Community mailing list archives

Re: Strange error with record rules!!

Martin Trigaux (mat)
- 05/08/2015 03:29:05
On 08/05/15 01:20, Graeme Gellatly wrote:
> I ran into this the other day after updating to latest.  It is a
> regression I think.  Basically AFAICT security rules are now all being
> AND ed instead of OR'ed for non Global rules.  Is only a guess as to fix
> I had to remove the user from groups that did not have write access.

Sorry but I doubt that (that would break like every record rule if it
was the case). Let me give an example on how the rules are combined:

3 rules on res.partner:
1. global rule [('company_id', '=',]
2. group salesman [('customer', '=', True)]
3. group sales manager [(1, '=', 1)] # easy way to say every record

If you don't belong to a sale group, only the global rule will apply
(only partners of your company).

If you belong to salesman group, you will combine 1&2, getting only the
partners with customer checkbox and in your company. Combining a global
and non-global rule with an AND.

If you now are added to the sales manager group, you will combine the 3
rules (manager are automatically sales man) but the group-based rules
are combined with an OR and with an AND for the global rule. so:

[(my company) AND ((customers) OR (all))]

So in the end, the sales manager will have access to every partner of
its company. Local rules can never overcome global rules. What may seem
odd in my example (probably not the best) is that the user belonging to
no sale group has as much rights as the user with sales manager

If you have the impression of having less rights after adding a group
based rule, it may be that the user was belonging to no group targeted
by record rule (so in the first case in my example).

Martin Trigaux
Odoo (Formerly OpenERP)

Chaussée de Namur, 40
1367 Grand-Rosière
Tel: +32 81 81 37 00