Community mailing list archives
Re: Strange error with record rules!!
All I know is a database that has been working for 5 years, no source update since February, got latest and ran an -u all in dev off latest update, all of a sudden access rights were an issue for sale managers. Can't remember exactly what the process was but by deleting the own leads record rule for sale it worked. That said can't reproduce in runbot but just rolled back to Feb revision rather than mess about.
On Fri, May 8, 2015 at 7:35 PM, Martin Trigaux <firstname.lastname@example.org> wrote:
On 08/05/15 01:20, Graeme Gellatly wrote:
> I ran into this the other day after updating to latest. It is a
> regression I think. Basically AFAICT security rules are now all being
> AND'ed instead of OR'ed for non Global rules. Is only a guess as to fix
> I had to remove the user from groups that did not have write access.
>

Sorry but I doubt that (that would break like every record rule if it was the case).

Let me give an example on how the rules are combined:

3 rules on res.partner:

1. global rule [('company_id', '=', user.company_id.id)]
2. group salesman [('customer', '=', True)]
3. group sales manager [(1, '=', 1)] # easy way to say every record

If you don't belong to a sale group, only the global rule will apply (only partners of your company).

If you belong to salesman group, you will combine 1&2, getting only the partners with customer checkbox and in your company. Combining a global and non-global rule with an AND.

If you now are added to the sales manager group, you will combine the 3 rules (managers are automatically salesmen) but the group-based rules are combined with an OR and with an AND for the global rule.

so: [(my company) AND ((customers) OR (all))]

So in the end, the sales manager will have access to every partner of its company. Local rules can never overcome global rules.

What may seem odd in my example (probably not the best) is that the user belonging to no sale group has as many rights as the user with sales manager.

If you have the impression of having fewer rights after adding a group based rule, it may be that the user was belonging to no group targeted by record rule (so in the first case in my example).

--
Martin Trigaux
Odoo (Formerly OpenERP)
github.com/mart-e
Chaussée de Namur, 40
1367 Grand-Rosière
Tel: +32 81 81 37 00
https://odoo.com
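The combination described in the message above, as an added example that is not part of the thread and is not Odoo's own code: a small Python model of "global rules AND (group rules OR'ed together)" run over constructed partner records. The names `RULES`, `PARTNERS`, `can_access`, `visible_ids` and `make_user` are hypothetical, and the `group_combine` parameter exists only to show what the AND'ed behaviour guessed at in the thread would look like for comparison.

```python
# Illustrative model of record-rule combination; not Odoo's implementation.
# Constructed rules mirroring the three res.partner rules from the message.
# group=None marks a global rule.
RULES = [
    {"group": None,            "test": lambda rec, u: rec["company_id"] == u["company_id"]},
    {"group": "salesman",      "test": lambda rec, u: rec["customer"]},
    {"group": "sales_manager", "test": lambda rec, u: True},  # [(1, '=', 1)]
]

# Constructed sample records.
PARTNERS = [
    {"id": 1, "company_id": 1, "customer": True},
    {"id": 2, "company_id": 1, "customer": False},
    {"id": 3, "company_id": 2, "customer": True},
    {"id": 4, "company_id": 2, "customer": False},
]


def make_user(groups, company_id=1):
    """Build a constructed user with the given group memberships."""
    return {"company_id": company_id, "groups": set(groups)}


def can_access(rec, user, rules=RULES, group_combine=any):
    """Global rules are AND'ed; applicable group rules are merged with
    group_combine (any = OR, as the message describes)."""
    global_ok = all(r["test"](rec, user) for r in rules if r["group"] is None)
    applicable = [r for r in rules if r["group"] in user["groups"]]
    # A user in no group targeted by a rule is restricted by global rules only.
    if not applicable:
        return global_ok
    return global_ok and group_combine(r["test"](rec, user) for r in applicable)


def visible_ids(user, records=PARTNERS, rules=RULES, group_combine=any):
    """Ids of the records the user can access under the given rules."""
    return sorted(r["id"] for r in records
                  if can_access(r, user, rules, group_combine))


if __name__ == "__main__":
    manager = make_user({"salesman", "sales_manager"})
    print("no sale group :", visible_ids(make_user(set())))
    print("salesman      :", visible_ids(make_user({"salesman"})))
    print("sales manager :", visible_ids(manager))
    # Hypothetical AND'ed merge: the manager is narrowed to the salesman view.
    print("manager, AND  :", visible_ids(manager, group_combine=all))
```

Comparing a user's actual visible records against the OR and AND columns of such a model is a quick way to tell a rule-combination regression from a group-membership change.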