Community mailing list archives

RE: Record Security For Groups (that ar NOT groups)

Omal Bastin
- 10/12/2016 14:13:53

If you check record rule of projects you will get clear idea. Projects have a record rule which checks for followers of the project. I believe this is exactly your case

On Oct 12, 2016 9:36 PM, "Phillip" <> wrote:
Or being that there are likely only a few members is it better to create 
10 many2one user relationships on the record which get programatically 
assigned to the members of the many2many. Each user is part of a 
security group which allows viewing a record in the model if user_id_1, 
or user_id_2, or user_id_3 or ... =

Security rules work great if you are talking about members of a security 
group. However how do you appropriately  provide access to specific 
records to specific users leaving security groups out of the mix?

I have a model which has a Many2many relationship with res.users. So 
many users can be associated with a record. I would like to restrict 
access to each record entirely to users who are a part of that Many2many 
relationship. I could create a security group for each record and add 
the users into it programatically however I could have thousands of 
records (which means thousands of groups) and so this does not seem to 
be the appropriate way to accomplish this restriction. However the 
force_domain field will no let me do the obvious thing 
[('','in','user_ids')] as 'user_ids' is the field on the record I 
am evaluating security for.

Is there a way to check if a user is a member of a many2many field on a 
record for security access?

Or should I programatically update the security rule every time the 
many2many is modified. So the force_domain would be updated with an 
explicit list of the record members which would all be 'or'd like this.


Although the many2many has no restriction on number of members in most 
cases there will only be 1 to 3 members which will not be an overly 
cumbersome sql query.

Please let me know you thoughts, I would really appreciate it.


Post to: