015-01-02 13:47 GMT+01:00 Alp ŞEBER <>:

Alp ŞEBER | G.Manager | TEKIMSAN LTD STI | A: Ferhatpasa Mah, 17 Sk No:112 34888 Atasehir Istanbul TURKEY | Ph.: +90 216 471 82 55 (116) | Fax: +90 216 471 82 56 | E: | Skype: pina.alp

We produce & trade pool equipments

2015-01-02 14:17 GMT+02:00 John Pia Jr <>:


On Jan 2, 2015 6:58 AM, "Ludwik Trammer" <> wrote:


I learned about Odoo just four months ago. Since then I've done quite a lot of work with the Odoo programming framework - I created almost 20 Odoo modules for two clients, started a blog about Odoo development and posted answers to a dozen Odoo related questions on Stack Overflow.

The more I develop with Odoo the more I feel there is one area that is really lacking - per field permissions.

Yes, I know about the "groups" attribute - one can specify it on a model field to make it available to selected groups only. That's certainly a start. But this is not enough for more advanced uses.

Couple of example of things that would be very useful (or in my case - necessary) in that area:

1. Something similar to the "groups" attribute, but limited to the "write" permissions. It would make other groups able to read the field, but only chosen groups would be able to modify it.
This should both make the field appear readonly in forms (for users without modify privileges for that field) and validate the privileges when saving the model.

2. Rule-based per-field permissions. Something similar to ir.rule, but checked per individual field. This could look like this:

members = fields.many2many(
    read_rule="[('members', '=',]",
    write_rule="[('manager', '=',]",

Let's say this is a filed on a Project model. This would mean that only manager of this project is able to add/remove its members and only members of this project are able to see other members (readonly).

You are not able to achieve anything even remotely similar using only group permissions.

For consistency, the way group based per-field permissions ("groups" and "grups_modify") would interact with rule based per-field permissions would mirror the way ir.model.access and ir.rule interact.

3. Record rules should be reflected in the way views are presented to the user. If user doesn't have "write" access to the given object she should not be presented with an "edit" button. Similarly lack of "unlink" permissions should hide the "remove" option. Currently this works with access rules (ir.model.access), but not with record rules (ir.rule)
This issue confuses the heck out of my users (understandably). This means I'll be forced to roll my own solution for the issue, but this seams as something that should be dealt with on the framework layer.

Are those issue something that the Odoo Team is currently looking into? Are there any plans for improvements in Odoo 9?

Ludwik Trammer

Post to:

Post to:

Post to:

Nemry Jonathan
Software Engineer

Tel : +352 20 21 10 20 23
Gsm : +352 691 506 013

Acsone SA, Succursale de Luxembourg
22, Zone industrielle
L-8287 Kehlen, Luxembourg

Post to: