Community mailing list archives

community@mail.odoo.com

Re: Strange error with record rules!!

by
Graeme Gellatly
- 05/08/2015 04:09:58
All I know is database that has been working for 5 years, no source update since february, got latest and ran an -u all in dev off latest update, all of a sudden access rights were an issue for sale managers.  Can't remember exactly what the process was but by deleting the own leads record rule for sale it worked.  That said can't reproduce in runbot but just rolled back to Feb revision rather than mess about.

On Fri, May 8, 2015 at 7:35 PM, Martin Trigaux <mat@odoo.com> wrote:
On 08/05/15 01:20, Graeme Gellatly wrote:
> I ran into this the other day after updating to latest.  It is a
> regression I think.  Basically AFAICT security rules are now all being
> AND ed instead of OR'ed for non Global rules.  Is only a guess as to fix
> I had to remove the user from groups that did not have write access.
> 

Sorry but I doubt that (that would break like every record rule if it
was the case). Let me give an example on how the rules are combined:

3 rules on res.partner:
1. global rule [('company_id', '=', user.company_id.id)]
2. group salesman [('customer', '=', True)]
3. group sales manager [(1, '=', 1)] # easy way to say every record

If you don't belong to a sale group, only the global rule will apply
(only partners of your company).

If you belong to salesman group, you will combine 1&2, getting only the
partners with customer checkbox and in your company. Combining a global
and non-global rule with an AND.

If you now are added to the sales manager group, you will combine the 3
rules (manager are automatically sales man) but the group-based rules
are combined with an OR and with an AND for the global rule. so:

[(my company) AND ((customers) OR (all))]

So in the end, the sales manager will have access to every partner of
its company. Local rules can never overcome global rules. What may seem
odd in my example (probably not the best) is that the user belonging to
no sale group has as much rights as the user with sales manager

If you have the impression of having less rights after adding a group
based rule, it may be that the user was belonging to no group targeted
by record rule (so in the first case in my example).

-- 
Martin Trigaux
Odoo (Formerly OpenERP)
github.com/mart-e

Chaussée de Namur, 40
1367 Grand-Rosière
Tel: +32 81 81 37 00
https://odoo.com

_______________________________________________
Mailing-List: https://www.odoo.com/groups/community-59
Post to: mailto:community@mail.odoo.com
Unsubscribe: https://www.odoo.com/groups?unsubscribe