Community: Framework mailing list archives

expert-framework@mail.odoo.com

Discussion on security

by
Maxim Litnitskiy
- 02/15/2016 08:39:16
Hi dear experts!

I'd like to understand why groups_id is working only with inherited views.

There is the following code in get_inheriting_views_arch (from openerp/addons/base/ir/ir_ui_view.py) 

return [(view.arch, view.id)
                for view in self.browse(cr, 1, view_ids, context)
                if not (view.groups_id and user_groups.isdisjoint(view.groups_id))]

This allows to have views exclusively for a group specified but only if view is inherited. But if we have general base view bound to an act_window user knowing that act_window id can call it from his browser and the view will be shown with all fields in it!

Yes, I understand that the right way to deal with security it using Access Control Lists and Record Rules.

But when I need to have separate UIs for admin and user having same access to all records just making some fields read-only for user it's a pain.

1. I can bind a menu to a group - but user can see act_window  id and call it directly without access to menu. 

2. The solution could be setting groups_id on act_window so that action is restricted to a group specified but I can see that groups_id is just declared and not used here openerp/addons/base/ir/ir_actions.py. So there is no way to restrict calling an action. Why!?

3. Finally there is groups_id field for views but as described above it works only with inherited views.

So the only solution I found to securely have different UI for admin and user is 1-st defining an empy view and later inherting it by admin and user. 
Thus even if user can see act_window id of admin menu he will not be able to see the view! 
Please advise :-)

<record model="ir.ui.view" id="facility_base_form">
<field name="name">barrier facility admin form</field>
<field name="model">barrier.facility</field>
<field name="arch" type="xml">
<form>
<sheet></sheet>
</form>
</field>
</record>

<record model="ir.ui.view" id="facility_admin_form">
<field name="name">barrier facility admin form</field>
<field name="model">barrier.facility</field>
<field name="inherit_id" ref="facility_base_form"/>
<field name="groups_id" eval="[(4, ref('group_barrier_admin'))]"/>
<field name="arch" type="xml">
<xpath expr="//sheet" position="inside">
<group>
<group>
<field name="name"/>
<field name="num"/>
<field name="tariff"/>
</group>
<group>
<field name="comment"/>
</group>
</group>
<group>
<group>
<field name="warning"/>
<field name="unpaid"/>
<field name="guestmaxtime" string="Guest Max Time"/>
</group>
<group>
<field name="alertphone" string="Alert Phone"/>
<field name="alertmail" string="Alert Mail"/>
</group>
</group>

</xpath>
</field>
</record>
<record model="ir.ui.view" id="facility_resident_form">
<field name="name">barrier facility resident form</field>
<field name="model">barrier.facility</field>
<field name="inherit_id" ref="facility_base_form"/>
<field name="groups_id" eval="[(4, ref('group_barrier_resident'))]"/>
<field name="arch" type="xml">
<xpath expr="//form" position="replace">
<form create="false" edit="false">
<sheet>
<group>
<group>
<field name="name"/>
<field name="guestmaxtime" string="Guest Max Time"/>
<field name="alertphone" string="Alert Phone"/>
<field name="alertmail" string="Alert Mail"/>
</group>
</group>
</sheet>
</form>
</xpath>
</field>
</record>