Community mailing list archives

Re: Strange error with record rules!!

- 05/10/2015 21:47:21
Believe it or not, politics can destroy many beautiful things in this world.
It seems that the license war overcame all our discussions about our bugs and improvements. However, I'm in the same line of continuing the openness path. 
Now, can anybody help me in this issue?

On Sat, May 9, 2015 at 2:47 AM, Rami Talat <> wrote:
Sorry Abu,
But I see it as a bug.

On Fri, May 8, 2015 at 8:07 PM, Abu Helal <> wrote:
So, what is the solution for this problem in your opinion?
I'm stuck now in the middle of the way, and can't proceed in further steps.
Please help.

On Fri, May 8, 2015 at 10:21 AM, Graeme Gellatly <> wrote:
All I know is database that has been working for 5 years, no source update since February, got latest and ran an -u all in dev off latest update, all of a sudden access rights were an issue for sale managers. Can't remember exactly what the process was but by deleting the own leads record rule for sale it worked. That said can't reproduce in runbot but just rolled back to Feb revision rather than mess about.

On Fri, May 8, 2015 at 7:35 PM, Martin Trigaux <> wrote:
On 08/05/15 01:20, Graeme Gellatly wrote:
> I ran into this the other day after updating to latest.  It is a
> regression I think.  Basically AFAICT security rules are now all being
> AND'ed instead of OR'ed for non Global rules.  Is only a guess as to fix
> I had to remove the user from groups that did not have write access.

Sorry but I doubt that (that would break like every record rule if it
was the case). Let me give an example on how the rules are combined:

3 rules on res.partner:
1. global rule [('company_id', '=',]
2. group salesman [('customer', '=', True)]
3. group sales manager [(1, '=', 1)] # easy way to say every record

If you don't belong to a sale group, only the global rule will apply
(only partners of your company).

If you belong to salesman group, you will combine 1&2, getting only the
partners with customer checkbox and in your company. Combining a global
and non-global rule with an AND.

If you now are added to the sales manager group, you will combine the 3
rules (managers are automatically salesmen) but the group-based rules
are combined with an OR and with an AND for the global rule. so:

[(my company) AND ((customers) OR (all))]

So in the end, the sales manager will have access to every partner of
its company. Local rules can never overcome global rules. What may seem
odd in my example (probably not the best) is that the user belonging to
no sale group has as much rights as the user with sales manager

If you have the impression of having less rights after adding a group
based rule, it may be that the user was belonging to no group targeted
by record rule (so in the first case in my example).

Martin Trigaux
Odoo (Formerly OpenERP)

Chaussée de Namur, 40
1367 Grand-Rosière
Tel: +32 81 81 37 00
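
The combination described in the message above, as an added example that is not part of the original thread and not Odoo's own code. Rules are modelled as Python predicates instead of Odoo domains; the group names, the company id used for the global rule, and the partner records are all constructed assumptions.

```python
# Added illustration of: global rules AND (group rule OR group rule ...).
# Not Odoo's ir.rule implementation; every name and value here is constructed.
USER_COMPANY = 1  # assumed company of the current user

# (label, group or None for a global rule, predicate on a record)
RULES = [
    ("global: own company", None, lambda r: r["company_id"] == USER_COMPANY),
    ("salesman: customers", "salesman", lambda r: r["customer"]),
    ("sales manager: all", "sales_manager", lambda r: True),
]

# Constructed sample partners
PARTNERS = [
    {"name": "A", "company_id": 1, "customer": True},
    {"name": "B", "company_id": 1, "customer": False},
    {"name": "C", "company_id": 2, "customer": True},
]


def visible(user_groups, records=PARTNERS, rules=RULES):
    """Names of records the user may see under the combined rules."""
    global_rules = [p for _, g, p in rules if g is None]
    # Only rules attached to a group the user belongs to take part.
    group_rules = [p for _, g, p in rules if g is not None and g in user_groups]
    names = []
    for rec in records:
        ok_global = all(p(rec) for p in global_rules)  # globals are AND'ed
        # Group rules are OR'ed; with none applicable, only globals restrict.
        ok_group = any(p(rec) for p in group_rules) if group_rules else True
        if ok_global and ok_group:
            names.append(rec["name"])
    return names


def lost_by_joining(group, before=frozenset()):
    """Records visible before joining `group` but hidden afterwards."""
    after = set(visible(set(before) | {group}))
    return [n for n in visible(before) if n not in after]


if __name__ == "__main__":
    print(visible(set()))                          # no sale group
    print(visible({"salesman"}))                   # rules 1 AND 2
    print(visible({"salesman", "sales_manager"}))  # 1 AND (2 OR 3)
    print(lost_by_joining("salesman"))             # narrowing effect
```

`lost_by_joining` shows the last case in the message: a user targeted by no group rule loses records when first added to a group that carries a restrictive rule.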
